Received: from ginger.cmf.nrl.navy.mil (ginger.cmf.nrl.navy.mil [134.207.10.161]) by krbdev.mit.edu (8.9.3p2) with ESMTP id MAA27087; Wed, 21 Jul 2004 12:25:28 -0400 (EDT)
Received: from cmf.nrl.navy.mil (elvis.cmf.nrl.navy.mil [134.207.10.38]) (authenticated bits=0) by ginger.cmf.nrl.navy.mil (8.12.11/8.12.11) with ESMTP id i6LGPMRZ001927 for <rt@krbdev.mit.edu>; Wed, 21 Jul 2004 12:25:23 -0400 (EDT)
Message-Id: <200407211625.i6LGPMRZ001927@ginger.cmf.nrl.navy.mil>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2641] KRB5_KDB_DISALLOW_SVR flag unnecessarily prevents User2User 
In-Reply-To: <rt-2641-11497.2.05374823398373@krbdev.mit.edu> 
X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4 WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e`
Date: Wed, 21 Jul 2004 12:25:23 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
X-Spam-Score: () hits=0 User Authenticated
X-Virus-Scanned: NAI Completed
X-Scanned-BY: MIMEDefang 2.30 (www . roaringpenguin . com / mimedefang)
RT-Send-Cc: 
X-RT-Original-Encoding: iso-8859-1
Content-Length: 719

>    kenh@cmf> FWIW, I think people expect U2U to work all of the time
>    kenh@cmf> (while I think that there may be some reason I can't
>    kenh@cmf> imagine for people to want to turn it off, all of the
>    kenh@cmf> ones I'm aware of are inadvertent because they turned
>    kenh@cmf> off allow_svr on user principals).  And as I read
>    kenh@cmf> things, allow_svr is off by default.
>
>I'm thinking of cases where the principal is partially or fully
>disabled.

By "fully" disabled, you mean they set DISALLOW_ALL_TIX, right?  As
I read the patch, that wouldn't affect that; if you set it, it would
still disallow U2U for that principal.  And I guess I don't know
what partially disabled is, exactly.

--Ken