[3557] in Kerberos-V5-bugs


[krbdev.mit.edu #1230] Hierarchical cross-realm seems broken

daemon@ATHENA.MIT.EDU (Sam Hartman via RT)
Sun Oct 27 15:26:13 2002

Message-Id: <rt-1230-3230.19.057098687435@krbdev.mit.edu>
In-Reply-To: <rt-1230@krbdev.mit.edu>
From: "Sam Hartman via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
To: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Sun, 27 Oct 2002 15:25:01 -0500 (EST)



The behavior described here should work as I understand the code.  I'm able to reproduce in a test setup as follows:

* FOO.SUCHDAMAGE.ORG shares a key with SUCHDAMAGE.ORG

* I get FOO.SUCHDAMAGE.ORG tickets and ask for tickets in the Athena realm.

* Since SUCHDAMAGE.ORG and ATHENA share tickets, and since the step
  from foo.suchdamage.org to suchdamage.org is hierarchical, this
  should be allowed.

However, here is what I see:

hartmans@tir-na-nogth:bar-test(1414)> ./kinit  hartmans
Password for hartmans@FOO.SUCHDAMAGE.ORG:
hartmans@tir-na-nogth:bar-test(1415)> ./kvno  host/luminous.mit.edu@ATHENA.MIT.EDU
host/luminous.mit.edu@ATHENA.MIT.EDU: Invalid message type while getting credentials
hartmans@tir-na-nogth:bar-test(1416)> ./kvno  host/luminous.mit.edu@ATHENA.MIT.EDU
host/luminous.mit.edu@ATHENA.MIT.EDU: KDC policy rejects request while getting credentials
hartmans@tir-na-nogth:bar-test(1417)>

So, I think this is broken.


