Review of ending January 10

Luke Howard lukeh at
Tue Dec 30 20:23:29 EST 2008

On 31/12/2008, at 6:36 AM, Sam Hartman wrote:

> Luke, I have one question.
> KRB5_PRINCIPAL_UNPARSE_SHORT  omits the local realm.
> What does that actually mean.  The code seems to use the default
> realm.  However MIT Kerberos's concept of default realm does not map
> particularly well say onto AD's concept of the local domain.  The
> default realm is the realm that will be added to a principal if no
> other realm is specified.  It does not imply trust, is may not be the
> same at the client's realm, it may not be the same as the realm of the
> current KDC, etc.  The workstation may not be registered in the
> default realm and may not happen to trust KDCs from the default realm.
> I'm wondering if this is the intended meaning of the flag.  I'm also
> wondering whether the use of UNPARSE_SHORT in pac.c is appropriate
> given these constraints on the default realm.

I had assumed that the default realm would be the local domain  
(perhaps because historically I'd been more concerned with KDC rather  
than client implementation, and one generally has some more control  
over the KDC configuration).

So: the answer is, I need to think about this some more. I believe  
Heimdal has a similar issue.


More information about the krbdev mailing list