Review of http://k5wiki.kerberos.org/wiki/Projects/PAC_and_principal_APIs ending January 10

Sam Hartman hartmans at MIT.EDU
Tue Dec 30 14:36:32 EST 2008


Luke, I have one question.
KRB5_PRINCIPAL_UNPARSE_SHORT omits the local realm.

What does that actually mean?  The code seems to use the default
realm.  However, MIT Kerberos's concept of default realm does not map
particularly well, say, onto AD's concept of the local domain.  The
default realm is the realm that will be added to a principal if no
other realm is specified.  It does not imply trust, it may not be the
same as the client's realm, it may not be the same as the realm of the
current KDC, etc.  The workstation may not be registered in the
default realm and may not happen to trust KDCs from the default realm.


I'm wondering if this is the intended meaning of the flag.  I'm also
wondering whether the use of UNPARSE_SHORT in pac.c is appropriate
given these constraints on the default realm.

--Sam
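As an added illustration of the question above (not code from the message, from MIT's pac.c, or from libkrb5), here is a small Python model of the KRB5_PRINCIPAL_UNPARSE_SHORT behaviour as described: the realm is dropped only when it equals the configured default realm, so a principal from the workstation's own (client) realm keeps its realm while one from an unrelated default realm is shortened. The realm names and principals are constructed; the flag values are taken from MIT's krb5.h.

```python
KRB5_PRINCIPAL_UNPARSE_SHORT = 0x1     # values as in MIT krb5.h
KRB5_PRINCIPAL_UNPARSE_NO_REALM = 0x2


def _quote(s):
    """Escape '/', '@' and '\\' so they cannot be read as separators.
    (libkrb5 also escapes a few control characters; omitted here.)"""
    return "".join("\\" + ch if ch in "/@\\" else ch for ch in s)


def unparse_name_flags(components, realm, default_realm, flags=0):
    """Model of krb5_unparse_name_flags(): SHORT drops the realm only when
    it equals default_realm, i.e. the realm krb5 would append to a bare
    name. Nothing here checks whether that realm is trusted or is the
    realm the client is actually registered in."""
    name = "/".join(_quote(c) for c in components)
    if flags & KRB5_PRINCIPAL_UNPARSE_SHORT and realm == default_realm:
        flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM
    if flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM:
        return name
    return name + "@" + _quote(realm)


def short_forms(default_realm, principals):
    """Return {full name: SHORT form} for a list of (components, realm)."""
    return {
        unparse_name_flags(c, r, default_realm):
            unparse_name_flags(c, r, default_realm, KRB5_PRINCIPAL_UNPARSE_SHORT)
        for c, r in principals
    }


# Constructed scenario: the workstation is a member of ENG.EXAMPLE.COM (the
# client realm), but krb5.conf's default_realm is CORP.EXAMPLE.COM, a realm
# the workstation need not trust.
CLIENT_REALM = "ENG.EXAMPLE.COM"
DEFAULT_REALM = "CORP.EXAMPLE.COM"
SAMPLE = [
    (["alice"], CLIENT_REALM),                        # same realm as the workstation
    (["alice"], DEFAULT_REALM),                       # default realm, possibly untrusted
    (["host", "ws1.eng.example.com"], CLIENT_REALM),  # the workstation itself
]

if __name__ == "__main__":
    # Only the CORP.EXAMPLE.COM principal loses its realm; the workstation's
    # own realm is still printed in full.
    for full, short in short_forms(DEFAULT_REALM, SAMPLE).items():
        print(f"{full:45} -> {short}")
```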
