issue with MIT KDC and LDAP DS

Greg Hudson ghudson at MIT.EDU
Sun May 24 11:25:36 EDT 2009

On Fri, 2009-05-22 at 19:59 -0400, Jeffrey Hutzelman wrote:
> Unfortunately, that error wasn't defined in RFC1510, and there are still 
> clients deployed which don't behave that way, and which treat _any_ error 
> response from a KDC as that realm's final word on the request 
> (particularly, any response at all from a KDC is enough to escape 
> send_to_kdc).  For example, I don't know if current versions of Heimdal 
> handle this correctly, but I know we have clients deployed that do not.

Just a factual note: from inspection of the Heimdal source code, it has
apparently handled KDC_ERR_SVC_UNAVAILABLE since June 2007 on the trunk,
slightly predating the 1.0 release branch.
