Bug#482681: krb5 - NEWS file does not match documentation

Wed, 04 Jun 2008 07:56:46 -0700 

>>>>> "Bastian" == Bastian Blank <[EMAIL PROTECTED]> writes:

    Bastian> On Sat, May 24, 2008 at 10:05:26AM -0700, Russ Allbery
    Bastian> wrote:
    >> NEWS.Debian is correct.  The documentation predates referral
    >> support.  Thanks, I'll work on getting this fixed, hopefully
    >> for the next upstream release.

    Bastian> I was not able to find that in the code, but some parts
    Bastian> of the old behaviour seems to be still there:

    Bastian> | $ kvno host/$somehost@ | kvno: KDC returned error
    Bastian> string: PROCESS_TGS while getting credentials for
    Bastian> host/$somehost@ | $ klist | Default principal:
    Bastian> [EMAIL PROTECTED]
    Bastian> | 
    Bastian> | Valid starting Expires Service principal | 06/03/08
    Bastian> 15:13:13 06/04/08 01:13:13 krbtgt/[EMAIL PROTECTED]
    Bastian> | renew until 06/04/08 15:13:11 | 06/03/08 15:15:26
    Bastian> 06/04/08 01:13:13 krbtgt/[EMAIL PROTECTED] | renew until
    Bastian> 06/04/08 15:13:11

    Bastian> log: | TGS_REQ [...]: UNKNOWN_SERVER: authtime
    Bastian> 1212498967, [EMAIL PROTECTED] for
    Bastian> host/[EMAIL PROTECTED], Server not found in Kerberos
    Bastian> database | TGS_REQ [...]: ISSUE: authtime 1212498967,
    Bastian> etypes {rep=18 tkt=18 ses=18}, [EMAIL PROTECTED] for
    Bastian> krbtgt/[EMAIL PROTECTED]

    Bastian> After trying to find the principal in the default realm,
    Bastian> it seems to use the old behaviour and tries to find a
    Bastian> trust path to the domain derived realm. The domain_realm
    Bastian> section in the config is empty.

The news file talks about a change in how servers find their own keys,
not about the client side behavior.  It's true that the client side
behavior has changed, but the ideal is that if your KDC does not
return referrals then the only client-side difference you should see
is some null realms in klist output.  We have not quite reached that
ideal yet.  However the server behavior has changed regarding where a
server expects to find its key in a keytab, prompting the news entry.




-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to