Logic behind lib/krb5/os/k5_sendto()
Thu Apr 18 17:08:43 EDT 2019
> If example.org issues a client referral (KDC_ERR_WRONG_REALM) to
> EXAMPLE.ORG, k5_sendto() will return the error response, and the
> higher-level logic will (if canonicalization is enabled) retry with
> EXAMPLE.ORG, which will contact the same KDC.
Does krb5kdc return KDC_ERR_WRONG_REALM?
Does canonicalization only work if the host where kinit is called has the right dns-domain (so no canonicalization
happens, if host ab.cd.ef.gh calls “kinit ij at example.org”)?
> The KDC does have a lookaside cache which records the responses to
> recent requests, so a retransmitted request should be processed with
> less effort than processing the original request.
Does the cache also store error answers, like answers about non-existing users and answers about NON-LOCAL realms?