KDB and referrals/aliases
Luke Howard
lukeh at padl.com
Wed Sep 2 13:46:53 EDT 2009
On 02/09/2009, at 7:36 PM, Greg Hudson wrote:
> On Tue, 2009-09-01 at 13:42 -0400, Luke Howard wrote:
>> Finally, note that for ease of implementation, the backend can always
>> return the canonical principal name: the KDC will determine which name
>> to return to the client based on its own policy and the setting of the
>> canonicalize KDC option.
>
> I'm not sure in what sense this is true. If I remove the
> KRB5_KDB_FLAG_CANONICALIZE check from our LDAP back end, then the
> behavior of the as-req path changes noticeably:
>
> 1. kinit realname --> tickets
> 2. kinit aliasname --> working tickets as aliasname
> 3. kinit -C aliasname --> tickets as realname
>
> In current 1.7, case 2 results in a lookup failure.
What I meant was, when returning an alias, there is no need to set
entry.princ to the alias name.
-- Luke
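A small model of the policy being discussed, added here as an illustration and not code from MIT krb5 or from either poster: the back end always hands the KDC the canonical name in entry.princ, and the KDC alone decides whether the ticket carries the requested alias or the canonical name. The principal names, the directory contents and the `alias_requires_flag` switch (mimicking the 1.7 LDAP back end that only follows aliases when KRB5_KDB_FLAG_CANONICALIZE is set) are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory: canonical principal -> its aliases (hypothetical names).
DIRECTORY = {
    "alice@EXAMPLE.COM": {"alice.smith@EXAMPLE.COM", "asmith@EXAMPLE.COM"},
}


@dataclass
class KdbEntry:
    princ: str    # canonical name, as the back end stores it
    matched: str  # name the lookup was actually performed with


def kdb_lookup(name: str, canonicalize: bool,
               alias_requires_flag: bool) -> Optional[KdbEntry]:
    """Model of the KDB back end lookup.

    alias_requires_flag=True mimics the 1.7 LDAP behaviour in which an alias
    only resolves when the KDC passed the canonicalize flag; False models a
    back end that resolves aliases unconditionally and returns the canonical
    principal name regardless of which name the client asked for.
    """
    if name in DIRECTORY:
        return KdbEntry(princ=name, matched=name)
    for canon, aliases in DIRECTORY.items():
        if name in aliases:
            if alias_requires_flag and not canonicalize:
                return None  # the "case 2 lookup failure" of 1.7
            return KdbEntry(princ=canon, matched=name)
    return None


def as_req_client_name(requested: str, canonicalize: bool,
                       alias_requires_flag: bool = False) -> Optional[str]:
    """Return the client name the KDC would place in the ticket, or None if
    the AS-REQ fails. This is the KDC-side policy: entry.princ never has to be
    overwritten with the alias; the KDC echoes the requested name unless the
    client asked for canonicalization (kinit -C)."""
    entry = kdb_lookup(requested, canonicalize, alias_requires_flag)
    if entry is None:
        return None
    return entry.princ if canonicalize else requested
```

The three kinit cases from the quoted message map to `as_req_client_name("alice@EXAMPLE.COM", False)`, `as_req_client_name("asmith@EXAMPLE.COM", False)` and `as_req_client_name("asmith@EXAMPLE.COM", True)`; passing `alias_requires_flag=True` to the second reproduces the 1.7 failure.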