Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR

Klaus Heinrich Kiwi klausk at
Thu Jun 19 09:16:16 EDT 2008

On Wed, 2008-06-18 at 16:54 -0400, Ken Raeburn wrote:
> I think it should be pointed out that such a change would allow  
> tickets to start being issued where currently they would not when the  
> KDC software gets updated -- even if the latter really was the intent  
> of the realm administrator.  Because of that, we might instead want to  
> create a new flag with the semantics Jeff wants, and leave the  
> existing flag with its current (suboptimal) behavior.

Sorry if this question sounds silly, but how much of both of these
solutions is implementation-specific? Wouldn't such a change require
changes to the current RFC?


Klaus Heinrich Kiwi <klausk at>
Linux Security Development, IBM Linux Technology Center
