Proposed Behavior change: don't fail when krb5_sname_to_principal cannot canonicalize input

Nico Williams nico at
Fri Oct 14 17:15:51 EDT 2011

On Fri, Oct 14, 2011 at 3:47 PM, Sam Hartman <hartmans at> wrote:
> I don't have a problem if someone proposes updating my patch with a
> single search entry support.  (It's possible to do multiple search
> entries against a KDC with significantly more code restructuring.)
> However it's sounding like people agree that the patch would be an
> improvement and doesn't sound like it creates trouble for things we want
> or might want in the future.

My patches are rather non-intrusive, actually, since the two main
functions where we need the list applied can be trivially wrapped:
krb5_get_credentials() and krb5_kt_get_entry().  An async
krb5_get_credentials() extension, done right (you'd have to try hard
to get it wrong, I think), would also result in a very unintrusive
just-wrap-it implementation.


More information about the krbdev mailing list