[15613] in Kerberos_V5_Development
Re: Is this TGS-REP legal now?
daemon@ATHENA.MIT.EDU (Weijun Wang)
Thu Mar 18 09:41:09 2010
MIME-version: 1.0
Date: Thu, 18 Mar 2010 21:40:14 +0800
From: Weijun Wang <Weijun.Wang@sun.com>
In-reply-to: <tslbpel22h2.fsf@mit.edu>
To: Sam Hartman <hartmans@mit.edu>
Message-id: <9161B5BF-D935-432A-88B1-34568EBE1322@Sun.COM>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
How do I interpret "the only case" below? It sounds like KDC should only return a referral if the request is for a TGT.
3.3.3. Generation of KRB_TGS_REP Message
The response will include a ticket for the requested server or for a
ticket granting server of an intermediate KDC to be contacted to
obtain the requested ticket. The Kerberos database is queried to
retrieve the record for the appropriate server (including the key
with which the ticket will be encrypted). If the request is for a
TGT for a remote realm, and if no key is shared with the requested
realm, then the Kerberos server will select the realm 'closest' to
the requested realm with which it does share a key and use that realm
instead. This is the only case where the response for the KDC will
*************
be for a different server than that requested by the client.
Thanks
Max
On Mar 18, 2010, at 9:17 PM, Sam Hartman wrote:
> RFC 4120 has always allowed a KDC to return a referral to a different
> realm than the one requested by the client.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev