On 03/07/2014 05:17 PM, Edgecombe, Jason wrote:
> I don't see how anyone can object to rejecting requests for expired or
> deleted principals.

I don't think anyone has. In the past I have mentioned performance as a possible issue, but it turns out we have been looking up the client entry for most TGS requests since 1.7, so that's not a concern.

The change may not be a trivial one to make safely, because there are so many edge cases in modern TGS request processing. Be aware that:

* We cannot generally do these checks for cross-realm TGS requests.
* The KDC cannot revoke already-issued service tickets.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos