On 07/31/2014 03:24 AM, Michael Osipov wrote:
> That sounds reasonable and should solve the issue. Albeit, I do think that
> the detection
> algorithm could be better and pursue a best-effort/match/seldom-fail
> approach. It make the
> entire process idiot-proof.
I have opened a ticket for this:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7976
I'm not sure if the process can be made completely idiot-proof, but it
can certainly work better for the case where someone manually obtains
credentials for the same principal as the one in the client keytab. If
a person gets credentials for a different principal, it's harder to be
predictable.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
