regression due to referral realm

Nicolas Williams Nicolas.Williams at sun.com
Tue Feb 10 14:12:12 EST 2009


On Tue, Feb 10, 2009 at 02:06:39PM -0500, Tom Yu wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> writes:
> 
> > On Tue, Feb 10, 2009 at 01:34:32PM -0500, Sam Hartman wrote:
> >> Hmm.  I would have assumed you wanted to substitute in the default
> >> realm or the realm of the host.  However this fix seems reasonable if
> >> more complicated behavior than the previous code.
> >
> > In a zero-conf world there may not be a default realm.  The realm of the
> > host is a reasonable approach, though it does require searching for it.
> 
> If you have a keytab, you are almost by definition not zero-conf.

I don't agree.

You can have a machine account and still not have a suitable notion of
default realm.

In our case this bug caused a regression.  One way to deal with this is
to use the default realm and then change the realm-join code in the CIFS
server to always ensure that default realm is set.  Mark's solution is
more fool-proof and self-contained than that.

Arguably it could cause the system to be a bit more sensitive to keytab
entry order in the very rare case that you have something like this: a)
machine accounts for the same machine name in multiple realms, b) no
default realm, *and* c) you actually care as to which machine name will
be used in krb5_get_init_creds_keytab() cases.  (b) could be made a
non-issue by trying the use of a default realm first, if there is one,
but I don't think (c) will ever be true given (a).  (And, given (a),
it's not necessarily the case that the host's realm can be determined in
a deterministic way either.)

Nico
-- 
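The selection problem Nico describes (cases (a), (b) and (c) above), as an added illustrative model that is not MIT krb5 code: given a keytab and a host name with no realm, the function tries `name@default_realm` first when a default realm exists, otherwise falls back to the first matching entry in keytab order, which is exactly where entry order becomes observable. The keytab contents and realm names are constructed.

```python
# Illustrative model (not MIT krb5 source) of picking a client principal from a
# keytab when only the name is known, as in krb5_get_init_creds_keytab() usage.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KeytabEntry:
    principal: str  # full principal, e.g. "host/fs1.example.com@CORP.EXAMPLE.COM"
    kvno: int       # key version number (not used for selection here)


def principal_name(principal: str) -> str:
    return principal.rsplit("@", 1)[0]


def principal_realm(principal: str) -> str:
    return principal.rsplit("@", 1)[1]


def pick_client_principal(keytab, name: str, default_realm: Optional[str] = None) -> Optional[str]:
    """Choose the principal to initialise credentials for.

    1. With a default realm configured, prefer name@default_realm if the
       keytab holds it (this removes sensitivity to keytab order, case (b)).
    2. Otherwise take the first entry, in keytab order, whose name matches.
    3. Return None when nothing matches."""
    if default_realm is not None:
        for entry in keytab:
            if entry.principal == f"{name}@{default_realm}":
                return entry.principal
    for entry in keytab:
        if principal_name(entry.principal) == name:
            return entry.principal
    return None


def entry_order_sensitive(keytab, name: str) -> bool:
    """True when case (a) holds: the same name has entries in more than one
    realm, so without a default realm the choice depends on keytab order."""
    realms = {principal_realm(e.principal) for e in keytab if principal_name(e.principal) == name}
    return len(realms) > 1


# Constructed sample keytab: one machine name joined to two realms.
SAMPLE_KEYTAB = [
    KeytabEntry("host/fs1.example.com@CORP.EXAMPLE.COM", 3),
    KeytabEntry("host/fs1.example.com@LAB.EXAMPLE.COM", 1),
    KeytabEntry("nfs/fs1.example.com@LAB.EXAMPLE.COM", 1),
]

if __name__ == "__main__":
    print(pick_client_principal(SAMPLE_KEYTAB, "host/fs1.example.com"))
    print(pick_client_principal(SAMPLE_KEYTAB, "host/fs1.example.com", "LAB.EXAMPLE.COM"))
```

Reversing `SAMPLE_KEYTAB` changes the answer only for the no-default-realm call, which is the order sensitivity the thread discusses.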