From: hartmans@mit.edu
Subject: SVN Commit

Set the canonicalize flag in TGS requests and accept cross-realm referral tickets. We do not yet accept tickets in which the server name changes.

* krb5_sname_to_principal: If there is no domain realm mapping return null realm
* krb5_get_cred_via_tkt: New behavior as described below

1) the referrals case:
  - check for TGT for initial realm
  - if a remote realm was specified (which must have happened via a domain_realm mapping), obtain a TGT for it the standard way and start with that.
  - use client realm for server if not specified
  - iterate through this loop:
    - request ticket with referrals turned on
    - if that fails:
      - if this was the first request, punt to non-referrals case
      - otherwise, retry once without referrals turned on then terminate either way
    - if it works, either use the service ticket or follow the referral path
    - if loop count exceeded, hardfail

2) the nonreferrals case
  - this is mostly the old walk_realm_tree TGT-finding (which allows limited shortcut referrals per 4120) followed by a standard tgs-req.
  - originally requested principal is used for this, although if we were handed something without a realm, determine a fallback realm based on DNS TXT records or a truncation of the domain name.

Commit By: hartmans
Revision: 18598
Changed Files:
_U trunk/
U trunk/src/appl/telnet/libtelnet/kerberos5.c
U trunk/src/include/k5-int.h
U trunk/src/include/krb5/krb5.hin
U trunk/src/lib/krb5/krb/copy_princ.c
U trunk/src/lib/krb5/krb/gc_frm_kdc.c
U trunk/src/lib/krb5/krb/gc_via_tkt.c
U trunk/src/lib/krb5/krb/parse.c
U trunk/src/lib/krb5/krb/princ_comp.c
U trunk/src/lib/krb5/krb/walk_rtree.c
U trunk/src/lib/krb5/libkrb5.exports
U trunk/src/lib/krb5/os/hst_realm.c
U trunk/src/lib/krb5/os/sn2princ.c
U trunk/src/lib/krb5_32.def
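
The referrals case from the commit message above, as an added C sketch that is not the MIT krb5 code from this commit: a constructed realm table stands in for the KDCs, and `tgs_req`, `get_cred`, the `*.EXAMPLE` realms and the `MAX_REFERRALS` cap of 5 are assumptions made for illustration. The non-referrals case (the walk_realm_tree path) is reduced to a return code; the point is how the loop bound stops a referral cycle and when the fallback applies.

```c
#include <stdio.h>
#include <string.h>
/* Constructed KDC model (assumption, not krb5 code): how a realm answers a TGS request. */
enum reply { SERVICE_TKT, REFERRAL_TGT, KDC_ERROR };
struct realm { const char *name, *refer_to; int has_service, knows_referrals; };

static const struct realm realms[] = {
    { "A.EXAMPLE", "B.EXAMPLE",    0, 1 },
    { "B.EXAMPLE", "C.EXAMPLE",    0, 1 },
    { "C.EXAMPLE", NULL,           1, 0 }, /* rejects canonicalize requests */
    { "X.EXAMPLE", "Y.EXAMPLE",    0, 1 }, /* X and Y refer to each other */
    { "Y.EXAMPLE", "X.EXAMPLE",    0, 1 },
    { "E.EXAMPLE", "GONE.EXAMPLE", 0, 1 }, /* refers to an unreachable realm */
};

static enum reply tgs_req(const char *realm, int canonicalize, const char **next) {
    for (size_t i = 0; i < sizeof realms / sizeof realms[0]; i++) {
        const struct realm *r = &realms[i];
        if (strcmp(r->name, realm) != 0) continue;
        if (canonicalize && !r->knows_referrals) return KDC_ERROR;
        if (r->has_service) return SERVICE_TKT;
        if (canonicalize && r->refer_to) { *next = r->refer_to; return REFERRAL_TGT; }
        return KDC_ERROR;
    }
    return KDC_ERROR; /* unknown realm */
}

enum outcome { GOT_TICKET, NONREFERRAL_CASE, FAILED, HARDFAIL };
#define MAX_REFERRALS 5 /* assumed cap; the commit message gives no number */

static enum outcome get_cred(const char *realm, int *hops) {
    const char *next = NULL;
    for (*hops = 0; *hops < MAX_REFERRALS; (*hops)++) {
        enum reply r = tgs_req(realm, 1, &next);
        if (r == SERVICE_TKT) return GOT_TICKET;
        if (r == KDC_ERROR) {
            if (*hops == 0) return NONREFERRAL_CASE; /* first request: punt */
            /* later request: retry once without referrals, then terminate */
            return tgs_req(realm, 0, &next) == SERVICE_TKT ? GOT_TICKET : FAILED;
        }
        realm = next; /* follow the referral to the next realm */
    }
    return HARDFAIL; /* loop count exceeded, e.g. a referral cycle */
}

int main(void) {
    const char *start[] = { "A.EXAMPLE", "X.EXAMPLE", "E.EXAMPLE", "C.EXAMPLE" };
    for (int i = 0, hops; i < 4; i++)
        printf("%s -> outcome %d\n", start[i], get_cred(start[i], &hops));
    return 0;
}
```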