[19918] in Kerberos_V5_Development

Re: Logic behind lib/krb5/os/k5_sendto()

daemon@ATHENA.MIT.EDU (=?UTF-8?Q?=D0=94=D0=B8=D0=BB=D1=8F)
Thu Apr 18 17:09:04 2019

Message-ID: <0632d95891c794e045e4d857898abb2a668555bd.camel@aegee.org>
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: Greg Hudson <ghudson@mit.edu>, krbdev@mit.edu
Date: Thu, 18 Apr 2019 21:08:43 +0000
In-Reply-To: <ed276b3e-ce80-eb58-6ca7-4c2ccbe39d87@mit.edu>

Hello Greg,

> If example.org issues a client referral (KDC_ERR_WRONG_REALM) to
> EXAMPLE.ORG, k5_sendto() will return the error response, and the
> higher-level logic will (if canonicalization is enabled) retry with
> EXAMPLE.ORG, which will contact the same KDC.

Does krb5kdc return KDC_ERR_WRONG_REALM?

Does canonicalization only work if the host where kinit is called has the right DNS domain (so no canonicalization
happens if host ab.cd.ef.gh calls “kinit ij@example.org”)?

> The KDC does have a lookaside cache which records the responses to
> recent requests, so a retransmitted request should be processed with
> less effort than processing the original request.

Does the cache also store error answers, like answers about non-existing users and answers about NON-LOCAL realms?

Regards
  Дилян
