Logic behind lib/krb5/os/k5_sendto()

Дилян Дилян
Fri Apr 19 04:49:15 EDT 2019

Hello Greg,

thank for your answers.  On Monday I asked, if k5_sendto receives an answer from a KDC, that the realm is non-local,
does it retry to the other KDCs, here asking the same process over a different transport protocol.  

You answered, that on a client referral (KDC_ERR_WRONG_REALM) answer, k5_sendto() will return the error response, and
the higher-level logic will (if canonicalization is enabled) retry with the uppercased domain, which will contact the
same KDC.

If kdb5kdc determines that the realm is non local and no canonicalization is done or referrals are issued, does the
client / k5_sendto() retry asking other KDCs, in my case asking the same process over a different transport (UPD→TCP)?


On Thu, 2019-04-18 at 17:48 -0400, Greg Hudson wrote:
> On 4/18/19 5:08 PM, Дилян Палаузов wrote:
> > Does krb5kdc return KDC_ERR_WRONG_REALM?
> The MIT KDC only returns KDC_ERR_WRONG_REALM if it looks up the client
> principal and gets a realm referral from the database.  This typically
> requires a third-party database module like Samba or FreeIPA.
> > Does canonicalizaiton only work if the host where kinit is called has the right dns-domain (so no canonicalization
> > happens, if host ab.cd.ef.gh calls “kinit ij at example.org”?
> The client hostname doesn't normally have an impact on AS requests.
> > Does the cache also store error answers, like answers about non existing users and answers about NON-LOCAL realms?
> Yes; it just maps request packets to reply packets, so any kind of reply
> packet is cached.

More information about the krbdev mailing list