AD-SIGNEDPATH and cross-realm

Sam Hartman hartmans at MIT.EDU
Thu Feb 4 13:40:04 EST 2010

>>>>> "ghudson" == ghudson  <ghudson at MIT.EDU> writes:

    ghudson> * If AD-SIGNEDPATH is present in the ticket and checksum
    ghudson> verification fails, we reject the TGS request even if we
    ghudson> would have accepted the ticket without AD-SIGNEDPATH at all
    ghudson> (i.e. it's not an S4U2Proxy request).  I'm pretty sure we
    ghudson> want to be more like Heimdal, and merely disallow the
    ghudson> ticket as an S4U2Proxy subject ticket if verification
    ghudson> fails.  I am likely to make this change.

I think this is a really good change

More information about the krbdev mailing list