|KDC should not check transited policy on intermediat tgts
|Thu, 3 Apr 2003 11:09:25 -0500 (EST)
|hartmans@MIT.EDU (Sam Hartman)
Section 1.1 of Kerberos clarifications recommends that even if the KDC
is doing transited policy checking, only the KDC closest to the
application should do so. I propose that we make krb5_rd_req have an
option to turn TP checking into a non-fatal condition and use this
option to avoid doing TP checking on intermediate KDCs.
I don't think this should be a 1.3 feature although I would like to
see it in 1.3.1.