diff options
author | Sam Hartman <hartmans@mit.edu> | 2010-08-25 23:31:59 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2010-08-25 23:31:59 +0000 |
commit | f652cf774b3b908f751190735dca78f0c674a281 (patch) | |
tree | 64ca3209f7789a2b954aee2a31a9c09f69df051d /src/lib/krb5/krb | |
parent | 99be0e73e3addded4ee2c0bfeaba2e19ad178fac (diff) | |
download | krb5-f652cf774b3b908f751190735dca78f0c674a281.tar.gz krb5-f652cf774b3b908f751190735dca78f0c674a281.tar.xz krb5-f652cf774b3b908f751190735dca78f0c674a281.zip |
rd_req_decoded: clarify behavior in comment
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24257 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb')
-rw-r--r-- | src/lib/krb5/krb/rd_req_dec.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 014002981b..9bc7c42f90 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -44,7 +44,14 @@ * * server specifies the expected server's name for the ticket; if NULL, then * any server will be accepted if the key can be found, and the caller should - * verify that the principal is something it trusts. + * verify that the principal is something it trusts. With the exception of the + * kdb keytab, the ticket's server field need not match the name passed in for + * server. All that is required is that the ticket be encrypted with a key + * from the keytab associated with the specified server principal. This + * permits the KDC to have a set of aliases for the server without keeping + * this information consistent with the server. So, when server is non-null, + * the principal expected by the application needs to be consistent with the + * local keytab, but not with the informational name in the ticket. * * rcache specifies a replay detection cache used to store authenticators and * server names |