Skip Menu |
 

Subject: Use fallback realm in ccache selection
When we added referral support, we divided the host-to-realm facilities
into authoritative (such as [domain_realm] configuration) and fallback
(such as uppercasing the parent domain). Authoritative results are used
prior to referrals, while fallback results are used only after we try to
get a referral from the local KDC.

ccache selection via krb5_cc_select() cannot make use of referrals
because we haven't yet chosen what ccache to use for the TGS request.
So it probably makes sense to use the fallback realm when selecting the
ccache.