Logic behind lib/krb5/os/k5_sendto()

Greg Hudson ghudson at mit.edu
Thu Apr 18 17:48:05 EDT 2019

On 4/18/19 5:08 PM, Дилян Палаузов wrote:
> Does krb5kdc return KDC_ERR_WRONG_REALM?

The MIT KDC only returns KDC_ERR_WRONG_REALM if it looks up the client
principal and gets a realm referral from the database.  This typically
requires a third-party database module like Samba or FreeIPA.

> Does canonicalizaiton only work if the host where kinit is called has the right dns-domain (so no canonicalization
> happens, if host ab.cd.ef.gh calls “kinit ij at example.org”?

The client hostname doesn't normally have an impact on AS requests.

> Does the cache also store error answers, like answers about non existing users and answers about NON-LOCAL realms?

Yes; it just maps request packets to reply packets, so any kind of reply
packet is cached.

More information about the krbdev mailing list