Logic behind lib/krb5/os/k5_sendto()

Дилян Дилян
Thu Apr 18 17:08:43 EDT 2019

Hello Greg,

> If example.org issues a client referral (KDC_ERR_WRONG_REALM) to
> EXAMPLE.ORG, k5_sendto() will return the error response, and the
> higher-level logic will (if canonicalization is enabled) retry with
> EXAMPLE.ORG, which will contact the same KDC.

Does krb5kdc return KDC_ERR_WRONG_REALM?

Does canonicalizaiton only work if the host where kinit is called has the right dns-domain (so no canonicalization
happens, if host ab.cd.ef.gh calls “kinit ij at example.org”?

> The KDC does have a lookaside cache which records the responses to
> recent requests, so a retransmitted request should be processed with
> less effort than processing the original request.

Does the cache also store error answers, like answers about non existing users and answers about NON-LOCAL realms?


More information about the krbdev mailing list