[15616] in Kerberos_V5_Development
Re: Is this TGS-REP legal now?
daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Mar 18 11:31:27 2010
To: Sam Hartman <hartmans@mit.edu>
From: Tom Yu <tlyu@mit.edu>
Date: Thu, 18 Mar 2010 11:31:07 -0400
In-Reply-To: <tsly6hpznn3.fsf@mit.edu> (Sam Hartman's message of "Thu,
18 Mar 2010 10:54:08 -0400")
Message-ID: <ldvtysdd4uc.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Sam Hartman <hartmans@MIT.EDU> writes:
>>>>>> "Weijun" == Weijun Wang <Weijun.Wang@sun.com> writes:
>
> Weijun> How do I interpret "the only case" below? It sounds like KDC
> Weijun> should only return a referral if the request is for a TGT.
>
> That's correct: RFC 4120 only permits referrals for TGTs.
>
> Modern Kerberos uses the canonicalize flag to permit referrals in other
> situations.
The request was asking for a non-TGS service and getting a TGT in
reply, without having set the canonicalize flag, at least if I read it
correctly.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev