Review of http://k5wiki.kerberos.org/wiki/Projects/PAC_and_principal_APIs ending January 10
Luke Howard
lukeh at padl.com
Tue Dec 30 20:23:29 EST 2008
On 31/12/2008, at 6:36 AM, Sam Hartman wrote:
> Luke, I have one question.
> KRB5_PRINCIPAL_UNPARSE_SHORT omits the local realm.
>
> What does that actually mean? The code seems to use the default
> realm. However MIT Kerberos's concept of default realm does not map
> particularly well, say, onto AD's concept of the local domain. The
> default realm is the realm that will be added to a principal if no
> other realm is specified. It does not imply trust, it may not be the
> same as the client's realm, it may not be the same as the realm of the
> current KDC, etc. The workstation may not be registered in the
> default realm and may not happen to trust KDCs from the default realm.
>
>
> I'm wondering if this is the intended meaning of the flag. I'm also
> wondering whether the use of UNPARSE_SHORT in pac.c is appropriate
> given these constraints on the default realm.
I had assumed that the default realm would be the local domain
(perhaps because historically I'd been more concerned with KDC rather
than client implementation, and one generally has some more control
over the KDC configuration).
So: the answer is, I need to think about this some more. I believe
Heimdal has a similar issue.
--luke
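As an added illustration of what KRB5_PRINCIPAL_UNPARSE_SHORT does with the default realm, here is a Python model of krb5_unparse_name_flags() and krb5_parse_name(). This is example code written for this page, not code from MIT krb5, Heimdal, or either poster. The flag names match krb5.h, but the bit values, the Principal class, the function names, the sample realms and the short_round_trips() check are this example's own; the backslash-quoting rules are modeled on my reading of MIT's unparse.c rather than copied from it. The point it makes concrete is the one raised above: SHORT omits the realm exactly when it equals the configured default realm, and a short name only parses back to the same principal on a host that is configured with that same default realm.

```python
from dataclasses import dataclass
from typing import List

# Flag names as in MIT krb5's krb5.h; the bit values here are this
# example's own and need not match the header.
KRB5_PRINCIPAL_UNPARSE_SHORT = 0x1     # omit realm if it equals the default realm
KRB5_PRINCIPAL_UNPARSE_NO_REALM = 0x2  # omit realm unconditionally
KRB5_PRINCIPAL_UNPARSE_DISPLAY = 0x4   # no backslash quoting (display only)

# Characters backslash-quoted inside a component or realm.
# Modeled on MIT krb5's unparse.c; assumption: this set is complete.
_ESCAPE = {"/": "/", "@": "@", "\\": "\\", "\t": "t", "\n": "n", "\b": "b", "\0": "0"}
_UNESCAPE = {v: k for k, v in _ESCAPE.items()}


@dataclass
class Principal:
    """Minimal stand-in for krb5_principal: name components plus a realm."""
    components: List[str]
    realm: str


def _quote(s: str, flags: int) -> str:
    if flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY:
        return s
    return "".join("\\" + _ESCAPE[ch] if ch in _ESCAPE else ch for ch in s)


def unparse_name_flags(princ: Principal, flags: int, default_realm: str) -> str:
    """Model of krb5_unparse_name_flags().

    default_realm plays the role of krb5_get_default_realm(): the realm
    configured in krb5.conf, which is what SHORT compares against. It is
    not necessarily the realm this host is joined to or the realm of the
    KDC it is talking to, which is the concern raised in the thread.
    """
    name = "/".join(_quote(c, flags) for c in princ.components)
    if flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM:
        return name
    if flags & KRB5_PRINCIPAL_UNPARSE_SHORT and princ.realm == default_realm:
        return name
    return name + "@" + _quote(princ.realm, flags)


def parse_name(text: str, default_realm: str) -> Principal:
    """Model of krb5_parse_name(): splits on unquoted '/' and '@'. A name
    with no realm part gets default_realm, which is exactly the sense of
    "default realm" described above. Realm-content validation is not modeled.
    """
    components, cur, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            cur.append(_UNESCAPE.get(nxt, nxt))  # unknown escapes taken literally
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(cur))
            cur = []
        elif ch == "@":
            if in_realm:
                raise ValueError("malformed principal: second unquoted '@'")
            components.append("".join(cur))
            cur, in_realm = [], True
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        return Principal(components, "".join(cur))
    components.append("".join(cur))
    return Principal(components, default_realm)


def short_round_trips(princ: Principal, unparse_default: str, parse_default: str) -> bool:
    """True if the SHORT form produced under one default_realm parses back
    to the same principal under another. This only holds when both sides
    agree on the default realm, which is why a SHORT name used for matching
    (as in pac.c above) is only as reliable as that configuration.
    """
    short = unparse_name_flags(princ, KRB5_PRINCIPAL_UNPARSE_SHORT, unparse_default)
    return parse_name(short, parse_default) == princ


if __name__ == "__main__":
    # Constructed sample names: a workstation whose krb5.conf default_realm
    # is EXAMPLE.COM, seeing principals from two realms.
    for p in (Principal(["user"], "EXAMPLE.COM"),
              Principal(["user"], "AD.EXAMPLE.COM"),
              Principal(["user@example.com"], "EXAMPLE.COM")):
        print(unparse_name_flags(p, KRB5_PRINCIPAL_UNPARSE_SHORT, "EXAMPLE.COM"))
```

Note the last sample: an '@' inside a component (common for enterprise-style names) is backslash-quoted unless DISPLAY is set, so with DISPLAY|SHORT the component "user@example.com" in the default realm renders as the same string as a plain "user" in realm "example.com" would without quoting; display forms are not safe to compare.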