On 06/11/2013 11:41 AM, Jan-Marek Glogowski wrote:
> The following question came to my mind: Can there be multiple keys with
> the same encryption type and matching principal in the same keytab?

Absolutely. The server argument might even be NULL, in which case krb5_sname_match() will always return true.

> If there might be multiple matches, the alternative second patch would
> catch the last error from try_one_entry, which might be more helpful
> than the current situation.

That would have the unfortunate side effect of turning legitimate wrong-principal errors into KRB5KRB_AP_ERR_BAD_INTEGRITY errors.

The current error handling does make it hard to diagnose a number of server misconfigurations. This one is pretty easy to detect at a higher layer (if req->ticket->enc_part.enctype isn't valid or permitted, return an error before even looking at the keytab), but some others are trickier, such as an out-of-date keytab.

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
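The masking effect described in the reply, as an added model (not code from the thread or from krb5): a keytab scan over entries that match the ticket's enctype and, when server is NULL, any principal, with "report the last try_one_entry error" beside the existing behaviour. Assumptions: a keyed HMAC stands in for ticket decryption, the permitted-enctype set is constructed, and the existing behaviour is modelled as returning KRB5KRB_AP_ERR_NOT_US when no key worked (the real no-match code is not stated on the page).

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

class KeytabEntry(NamedTuple):
    principal: str
    enctype: str
    key: bytes

class Ticket(NamedTuple):
    enctype: str
    tag: bytes  # stands in for the encrypted part of the ticket

# Enctypes this modelled server accepts (constructed for the example).
PERMITTED_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

def issue_ticket(entry: KeytabEntry) -> Ticket:
    """Toy stand-in for encryption: an HMAC under the entry's key."""
    return Ticket(entry.enctype, hmac.new(entry.key, b"ticket", hashlib.sha256).digest())

def try_one_entry(entry: KeytabEntry, ticket: Ticket) -> Optional[str]:
    """None on success, otherwise the error a failed decrypt produces."""
    expected = hmac.new(entry.key, b"ticket", hashlib.sha256).digest()
    return None if hmac.compare_digest(expected, ticket.tag) else "KRB5KRB_AP_ERR_BAD_INTEGRITY"

def decrypt_ticket(keytab, ticket, server, report_last_error):
    """server=None matches any principal (krb5_sname_match with NULL).
    report_last_error=True models the proposed patch; False the assumed existing behaviour."""
    if ticket.enctype not in PERMITTED_ENCTYPES:
        return "KRB5_BAD_ENCTYPE"  # the higher-layer check suggested in the reply
    last_error = None
    for entry in keytab:
        if entry.enctype != ticket.enctype or (server is not None and entry.principal != server):
            continue  # not a candidate key for this ticket
        err = try_one_entry(entry, ticket)
        if err is None:
            return None  # some matching key decrypted the ticket
        last_error = err
    if report_last_error and last_error is not None:
        return last_error  # every candidate failed; wrong principal now looks like bad integrity
    return "KRB5KRB_AP_ERR_NOT_US"  # assumed existing no-match error

# Constructed keytab: two keys for host/a with the same enctype (old and new), plus host/b.
AES = "aes256-cts-hmac-sha1-96"
KEYTAB = [
    KeytabEntry("host/a.example.com@EXAMPLE.COM", AES, b"old-key-a"),
    KeytabEntry("host/a.example.com@EXAMPLE.COM", AES, b"new-key-a"),
    KeytabEntry("host/b.example.com@EXAMPLE.COM", AES, b"key-b"),
]
TICKET_FOR_A = issue_ticket(KEYTAB[0])  # encrypted under the older host/a key
TICKET_FOR_C = issue_ticket(KeytabEntry("host/c.example.com@EXAMPLE.COM", AES, b"key-c"))
TICKET_DES = Ticket("des-cbc-crc", b"\x00" * 32)  # enctype the server does not permit
```

With server=None, a ticket for a principal absent from the keytab fails every candidate key, so the last-error policy reports BAD_INTEGRITY where the modelled existing policy reports a wrong-principal error.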
