[11439] in Kerberos-V5-bugs
[krbdev.mit.edu #6673] S4U2Proxy and kvno error
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Fri Mar 5 15:25:44 2010
From: "Greg Hudson via RT" <rt-comment@krbdev.MIT.EDU>
Date: Fri, 5 Mar 2010 15:25:41 -0500 (EST)

The reason for not matching the name is to work with service aliases.
See http://k5wiki.kerberos.org/wiki/Projects/Aliases, specifically the
section "Server Principals". There was also some discussion of this on
krbdev in December 2008 starting here:
http://mailman.mit.edu/pipermail/krbdev/2008-December/007154.html

The change being discussed there was to krb5_rd_req, and the change to
krb5_server_decrypt_ticket_keytab didn't happen until it was necessary
in order to make S4U testing with kvno work. But the reasoning is the same.

I don't know the best resolution for your use case, because I'm not
familiar enough with AD to understand why you'd have multiple entries
in a keytab for the same key with different names.