Subject: keytab code can't match principals with realms not yet determined

The new referral support code puts determination of the realm of a
service on the KDC. On the client side, in krb5_sname_to_principal, if
we don't have explicit data in the config file (or supplied by the
application), we leave the realm as an empty string rather than applying
unreliable heuristics.

However, if the resulting principal name is used to look up an entry in
a keytab, rather than as the server name to pass off to a KDC, it will
not match any of the entries in the file.

Proposed fix: If an empty realm name is given to the keytab-reading
code, the default realm is used instead.
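
The mismatch and the proposed fallback, as an added example that is not part of the original ticket or of the krb5 source: a simplified C model in which struct princ, kt_lookup, the keytab contents and the default realm are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): a principal is a realm plus one name string.
 * Real krb5 principals carry multiple components and a name type. */
struct princ { const char *realm; const char *name; };

/* Constructed sample keytab contents and default realm. */
static const struct princ keytab[] = {
    { "EXAMPLE.COM", "host/www.example.com" },
    { "EXAMPLE.COM", "HTTP/www.example.com" },
    { "OTHER.EXAMPLE", "host/www.example.com" },
};
static const char *default_realm = "EXAMPLE.COM";

/* Exact comparison of realm and name, as a keytab lookup without the fix. */
static int princ_equal(const struct princ *a, const struct princ *b)
{
    return strcmp(a->realm, b->realm) == 0 && strcmp(a->name, b->name) == 0;
}

/* Returns the index of the matching entry, or -1. With use_default set,
 * an empty search realm is replaced by the default realm for the lookup only;
 * a non-empty realm is never rewritten. */
static int kt_lookup(const struct princ *want, int use_default)
{
    struct princ key = *want;
    size_t i;

    if (use_default && key.realm[0] == '\0')
        key.realm = default_realm;
    for (i = 0; i < sizeof(keytab) / sizeof(keytab[0]); i++)
        if (princ_equal(&keytab[i], &key))
            return (int)i;
    return -1;
}

int main(void)
{
    struct princ referral = { "", "host/www.example.com" };
    struct princ explicit_realm = { "OTHER.EXAMPLE", "host/www.example.com" };

    printf("empty realm, exact match:   %d\n", kt_lookup(&referral, 0));
    printf("empty realm, with fallback: %d\n", kt_lookup(&referral, 1));
    printf("explicit realm unchanged:   %d\n", kt_lookup(&explicit_realm, 1));
    return 0;
}
```

The fallback applies only inside the lookup and only to an empty realm, so the principal handed on to a KDC keeps its empty realm and an explicitly named realm still selects its own entry.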