regression due to referral realm

Nicolas Williams Nicolas.Williams at
Wed Feb 4 11:20:09 EST 2009

On Wed, Feb 04, 2009 at 10:51:34AM +0100, Mark Phalan wrote:
> It seems to me that mostly this will be hit when doing initial
> authentication with a keytab. One way to mitigate that problem would be
> to modify krb5_get_init_creds_keytab() to check the client principal to
> see if it is using a referral realm. If it is then take the first
> matching principal from the keytab and use that principal's realm.
> I've got code to do this and can supply a patch.

I agree.  This is basically a zero-conf bug affecting apps that a) use
keytabs to acquire initial credentials, and b) use
krb5_sname_to_principal() instead of krb5_parse_name() to get the client

Such apps can be raw krb5 API apps, GSS-API apps, and even scripts
around kinit (see Mark's note).

Mark's fix involves adding a function that takes a krb5_principal with a
referral realm that then searches a given keytab for a matching entry
(where the match obviously excludes the realm part).  That's likely to
raise some eyebrows, or at least this one:

    Should keytabs be searched front to back or back to front?  They are
    usually appended to...  This is, of course, a long-standing
    question, for me at least.

In any case, the work-around for keytab search order issues is always to
use ktutil to create a keytab with entries in the correct order.
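An added Python model of the keytab lookup discussed above (it is not Mark's patch and not krb5 library code): it parses principal names the way krb5_parse_name() does, treats an absent or empty realm as the referral realm, and takes the realm from the first keytab entry whose components match, with the front-to-back versus back-to-front question left as a parameter. The keytab entries and realm names are constructed for the example.

```python
from typing import List, Optional, Tuple

# Constructed keytab contents (principal, kvno) in file order; a real keytab is
# iterated with the krb5 keytab API. The NEW.EXAMPLE.COM entry was "appended"
# later, which is why the search direction changes the answer.
KEYTAB_ENTRIES = [
    ("host/alpha.example.com@EXAMPLE.COM", 2),
    ("nfs/alpha.example.com@EXAMPLE.COM", 2),
    ("host/beta.example.com@OTHER.EXAMPLE.COM", 5),
    ("host/alpha.example.com@NEW.EXAMPLE.COM", 1),
]

def parse_principal(name: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm), modelling
    krb5_parse_name. An absent or empty realm is the referral realm."""
    comps, cur, realm, i = [], "", None, 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):   # backslash escapes '/', '@', '\'
            cur += name[i + 1]
            i += 2
            continue
        if realm is None and c == "/":
            comps.append(cur)
            cur = ""
        elif realm is None and c == "@":
            comps.append(cur)
            cur, realm = "", ""
        else:
            cur += c
        i += 1
    if realm is None:                          # no '@' at all -> referral realm
        comps.append(cur)
        return comps, ""
    return comps, cur

def realm_from_keytab(client: str, entries, front_to_back: bool = True) -> Optional[str]:
    """The proposed mitigation: if the client principal has a referral realm,
    use the realm of the first keytab entry whose components match, ignoring
    the realm part. Direction is a parameter because keytabs get appended to."""
    comps, realm = parse_principal(client)
    if realm:
        return realm                           # already qualified, nothing to do
    for entry_name, _kvno in (entries if front_to_back else reversed(entries)):
        ecomps, erealm = parse_principal(entry_name)
        if ecomps == comps and erealm:
            return erealm
    return None                                # no match: caller should fail, not guess
```

When the same service name appears under two realms, the two search directions return different realms; a caller that gets None should report an error rather than pick a realm by other means.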

