KDB and referrals/aliases

Greg Hudson ghudson at MIT.EDU
Wed Sep 2 13:36:10 EDT 2009

On Tue, 2009-09-01 at 13:42 -0400, Luke Howard wrote:
> Finally, note that for ease of implementation, the backend can always
> return the canonical principal name: the KDC will determine which name
> to return to the client based on its own policy and the setting of the
> canonicalize KDC option.

I'm not sure in what sense this is true.  If I remove the
KRB5_KDB_FLAG_CANONICALIZE check from our LDAP back end, then the
behavior of the as-req path changes noticeably:

  1. kinit realname --> tickets
  2. kinit aliasname --> working tickets as aliasname
  3. kinit -C aliasname --> tickets as realname

In current 1.7, case 2 results in a lookup failure.
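The three kinit cases above can be modelled as the interaction of two separate decisions: whether the KDB back end resolves an alias when the KDC has not passed the canonicalize flag, and whether the KDC rewrites the client name in the reply. The following is an added example, not code from MIT krb5 or from anyone in this thread; the principal names, the alias table, the flag constant and the function names are all constructed for illustration, and the policy that the KDC only renames the client when the canonicalize option was requested is an assumption drawn from the three cases listed in the message.

```python
# Added example (not MIT krb5 code): a small model of the AS-REQ name-handling
# split between the KDB back end and the KDC. Names and data are constructed.

class LookupFailure(Exception):
    """Stands in for the KDC's "client not found" error."""


# Constructed principal database: canonical name -> entry; aliases point at it.
KDB = {
    "alice@EXAMPLE.COM": {"canonical": "alice@EXAMPLE.COM"},
}
ALIASES = {"alice.smith@EXAMPLE.COM": "alice@EXAMPLE.COM"}

CANONICALIZE = 0x01  # stands in for KRB5_KDB_FLAG_CANONICALIZE (assumed value)


def kdb_lookup(name, flags, *, backend_checks_flag):
    """Model of a KDB back end's principal lookup.

    backend_checks_flag=True models a back end that resolves aliases only when
    the KDC passes the CANONICALIZE flag (the 1.7 behaviour described above).
    backend_checks_flag=False models the simplified back end that always
    resolves aliases and returns the canonical entry.
    """
    if name in KDB:
        return KDB[name]
    if name in ALIASES:
        if backend_checks_flag and not (flags & CANONICALIZE):
            raise LookupFailure(name)
        return KDB[ALIASES[name]]
    raise LookupFailure(name)


def kdc_as_req(requested_name, canonicalize_option, *, backend_checks_flag):
    """Model of the KDC AS-REQ path: returns the client name placed in the ticket."""
    flags = CANONICALIZE if canonicalize_option else 0
    entry = kdb_lookup(requested_name, flags,
                       backend_checks_flag=backend_checks_flag)
    # Assumed KDC policy: rename the client only if it asked for canonicalization.
    return entry["canonical"] if canonicalize_option else requested_name


def run_cases(backend_checks_flag):
    """Runs the three kinit cases; returns the ticket name or 'lookup failure'."""
    cases = [
        ("kinit realname", "alice@EXAMPLE.COM", False),
        ("kinit aliasname", "alice.smith@EXAMPLE.COM", False),
        ("kinit -C aliasname", "alice.smith@EXAMPLE.COM", True),
    ]
    results = {}
    for label, name, canon in cases:
        try:
            results[label] = kdc_as_req(name, canon,
                                        backend_checks_flag=backend_checks_flag)
        except LookupFailure:
            results[label] = "lookup failure"
    return results


if __name__ == "__main__":
    for mode in (True, False):
        print("back end checks CANONICALIZE flag:", mode)
        for label, result in run_cases(mode).items():
            print(f"  {label:20} -> {result}")
```

With the flag check in place, the second case fails at lookup time; with the back end always canonicalizing, all three cases succeed and the KDC's own policy decides whether the alias or the canonical name ends up in the ticket.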

