question about krb5_verify_init_creds() and verify_ap_req_nofail

Will Fiveash will.fiveash at
Mon Jan 10 18:31:20 EST 2011

I was looking at krb5_verify_init_creds() in
src/lib/krb5/krb/vfy_increds.c and comparing it to the Solaris variant,


and I'm confused in regards to the handling of the
KRB5_CONF_VERIFY_AP_REQ_NOFAIL ("verify_ap_req_nofail") option.  What
confuses me is that the MIT code (and Solaris to a lesser degree) does a
number of things that could cause krb5_verify_init_creds() to return an
error before checking the setting of KRB5_CONF_VERIFY_AP_REQ_NOFAIL and
I'm wondering if this is correct.  Basically shouldn't
verify_ap_req_nofail be checked first and if it is false just return 0?

Will Fiveash
Sent using mutt, a sweet, text based e-mail app <>

More information about the krbdev mailing list