regression due to referral realm

Mark Phalan Mark.Phalan at Sun.COM
Thu Feb 5 08:59:14 EST 2009


On Wed, 2009-02-04 at 12:15 -0800, Henry B. Hotz wrote:
> On Feb 4, 2009, at 9:14 AM, krbdev-request at mit.edu wrote:
> 
> > It seems to me that mostly this will be hit when doing initial
> > authentication with a keytab. One way to mitigate that problem would
> > be to modify krb5_get_init_creds_keytab() to check the client
> > principal to see if it is using a referral realm. If it is then take
> > the first matching principal from the keytab and use that principal's
> > realm. I've got code to do this and can supply a patch.
> 
> 
> Sounds good, modulo whatever you mean by "matching principal".

A matching principal is one which is identical to one being searched for
apart from its realm. i.e. if searching for

host/foo.bar.com@""

then 

host/foo.bar.com@ACME.COM or host/foo.bar.com@ACME2.COM

are matching principals.

-M
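
The matching rule described in the message above, as an added example that is not part of the original post and is not MIT krb5 code. It works on plain principal strings rather than the krb5 API; the function names and the sample keytab are hypothetical, and the referral realm is assumed to be written as an empty realm after the `@`.

```c
#include <stdio.h>
#include <string.h>

/* Offset of the unescaped '@' that starts the realm, or strlen(name). */
static size_t realm_sep(const char *name)
{
    size_t i;
    for (i = 0; name[i] != '\0'; i++) {
        if (name[i] == '\\' && name[i + 1] != '\0')
            i++;                      /* skip the escaped character */
        else if (name[i] == '@')
            break;
    }
    return i;
}

/* Matching principals: identical apart from the realm. */
int same_name_ignoring_realm(const char *a, const char *b)
{
    size_t la = realm_sep(a), lb = realm_sep(b);
    return la == lb && memcmp(a, b, la) == 0;
}

/* Realm to use for `client`: its own realm if one is set, otherwise the
 * realm of the first matching keytab entry, otherwise NULL. */
const char *resolve_realm(const char *client, const char *const *kt, size_t n)
{
    size_t i, sep = realm_sep(client);
    if (client[sep] != '@')
        return NULL;                  /* no realm part at all */
    if (client[sep + 1] != '\0')
        return client + sep + 1;      /* explicit realm: keep it */
    for (i = 0; i < n; i++) {         /* empty (referral) realm */
        sep = realm_sep(kt[i]);
        if (kt[i][sep] == '@' && kt[i][sep + 1] != '\0' &&
            same_name_ignoring_realm(client, kt[i]))
            return kt[i] + sep + 1;
    }
    return NULL;
}
/* Constructed sample keytab; order matters because the first match wins. */
static const char *const sample_keytab[] = {
    "nfs/foo.bar.com@ACME.COM",
    "host/foo.bar.com@ACME2.COM",
    "host/foo.bar.com@ACME.COM",
};
int main(void)
{
    const char *r = resolve_realm("host/foo.bar.com@", sample_keytab, 3);
    return printf("%s\n", r ? r : "(no match)") < 0;
}
```

With this sample keytab the result is ACME2.COM rather than ACME.COM, because the chosen realm depends on keytab order when the same name exists in more than one realm.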




