issue with MIT KDC and LDAP DS
ghudson at MIT.EDU
Sun May 24 11:25:36 EDT 2009
On Fri, 2009-05-22 at 19:59 -0400, Jeffrey Hutzelman wrote:
> Unfortunately, that error wasn't defined in RFC1510, and there are still
> clients deployed which don't behave that way, and which treat _any_ error
> response from a KDC as that realm's final word on the request
> (particularly, any response at all from a KDC is enough to escape
> send_to_kdc). For example, I don't know if current versions of Heimdal
> handle this correctly, but I know we have clients deployed that do not.
Just a factual note: from inspection of the Heimdal source code, it has
apparently handled KDC_ERR_SVC_UNAVAILABLE since June 2007 on the trunk,
slightly predating the 1.0 release branch.
More information about the krbdev