[19919] in Kerberos_V5_Development


Re: Logic behind lib/krb5/os/k5_sendto()

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Apr 18 17:48:33 2019

To: Дилян Палаузов <dilyan.palauzov@aegee.org>,
        <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <05104129-9364-8d63-7266-3444c28545d1@mit.edu>
Date: Thu, 18 Apr 2019 17:48:05 -0400
In-Reply-To: <0632d95891c794e045e4d857898abb2a668555bd.camel@aegee.org>

On 4/18/19 5:08 PM, Дилян Палаузов wrote:
> Does krb5kdc return KDC_ERR_WRONG_REALM?

The MIT KDC only returns KDC_ERR_WRONG_REALM if it looks up the client
principal and gets a realm referral from the database.  This typically
requires a third-party database module like Samba or FreeIPA.

> Does canonicalization only work if the host where kinit is called has the right dns-domain (so no canonicalization
> happens, if host ab.cd.ef.gh calls “kinit ij@example.org”)?

The client hostname doesn't normally have an impact on AS requests.

> Does the cache also store error answers, like answers about non existing users and answers about NON-LOCAL realms?

Yes; it just maps request packets to reply packets, so any kind of reply
packet is cached.