Thanks Steve. Per discussion with Emmanuel, +kerby@ mailing list.

>> that value shouldn't be hard-coded because there are cases where it needs to 
>> have a different value.
Below is the only change the commit made, so that is what you meant. The change is only 
for the makeTgsPrincipal method, which only involves the TGS principal (krbtgt); a normal 
server principal won't/shouldn't go here.
     public static PrincipalName makeTgsPrincipal(String realm) {
         String nameString = KrbConstant.TGS_PRINCIPAL + "/" + realm + "@" + 
realm;
-        return new PrincipalName(nameString, NameType.NT_PRINCIPAL);
+        return new PrincipalName(nameString, NameType.NT_SRV_INST);
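Review bot: the switch to NT_SRV_INST matches RFC 4120 section 6.2, which lists NT-SRV-INST (2) as the name type for krbtgt, but the hunk carries no test and no documentation of the narrowed intent; consider a unit test asserting that the PrincipalName returned by makeTgsPrincipal carries NameType.NT_SRV_INST, and a Javadoc line stating the method builds only the krbtgt/REALM principal, since nothing in the method itself stops a caller from using it for an ordinary server principal.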

One thing to clarify and confirm. In MIT kinit, is there any difference between the 
resultant tickets when using a TGS-REQ with a TGT and when using -S/AS-REQ with a password 
and a normal server name (not TGS/krbtgt)?
I thought so, but haven't confirmed. Both tickets will serve as service tickets 
and can be sent to the target application server for authentication, right?

>> In the long run it might be easier to give the client a couple methods like:
>>1)  retrieveTgt(AsRequest)
>>2)  retrieveTgs(AsRequest)
To avoid confusion, how about retrieveTgt => retrieveSgt (for service ticket), 
and retrieveTgs => retrieveTgt (for ticket granting ticket)?
Let's consider such ideas in the near term; I thought it would be good to 
relatively stabilize the API before 1.0.0. 

I will assemble such inputs for refactoring the client API and will take this 
on sometime later, when I have the CMS/X509 types done with Jiajia. Thanks Steve for the 
thoughts!

Regards,
Kai

-----Original Message-----
From: Steve Moyer [mailto:[email protected]] 
Sent: Tuesday, November 24, 2015 12:04 AM
To: Apache Directory Developers List <[email protected]>
Subject: Re: [jira] [Updated] (DIRKRB-464) Correcting the principal name type 
for the TGS principal

Actually, that value shouldn't be hard-coded because there are cases where it 
needs to have a different value. Take a look at the MIT kinit packet (with a -S 
argument) that I captured and attached to DIRKRB-440.  The MIT kinit program 
with a -S option actually retrieves a TGT with an associated server principal.  
This is different from what happens when a TGS is granted using a TGT.

This is one of those cases we discussed in the thread with Emmanuel - the 
KrbOption layer makes it tougher to handle both cases.  It would be possible to 
add a KrbOption that specifies which NameType should be used with each request, 
but that means the code will need to differentiate between the values.  And I'm 
not sure what a sane default would be, since it's normally a NameType(1) with a 
TGT request and a NameType(2) with a TGS request (from my experience).  I guess 
maybe if an S-Principal is specified, require that the S-Principal-NameType also 
be provided?

In the long run it might be easier to give the client a couple methods like:

1)  retrieveTgt(AsRequest)
2)  retrieveTgs(AsRequest)

and let the client user's code build the appropriate AsRequest.

Hope this helps!

Steve

--

“The mark of the immature man is that he wants to die nobly for a cause, while 
the mark of the mature man is that he wants to live humbly for one.” - Wilhelm 
Stekel

----- Original Message -----
From: "Kai Zheng (JIRA)" <[email protected]>
To: [email protected]
Sent: Friday, November 20, 2015 7:21:11 PM
Subject: [jira] [Updated] (DIRKRB-464) Correcting the principal name type for 
the TGS principal

[ https://issues.apache.org/jira/browse/DIRKRB-464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kai Zheng updated DIRKRB-464:
-----------------------------
    Description: The correct name type should be KRB5_NT_SRV_INST (2), instead 
of kRB5-NT-PRINCIPAL (1). The issue may not affect MIT Kerberos, but Windows 
Server 2008 R2, because the latter insists on that.  (was: The correct name type 
should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1).)

> Correcting the principal name type for the TGS principal
> --------------------------------------------------------
>
>                 Key: DIRKRB-464
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-464
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>
> The correct name type should be KRB5_NT_SRV_INST (2), instead of 
> kRB5-NT-PRINCIPAL (1). The issue may not affect MIT Kerberos, but Windows 
> Server 2008 R2, because the latter insists on that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)