[Fwd: Re: [PATCH] keytab management for ADS mode.]

Luke Howard lukeh at PADL.COM
Sun Feb 1 21:10:58 GMT 2004


>My experience was that kinit, or rather the krb5 client libs, don't like
>when tickets come back for a different principal than they were requested
>for...so the 2k KDC was sending them back OK, but kinit barfed.  Does this
>bit make them come back in the same format (seems like it would do the
>opposite)?

The bit makes them come back in the canonical form (e.g. HOST$). It's
likely that unless this bit is set you can't have an alias in the
client name field of an AS-REQ.

In order to support name canonicalization the Kerberos client 
libraries and/or kinit also need to deal with the name returned being
different to that requested. Whether you want to allow this
generally is a question of security policy.

-- Luke
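The client-side decision the reply describes, modelled as an added example (it is not code from this thread, from Samba, or from any Kerberos library): a client that sets the canonicalize KDC option in its AS-REQ has to tolerate the KDC returning tickets for a different, canonical client name, while a client that did not set it should treat a mismatched name as an error. The flag value 0x00010000 is bit 15 of the KDCOptions bit string (RFC 4120, with the canonicalize bit defined in RFC 6806); the `default_alias_policy` function, the `Principal` type and the sample principal names are assumptions about how one site might constrain the accepted renames.

```python
# Added example, not from the original message or from Samba: a model of the
# client-side check a Kerberos library or kinit needs when name
# canonicalization is in play. The policy below is hypothetical.
from dataclasses import dataclass

# KDCOptions is a 32-bit flag string (RFC 4120 section 5.4.1). Read as a
# big-endian integer, forwardable is bit 1, renewable bit 8, and the
# canonicalize option (RFC 6806) bit 15, i.e. 0x00010000.
KDC_OPT_FORWARDABLE = 0x40000000
KDC_OPT_RENEWABLE = 0x00800000
KDC_OPT_CANONICALIZE = 0x00010000


@dataclass(frozen=True)
class Principal:
    name: str   # e.g. "host/ws1.example.com" or the machine-account form "WS1$"
    realm: str  # e.g. "EXAMPLE.COM" (realms compare case-sensitively)


def parse_principal(text):
    """Split 'name@REALM' into its parts; the last '@' separates the realm."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(name, realm)


def build_kdc_options(canonicalize=False, forwardable=False, renewable=False):
    """Compose the KDCOptions word the client places in its AS-REQ."""
    opts = 0
    if forwardable:
        opts |= KDC_OPT_FORWARDABLE
    if renewable:
        opts |= KDC_OPT_RENEWABLE
    if canonicalize:
        opts |= KDC_OPT_CANONICALIZE
    return opts


def default_alias_policy(requested, returned):
    """Hypothetical site policy: accept a canonicalized name only when it stays
    in the requested realm and is the machine-account form (SHORTHOST$) of the
    host principal that was requested. Anything else is refused."""
    if requested.realm != returned.realm:
        return False
    if requested.name.startswith("host/") and returned.name.endswith("$"):
        short_host = requested.name[len("host/"):].split(".")[0].upper()
        return returned.name == short_host + "$"
    return False


def accept_client_name(requested_text, returned_text, kdc_options,
                       policy=default_alias_policy):
    """Decide whether a client should accept the cname carried in the AS-REP.

    - identical name: always fine
    - different name, canonicalize not requested: refuse (unexpected rename)
    - different name, canonicalize requested: the site policy decides
    """
    requested = parse_principal(requested_text)
    returned = parse_principal(returned_text)
    if requested == returned:
        return True
    if not kdc_options & KDC_OPT_CANONICALIZE:
        return False
    return policy(requested, returned)


if __name__ == "__main__":
    # Constructed sample exchange: the client asks for host/ws1.example.com
    # and the KDC answers with the canonical machine-account name WS1$.
    opts = build_kdc_options(canonicalize=True, forwardable=True)
    print(hex(opts))
    print(accept_client_name("host/ws1.example.com@EXAMPLE.COM",
                             "WS1$@EXAMPLE.COM", opts))
    print(accept_client_name("host/ws1.example.com@EXAMPLE.COM",
                             "WS1$@EXAMPLE.COM", build_kdc_options()))
```

The split into a mechanical rule (no canonicalize bit means no rename accepted) and a pluggable policy mirrors the point in the reply: tolerating a renamed principal is something the client must explicitly opt into, and how far to trust the KDC's rename is a local security decision rather than a protocol default.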
