On 2014-07-31 at 17:52, Greg Hudson wrote:
> On 07/31/2014 03:24 AM, Michael Osipov wrote:
>> That sounds reasonable and should solve the issue. Albeit, I do think that
>> the detection algorithm could be better and pursue a
>> best-effort/match/seldom-fail approach. It makes the entire process
>> idiot-proof.
>
> I have opened a ticket for this:
>
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=7976

Great, waiting for this in 1.13 eagerly.

> I'm not sure if the process can be made completely idiot-proof, but it
> can certainly work better for the case where someone manually obtains
> credentials for the same principal as the one in the client keytab.

It would be better, at least.

> If a person gets credentials for a different principal, it's harder to be
> predictable.

If principals do not match, I would expect it to fail explicitly. Unless someone uses a DIR-style CC and knows how to operate with kswitch.

Michael
