directory-dev mailing list archives

From Steve Moyer <smo...@psu.edu>
Subject Re: [jira] [Updated] (DIRKRB-464) Correcting the principal name type for the TGS principal
Date Mon, 23 Nov 2015 16:04:13 GMT
Actually, that value shouldn't be hard-coded because there are cases where it needs to have
a different value. Take a look at the MIT kinit packet (with a -S argument) that I captured
and attached to DIRKRB-440.  The MIT kinit program with a -S option actually retrieves a TGT
with an associated server principal.  This is different from what happens when a TGS is granted
using a TGT.

This is one of those cases we discussed in the thread with Emmanuel - the KrbOption layer
makes it tougher to handle both cases.  It would be possible to add a KrbOption that specifies
which NameType should be used with each request, but that means the code will need to differentiate
between the values.  And I'm not sure what a sane default would be since it's normally a NameType(1)
with a TGT request and a NameType(2) with a TGS request (from my experience).  I guess maybe
if a S-Principal is specified, require that the S-Principal-NameType also be provided?

In the long run it might be easier to give the client a couple methods like:

1)  retrieveTgt(AsRequest)
2)  retrieveTgs(AsRequest)

and let the client user's code build the appropriate AsRequest.

Hope this helps!

Steve

--

“The mark of the immature man is that he wants to die nobly for a cause, while the mark
of the mature man is that he wants to live humbly for one.” - Wilhelm Stekel

----- Original Message -----
From: "Kai Zheng (JIRA)" <jira@apache.org>
To: dev@directory.apache.org
Sent: Friday, November 20, 2015 7:21:11 PM
Subject: [jira] [Updated] (DIRKRB-464) Correcting the principal name type for the TGS principal

[ https://issues.apache.org/jira/browse/DIRKRB-464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kai Zheng updated DIRKRB-464:
-----------------------------
    Description: The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL
(1). The issue may not affect MIT Kerberos, but Windows Server 2008 R2 because the latter insists
on that.  (was: The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL
(1).)

> Correcting the principal name type for the TGS principal
> --------------------------------------------------------
>
>                 Key: DIRKRB-464
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-464
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>
> The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1).
> The issue may not affect MIT Kerberos, but Windows Server 2008 R2 because the latter insists
> on that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
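
The name-type field this thread is about, shown on the wire: an added example, not part of the original message or of the Kerby code base. It DER-encodes and decodes an RFC 4120 PrincipalName so the name type a client sends can be read back from the bytes. `build_sname` is a hypothetical helper that applies the rule suggested above (a caller-supplied server principal must come with its name type) and uses the DIRKRB-464 value for the default TGS principal; the realm in any call is a constructed sample.

```python
# Added example, not Kerby code: RFC 4120 PrincipalName in DER.
KRB5_NT_PRINCIPAL, KRB5_NT_SRV_INST = 1, 2  # the two name types in this thread

def _tlv(tag, body):  # DER tag-length-value, short or long length form
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def encode_principal(name_type, components):
    """SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF GeneralString }"""
    if not 0 <= name_type < 0x80:
        raise ValueError("this sketch encodes one-byte name types only")
    strings = b"".join(_tlv(0x1B, c.encode("ascii")) for c in components)
    return _tlv(0x30, _tlv(0xA0, _tlv(0x02, bytes([name_type])))
                + _tlv(0xA1, _tlv(0x30, strings)))

def _read(buf, pos, tag):
    """Return (body, next_pos) for the TLV at pos, checking tag and bounds."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated element")
    return buf[pos:pos + n], pos + n

def decode_principal(der):
    """Return (name_type, [components]) as read from the wire bytes."""
    seq, _ = _read(der, 0, 0x30)
    nt, pos = _read(seq, 0, 0xA0)
    name_type = int.from_bytes(_read(nt, 0, 0x02)[0], "big", signed=True)
    names, _ = _read(_read(seq, pos, 0xA1)[0], 0, 0x30)
    parts, p = [], 0
    while p < len(names):
        s, p = _read(names, p, 0x1B)
        parts.append(s.decode("ascii"))
    return name_type, parts

def build_sname(realm, server_principal=None, name_type=None):
    """Hypothetical option check: a server principal must carry its name type."""
    if server_principal is None:
        # Default TGS principal, typed as the DIRKRB-464 description states.
        return encode_principal(KRB5_NT_SRV_INST, ["krbtgt", realm])
    if name_type is None:
        raise ValueError("server principal given without a name type")
    return encode_principal(name_type, server_principal.split("/"))
```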
