regression due to referral realm
Henry B. Hotz
hotz at jpl.nasa.gov
Wed Feb 4 15:15:24 EST 2009
On Feb 4, 2009, at 9:14 AM, krbdev-request at mit.edu wrote:
> It seems to me that mostly this will be hit when doing initial
> authentication with a keytab. One way to mitigate that problem would
> be
> to modify krb5_get_init_creds_keytab() to check the client principal
> to
> see if it is using a referral realm. If it is then take the first
> matching principal from the keytab and use that principal's realm.
> I've got code to do this and can supply a patch.
Sounds good, modulo whatever you mean by "matching principal".
As a tangental nit, I wish the list of supported enctypes sent by
krb5_get_init_creds_keytab() was limited to those actually in the
keytab file (that are also supported by the library in question of
course). Since this has been discussed in the past, it's possible you-
all have taken care of it, and I'm out of date.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the krbdev
mailing list