Review of ending January 10

Luke Howard lukeh at
Fri Jan 2 17:01:21 EST 2009

According to the spec it's always unqualified except for the case of  
cross-realm S4U2Self referrals. See [MS-KILE] Appendix A<9>.

Does it create a problem? Possibly, if two identically named accounts  
in different domains can collude and swap their PACs to the same  
service (and they have the same authtime). I would need to think about  
it some more. Surely Microsoft have thought about this case.


On 03/01/2009, at 5:30 AM, Sam Hartman wrote:

>>>>>> "Luke" == Luke Howard <lukeh at> writes:
>    Luke> On 01/01/2009, at 3:43 AM, Love Hörnquist Åstrand
>    Luke> wrote:
>>> Sam, Luke,
>>> In heimdal I use KRB5_PRINCIPAL_UNPARSE_NO_REALM for the logon
>>> name, and not SHORT name.
>    Luke> OK, fixed in r21656.
> Does this create a problem if you have cross-domain PACs?
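The comparison being discussed, as an added example that is not part of this thread and is not Heimdal or MIT code: it decodes a PAC_CLIENT_INFO buffer (ClientId FILETIME, NameLength, UTF-16LE Name, per [MS-PAC]) and checks it against the ticket's client and authtime, with and without the realm in the logon name. The function names, realms, authtime and exact-match string comparison are assumptions made for illustration.

```python
import struct

FILETIME_EPOCH_DELTA = 11644473600  # seconds from 1601-01-01 to 1970-01-01

def to_filetime(unix_seconds):
    """Kerberos authtime (Unix seconds) -> 100 ns ticks since 1601."""
    return (unix_seconds + FILETIME_EPOCH_DELTA) * 10_000_000

def build_client_info(authtime, logon_name):
    """Encode PAC_CLIENT_INFO: ClientId, NameLength, Name (UTF-16LE)."""
    name = logon_name.encode("utf-16-le")
    return struct.pack("<QH", to_filetime(authtime), len(name)) + name

def parse_client_info(buf):
    """Decode PAC_CLIENT_INFO, rejecting truncated or odd-length names."""
    if len(buf) < 10:
        raise ValueError("PAC_CLIENT_INFO shorter than fixed header")
    client_id, name_len = struct.unpack_from("<QH", buf, 0)
    if name_len % 2 or 10 + name_len > len(buf):
        raise ValueError("bad NameLength")
    return client_id, buf[10:10 + name_len].decode("utf-16-le")

def unparse(principal, with_realm):
    """principal is (components, realm); with_realm=False models NO_REALM."""
    components, realm = principal
    name = "/".join(components)
    return f"{name}@{realm}" if with_realm else name

def client_info_matches(buf, principal, authtime, with_realm=False):
    """True when the PAC's logon name and ClientId match the ticket client."""
    client_id, name = parse_client_info(buf)
    return (client_id == to_filetime(authtime)
            and name == unparse(principal, with_realm))

# Constructed sample data: same account name in two realms, same authtime.
AUTHTIME = 1230933681
ALICE_A = (["alice"], "A.EXAMPLE")
ALICE_B = (["alice"], "B.EXAMPLE")
UNQUALIFIED = build_client_info(AUTHTIME, unparse(ALICE_A, False))
QUALIFIED = build_client_info(AUTHTIME, unparse(ALICE_A, True))

if __name__ == "__main__":
    for label, buf, flag in (("unqualified", UNQUALIFIED, False),
                             ("qualified", QUALIFIED, True)):
        print(label, "A:", client_info_matches(buf, ALICE_A, AUTHTIME, flag),
              "B:", client_info_matches(buf, ALICE_B, AUTHTIME, flag))
```

This models only the PAC_CLIENT_INFO name and authtime comparison; verification of the PAC signatures is a separate step and is not modelled here.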


More information about the krbdev mailing list