Srinivas Kakde <[EMAIL PROTECTED]> writes: > There is an old posting to samba-technical > > http://lists.samba.org/archive/samba-technical/2007-July/054354.html > > This message says: From a security standpoint, allowing the server to > specify its service principal is a "bad idea". > > Why it a bad idea?
If the client trusts the server's assertion of what Kerberos service it is, a server with any service principal in either the client's realm or a realm with which it has cross-realm trust can then pretend to be any service without failing mutual authentication. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
