Logic behind lib/krb5/os/k5_sendto()

Greg Hudson ghudson at mit.edu
Fri Apr 19 10:35:17 EDT 2019


On 4/19/19 4:49 AM, Дилян Палаузов wrote:
> Thanks for your answers.  On Monday I asked, if k5_sendto receives an answer from a KDC, that the realm is non-local,
> does it retry to the other KDCs, here asking the same process over a different transport protocol.

Your question was about a specific function in the client code and you
didn't specify the KDC implementation.  I took "the realm is non-local"
to mean that the KDC had some knowledge of the correct realm as a
foreign realm.  Sorry for the miscommunication.

In the scenario where the client uses the wrong realm case (so the realm
lookup succeeds in DNS due to case-insensitivity there), with all MIT
krb5 components, a typical result is the following:

  $ kinit ghudson@athena.mit.edu
  kinit: Client 'ghudson@athena.mit.edu' not found in Kerberos database while getting initial credentials

Here the KDC issues a KDC_ERR_C_PRINCIPAL_UNKNOWN error (because it
looks up ghudson@athena.mit.edu in its database and does not find it)
and the client does not retry.
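The scenario above, modelled as an added example (this is illustration code, not MIT krb5's k5_sendto or KDC code): the DNS SRV lookup for the KDC succeeds even with the realm in the wrong case because DNS names are case-insensitive, the KDC's principal lookup is an exact-string match and fails, and the client treats any KRB-ERROR reply as final. The "move on to the next KDC only when the current one does not answer" rule, the hostnames, the SRV records and the principal database are all assumptions constructed for the example; the error code value 6 for KDC_ERR_C_PRINCIPAL_UNKNOWN is from RFC 4120.

```python
"""Model of the wrong-realm-case failure described in the message above.

Added example, not MIT krb5 code.  Everything below (KDC names, SRV
records, principal database, unreachable-KDC set) is constructed for the
example; the retry rule "try the next KDC only when this one gives no
reply" is an assumption about client behaviour, not taken from the page.
"""
from dataclasses import dataclass, field
from typing import List, Optional

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6  # RFC 4120, section 7.5.9

# Constructed DNS data.  DNS is case-insensitive, so the table is keyed by
# the lower-cased owner name and lookups fold to lower case the same way.
SRV_RECORDS = {
    "_kerberos._udp.athena.mit.edu": ["kdc1.example.test", "kdc2.example.test"],
}

# Constructed KDC principal database.  Principal names are compared
# exactly, realm case included, which is why athena.mit.edu != ATHENA.MIT.EDU.
KDC_DATABASE = {"ghudson@ATHENA.MIT.EDU"}

# Constructed transport failures: these KDCs never answer at all.
UNREACHABLE = {"kdc1.example.test"}


@dataclass
class Outcome:
    status: str                      # "ok", "krb-error" or "no-reply"
    kdc: Optional[str] = None        # KDC that produced the final reply
    error: Optional[int] = None      # KRB-ERROR code, if status == "krb-error"
    attempts: List[str] = field(default_factory=list)


def locate_kdcs(realm: str) -> List[str]:
    """SRV lookup for the realm's KDCs; the name is folded like DNS does."""
    return SRV_RECORDS.get(f"_kerberos._udp.{realm.lower()}", [])


def kdc_handle_as_req(kdc: str, client_principal: str) -> Optional[int]:
    """KDC side: None means success, an int is a KRB-ERROR code.

    Raises TimeoutError when the KDC is unreachable (no reply at all).
    """
    if kdc in UNREACHABLE:
        raise TimeoutError(kdc)
    if client_principal not in KDC_DATABASE:
        return KDC_ERR_C_PRINCIPAL_UNKNOWN
    return None


def sendto_kdcs(client_principal: str) -> Outcome:
    """Client side: walk the KDC list; a timeout moves on to the next KDC,
    any actual reply (success or KRB-ERROR) ends the exchange."""
    realm = client_principal.split("@", 1)[1]
    attempts: List[str] = []
    for kdc in locate_kdcs(realm):
        attempts.append(kdc)
        try:
            err = kdc_handle_as_req(kdc, client_principal)
        except TimeoutError:
            continue  # no reply from this KDC: try the next one
        if err is None:
            return Outcome("ok", kdc=kdc, attempts=attempts)
        return Outcome("krb-error", kdc=kdc, error=err, attempts=attempts)
    return Outcome("no-reply", attempts=attempts)


def kinit(client_principal: str) -> str:
    """Render the outcome the way the message above shows kinit reporting it."""
    out = sendto_kdcs(client_principal)
    if out.status == "ok":
        return f"got initial credentials for {client_principal} from {out.kdc}"
    if out.status == "krb-error" and out.error == KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return (f"kinit: Client '{client_principal}' not found in Kerberos "
                f"database while getting initial credentials")
    return f"kinit: Cannot contact any KDC for realm '{client_principal.split('@', 1)[1]}'"


if __name__ == "__main__":
    print(kinit("ghudson@athena.mit.edu"))  # wrong realm case: KDC error, no retry
    print(kinit("ghudson@ATHENA.MIT.EDU"))  # correct case: success
    print(kinit("ghudson@NO.SUCH.REALM"))   # no SRV record: no KDC reached
```

With the wrong-case principal the DNS step still yields both KDCs, the first one times out and is skipped, and the second replies with KDC_ERR_C_PRINCIPAL_UNKNOWN, at which point the walk stops: there is nothing left to retry, because a KDC that answered has already said the principal is unknown.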

