[EMAIL PROTECTED] (Steve Langasek) writes:
>> It would be nice to not have to configure an explicit capath, of course.
>>
>> Still, I gather from your comments that after configuring the shared keys
>> this should Just Work. Since it did not, I'm led to the same conclusion
>> that there's a bug at play here.
I think Doug may have misled you here, because this should require
configuration. Consider this case:
CUSTOMER.ISP.NET -> ISP.NET -> BANK.NET
[EMAIL PROTECTED] wants to authenticate to [EMAIL PROTECTED]
If BANK.NET permitted this to "Just Work", then the ISP could claim to
be me without my consent, because the ISP.NET kdc can issue a
[EMAIL PROTECTED] in my name. But you don't want this, because
there may not be a real trust relationship there. So, transitive
trust relationships need to be configured. IMHO, the default capath
through the root is also a bad idea, but since there has never been a
gTLD kerberos realm that I am aware of, and there is unlikely to be
one, it's a moot point in practice.
>> After thinking about it a bit, it seems I may just create cross-realm keys
>> for FOO.TWO.NET<->ONE.NET, as this maps better onto the real-world trust
>> relationships.
Then that is what you should do.
Marc
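The two configurations discussed in this thread, written out as an added krb5.conf [capaths] fragment (this is illustrative, not from the thread or from either author; it assumes MIT-style krb5.conf syntax and the realm names used above):

```ini
# Added example, not part of the original thread.
# Case 1: explicit transitive trust. BANK.NET agrees to accept principals
# from CUSTOMER.ISP.NET whose tickets transited ISP.NET. Without this
# stanza the KDC rejects the path, which is the "does not Just Work"
# behaviour Marc says is intended: ISP.NET could otherwise mint a
# CUSTOMER.ISP.NET principal and be believed by BANK.NET.
# The same mapping must appear in the client's krb5.conf so the client
# knows which intermediate realm to ask for a cross-realm TGT from.
[capaths]
    CUSTOMER.ISP.NET = {
        BANK.NET = ISP.NET
    }
    BANK.NET = {
        CUSTOMER.ISP.NET = ISP.NET
    }

# Case 2: direct cross-realm keys between FOO.TWO.NET and ONE.NET, with no
# intermediate realm in the path. The "." means "directly, no hops", so
# no third realm's KDC is ever in a position to vouch for these principals.
    FOO.TWO.NET = {
        ONE.NET = .
    }
    ONE.NET = {
        FOO.TWO.NET = .
    }
```

With the case 2 configuration the cross-realm principals krbtgt/ONE.NET@FOO.TWO.NET and krbtgt/FOO.TWO.NET@ONE.NET must exist in both KDCs with a shared key; the capaths entries only tell the libraries and KDCs which path is permitted.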