regression due to referral realm

Mark Phalan Mark.Phalan at Sun.COM
Thu Feb 5 08:59:14 EST 2009

On Wed, 2009-02-04 at 12:15 -0800, Henry B. Hotz wrote:
> On Feb 4, 2009, at 9:14 AM, krbdev-request at wrote:
> > It seems to me that mostly this will be hit when doing initial
> > authentication with a keytab. One way to mitigate that problem would  
> > be
> > to modify krb5_get_init_creds_keytab() to check the client principal  
> > to
> > see if it is using a referral realm. If it is then take the first
> > matching principal from the keytab and use that principal's realm.
> > I've got code to do this and can supply a patch.
> Sounds good, modulo whatever you mean by "matching principal".

A matching principal is one which is identical to one being searched for
apart from its realm. i.e. if searching for



host/ at ACME.COM or host/ at ACME2.COM

are matching principals.


More information about the krbdev mailing list