Date: Mon, 23 Nov 2015 11:04:13 -0500 (EST)
From: Steve Moyer
To: Apache Directory Developers List
Message-ID: <1510465953.811037.1448294653684.JavaMail.zimbra@psu.edu>
Subject: Re: [jira] [Updated] (DIRKRB-464) Correcting the principal name type for the TGS principal

Actually, that value shouldn't be hard-coded because there are cases where it needs to have a different value.
Take a look at the MIT kinit packet (with a -S argument) that I captured and attached to DIRKRB-440. The MIT kinit program with a -S option actually retrieves a TGT with an associated server principal. This is different from what happens when a TGS is granted using a TGT.

This is one of those cases we discussed in the thread with Emmanuel - the KrbOption layer makes it tougher to handle both cases. It would be possible to add a KrbOption that specifies which NameType should be used with each request, but that means the code will need to differentiate between the values. And I'm not sure what sane default would be since it's normally a NameType(1) with a TGT request and a NameType(2) with a TGS request (from my experience). I guess maybe if a S-Principal is specified, require that the S-Principal-NameType also be provided?

In the long run it might be easier to give the client a couple methods like:

1) retrieveTgt(AsRequest)
2) retrieveTgs(AsRequest)

and let the client user's code build the appropriate AsRequest.

Hope this helps!

Steve

--
“The mark of the immature man is that he wants to die nobly for a cause, while the mark of the mature man is that he wants to live humbly for one.” - Wilhelm Stekel

----- Original Message -----
From: "Kai Zheng (JIRA)"
To: dev@directory.apache.org
Sent: Friday, November 20, 2015 7:21:11 PM
Subject: [jira] [Updated] (DIRKRB-464) Correcting the principal name type for the TGS principal

     [ https://issues.apache.org/jira/browse/DIRKRB-464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kai Zheng updated DIRKRB-464:
-----------------------------
    Description: The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1). The issue may not affect MIT Kerberos, but Windows Server 2008 R2 because the latter insists on that.
  (was: The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1).)

> Correcting the principal name type for the TGS principal
> --------------------------------------------------------
>
>                 Key: DIRKRB-464
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-464
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>
> The correct name type should be KRB5_NT_SRV_INST (2), instead of kRB5-NT-PRINCIPAL (1). The issue may not affect MIT Kerberos, but Windows Server 2008 R2 because the latter insists on that.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
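
The name type discussed in this thread is the first field of the RFC 4120 PrincipalName structure, so the two variants of the TGS principal differ by a single byte on the wire. The Python below is an added example, not part of the original message or of the Apache Directory Kerberos code; the function names and the EXAMPLE.COM realm are constructed for illustration, and it handles only PrincipalName, not a full KDC request.

```python
# PrincipalName ::= SEQUENCE { name-type   [0] Int32,
#                              name-string [1] SEQUENCE OF KerberosString }  (RFC 4120)
NT_PRINCIPAL, NT_SRV_INST = 1, 2  # the two name-type values discussed in the thread

def _tlv(tag, body):
    """Build one DER TLV; long-form length when the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_principal_name(name_type, components):
    # Assumes a non-negative name-type; the extra byte keeps the sign bit clear.
    int_body = name_type.to_bytes(name_type.bit_length() // 8 + 1, "big")
    strings = b"".join(_tlv(0x1B, c.encode("ascii")) for c in components)  # GeneralString
    return _tlv(0x30, _tlv(0xA0, _tlv(0x02, int_body)) + _tlv(0xA1, _tlv(0x30, strings)))

def _read(buf, pos, want_tag):
    """Read one TLV at pos, check its tag, return (body, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x} at offset {pos}")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos:pos + n], pos + n

def decode_principal_name(der):
    """Return (name_type, [components]) from a DER-encoded PrincipalName."""
    seq, _ = _read(der, 0, 0x30)
    nt_wrapped, pos = _read(seq, 0, 0xA0)
    ns_wrapped, _ = _read(seq, pos, 0xA1)
    name_type = int.from_bytes(_read(nt_wrapped, 0, 0x02)[0], "big", signed=True)
    items, pos, out = _read(ns_wrapped, 0, 0x30)[0], 0, []
    while pos < len(items):
        s, pos = _read(items, pos, 0x1B)
        out.append(s.decode("ascii"))
    return name_type, out

# Constructed sample: the TGS principal of a made-up realm, encoded with each name type.
SNAME_NT_PRINCIPAL = encode_principal_name(NT_PRINCIPAL, ["krbtgt", "EXAMPLE.COM"])
SNAME_NT_SRV_INST = encode_principal_name(NT_SRV_INST, ["krbtgt", "EXAMPLE.COM"])
```

Running `decode_principal_name` over the sname bytes taken from a captured request shows which name type a client actually sent.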