regression due to referral realm

Henry B. Hotz hotz at
Wed Feb 4 15:15:24 EST 2009

On Feb 4, 2009, at 9:14 AM, krbdev-request at wrote:

> It seems to me that mostly this will be hit when doing initial
> authentication with a keytab. One way to mitigate that problem would  
> be
> to modify krb5_get_init_creds_keytab() to check the client principal  
> to
> see if it is using a referral realm. If it is then take the first
> matching principal from the keytab and use that principal's realm.
> I've got code to do this and can supply a patch.

Sounds good, modulo whatever you mean by "matching principal".

As a tangental nit, I wish the list of supported enctypes sent by  
krb5_get_init_creds_keytab() was limited to those actually in the  
keytab file (that are also supported by the library in question of  
course).  Since this has been discussed in the past, it's possible you- 
all have taken care of it, and I'm out of date.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list