[16580] in Kerberos_V5_Development
question about krb5_verify_init_creds() and verify_ap_req_nofail
daemon@ATHENA.MIT.EDU (Will Fiveash)
Mon Jan 10 18:32:03 2011
Date: Mon, 10 Jan 2011 17:31:20 -0600
From: Will Fiveash <will.fiveash@oracle.com>
To: MIT Kerberos Dev List <krbdev@mit.edu>
Message-ID: <20110110233120.GA2537@sun.com>
Mail-Followup-To: MIT Kerberos Dev List <krbdev@MIT.EDU>
I was looking at krb5_verify_init_creds() in
src/lib/krb5/krb/vfy_increds.c and comparing it to the Solaris variant,
<http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/vfy_increds.c#67>,
and I'm confused with regard to the handling of the
KRB5_CONF_VERIFY_AP_REQ_NOFAIL ("verify_ap_req_nofail") option. What
confuses me is that the MIT code (and Solaris to a lesser degree) does a
number of things that could cause krb5_verify_init_creds() to return an
error before checking the setting of KRB5_CONF_VERIFY_AP_REQ_NOFAIL, and
I'm wondering if this is correct. Basically, shouldn't
verify_ap_req_nofail be checked first and, if it is false, just return 0?
--
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>