tkt->client must be equal to in_cred->client

Sam Hartman hartmans at MIT.EDU
Wed Feb 25 09:45:18 EST 2009

>>>>> "Nikhil" == Nikhil Mishra <nikhilm at> writes:

    Nikhil> Hi All , I have been working on developing client support
    Nikhil> for MS S4U extensions in MIT kerberos .

I'd really recommend you sit down and do a project writeup on; you should have access there.

I think it would be a lot easier for me to evaluate what you're doing
with a reasonably complete design laid out rather than one chunk at a

For example it is not obvious to me that krb5_get_credentials is the
right place to do this.  Unfortunately, krb5_get_credentials is not a
very extensible API.  The credentials structure is public so it cannot
change.  It may well be that when you think through all the options,
this is the best choice; I expect you've thought through these issues,
but the rest of us have not, and as a result have trouble following

    Nikhil> 2. In krb5_get_cred_via_tkt() there is a strict checking
    Nikhil>      /* tkt->client must be equal to in_cred->client */ if
    Nikhil> (!krb5_principal_compare(context, tkt->client,
    Nikhil> in_cred->client)) return KRB5_PRINC_NOMATCH;

    Nikhil>     Why are we checking for this equality here ?

As best I can tell, it's a local sanity check. in_cred->client is the
client identity on whose behalf you're getting a ticket.  In the
Kerberos protocol without S4U that identity only appears in the
ticket.  So if that check is not present, the API effectively has a
client parameter that is never actually checked.

I think relaxing the check in the S4U case would be reasonable.

Since krb5_get_cred_via_tkt is an internal API, it might also be
reasonable to move the check into its callers if they are in a better
position to know whether S4U is happening.

