
Subject: KDC can return host referral to its own realm
If we don't find the service principal in a TGS request, and it looks
like a host-based principal, we return a realm referral if we can look up
the realm in the KDC's domain_realm configuration.

We should not do this if the realm we find is the same as the service
realm. Receiving a referral back to the same realm is only going to
confuse the client. In the best case, the client will detect this case
and fall back to a request without the canonicalize flag (see #4955 and
#7016); in the worst case, the client might overwrite its cached local
TGT (reportedly true on OS X 10.7).
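
The decision described in this ticket, as an added Python model (not krb5 source and not part of the ticket): it shows the referral lookup returning the service realm itself and the same-realm check that suppresses it. The realm names, the `DOMAIN_REALM` table, the host-based heuristic and the `fixed` switch are assumptions made for illustration.

```python
# Simplified model of the KDC referral decision (added example, not krb5 source).
# The table below is constructed sample data in the style of [domain_realm].
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",          # domain entry (leading dot)
    "build.example.com": "LAB.EXAMPLE.COM",  # host entry overrides the domain
}


def lookup_realm(host, table):
    """Map a hostname to a realm: exact host entry first, then parent domains."""
    name = host.lower()
    if name in table:
        return table[name]
    while "." in name:
        name = name.split(".", 1)[1]        # drop the leftmost label
        if "." + name in table:
            return table["." + name]
    return None


def is_host_based(principal):
    """Assumed heuristic: exactly two components, the second a dotted hostname."""
    parts = principal.split("/")
    return len(parts) == 2 and "." in parts[1]


def referral_realm(principal, service_realm, table, fixed=True):
    """Called after the principal lookup in service_realm has failed.

    Returns the realm to refer the client to, or None for "no referral"
    (the original not-found result stands).
    """
    if not is_host_based(principal):
        return None
    realm = lookup_realm(principal.split("/")[1], table)
    if realm is None:
        return None
    if fixed and realm == service_realm:
        return None                          # same realm: referral would loop
    return realm


if __name__ == "__main__":
    for princ in ("host/web.example.com", "host/build.example.com", "krbtgt/X"):
        before = referral_realm(princ, "EXAMPLE.COM", DOMAIN_REALM, fixed=False)
        after = referral_realm(princ, "EXAMPLE.COM", DOMAIN_REALM)
        print(f"{princ:24} before={before} after={after}")
```
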
From: ghudson@mit.edu
Subject: SVN Commit

Don't return a host referral to the service realm

A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst. Don't
respond with one in the KDC.

https://github.com/krb5/krb5/commit/ee0d5eac353a13a194759b72cb44203fda1bf0fa
Author: Greg Hudson <ghudson@mit.edu>
Commit: ee0d5eac353a13a194759b72cb44203fda1bf0fa
Branch: master
src/kdc/do_tgs_req.c | 4 +++-
src/tests/Makefile.in | 1 +
src/tests/t_referral.py | 21 +++++++++++++++++++++
3 files changed, 25 insertions(+), 1 deletions(-)
From: tlyu@mit.edu
Subject: SVN Commit

Don't return a host referral to the service realm

A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst. Don't
respond with one in the KDC.

(cherry picked from commit ee0d5eac353a13a194759b72cb44203fda1bf0fa)

https://github.com/krb5/krb5/commit/890ab3119c83c0adc0b61c1c389356b83090c8ee
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 890ab3119c83c0adc0b61c1c389356b83090c8ee
Branch: krb5-1.11
src/kdc/do_tgs_req.c | 4 +++-
src/tests/Makefile.in | 1 +
src/tests/t_referral.py | 21 +++++++++++++++++++++
3 files changed, 25 insertions(+), 1 deletions(-)