To: rt@krbdev.mit.edu
Date: Sun, 28 Mar 2021 12:36:21 -0400
Subject: KCM interop issue with KRB5_TC_ flags
From: ghudson@mit.edu

MIT krb5 defines KRB5_TC_ flag bits from 0x1 to 0x200. Heimdal defines them from 1<<31 to 1<<22 so that the same flag word can also contain KRB5_GC_ flags (see lib/krb5/get_cred.c:check_cc() for instance).
In the KCM protocol, flag words containing KRB5_TC_ flag bits are used in the RETRIEVE and REMOVE_CRED operations. We don't currently use RETRIEVE, but we do use REMOVE_CRED. If any flags are specified for this operation, Heimdal/Apple KCM servers won't see our flags and sssd won't see their flags.
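The mismatch described in this ticket, as an added example that is not part of the original message and is not code from MIT krb5, Heimdal or sssd. The function names and the table are hypothetical; the per-flag bit values are assumptions taken from each project's public krb5.h and should be checked against the headers in use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed KRB5_TC_ values: MIT bit on the left, Heimdal bit on the right. */
struct tc_map { uint32_t mit, heimdal; };
static const struct tc_map tc_table[] = {
    { 0x001u, 1u << 25 },  /* MATCH_TIMES */
    { 0x002u, 1u << 22 },  /* MATCH_IS_SKEY */
    { 0x004u, 1u << 27 },  /* MATCH_FLAGS */
    { 0x008u, 1u << 26 },  /* MATCH_TIMES_EXACT */
    { 0x010u, 1u << 28 },  /* MATCH_FLAGS_EXACT */
    { 0x020u, 1u << 24 },  /* MATCH_AUTHDATA */
    { 0x040u, 1u << 29 },  /* MATCH_SRV_NAMEONLY */
    { 0x080u, 1u << 23 },  /* MATCH_2ND_TKT */
    { 0x100u, 1u << 30 },  /* MATCH_KTYPE (MIT) / MATCH_KEYTYPE (Heimdal) */
};
#define HEIMDAL_TC_MASK 0xFFC00000u  /* bits 31..22 */

/* Bits a Heimdal-layout peer recognizes if the MIT word is sent as-is. */
static uint32_t heimdal_view_of_raw(uint32_t mit_flags)
{
    return mit_flags & HEIMDAL_TC_MASK;
}

/* Translate MIT bits to the Heimdal layout; report bits with no mapping. */
static uint32_t mit_to_heimdal_tcflags(uint32_t mit_flags, uint32_t *unmapped)
{
    uint32_t out = 0, seen = 0;
    for (size_t i = 0; i < sizeof(tc_table) / sizeof(tc_table[0]); i++) {
        if (mit_flags & tc_table[i].mit) {
            out |= tc_table[i].heimdal;
            seen |= tc_table[i].mit;
        }
    }
    if (unmapped != NULL)
        *unmapped = mit_flags & ~seen;
    return out;
}

int main(void)
{
    uint32_t left, req = 0x001u | 0x002u;  /* constructed sample flag word */
    printf("raw word as seen by peer: 0x%08x\n", (unsigned)heimdal_view_of_raw(req));
    printf("translated word:          0x%08x\n", (unsigned)mit_to_heimdal_tcflags(req, &left));
    printf("unmapped MIT bits:        0x%x\n", (unsigned)left);
    return 0;
}
```

Because the two ranges do not overlap, an untranslated word is read by the peer as "no match flags", so a REMOVE_CRED request would be matched less strictly than the caller asked for.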