From b72aef2c1cbcc76f7fba14ddc54a4e66e7a4e66c Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 28 Sep 2011 17:03:15 +0000
Subject: Eliminate domain-based client realm walk

For a very long time, KDCs have known how to perform a domain-based
realm walk when serving requests for TGTs.  (So if a KDC for A.B.C
receives a request for krbtgt/X.B.C and doesn't have that principal,
it can return one for krbtgt/B.C instead.)  Performing the same
heuristic on the client is unnecessary and inefficient in common
cases.

Add a new function k5_client_realm_path to walk_rtree.c which uses
capaths values only, and returns a list of realms (as desired by
get_creds.c) instead of TGT names.

ticket: 6966

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25241 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/k5-int.h | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src/include')

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 0bb4c164d0..1682a345b9 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2628,6 +2628,10 @@ krb5_error_code krb5_walk_realm_tree(krb5_context, const krb5_data *,
                                      const krb5_data *, krb5_principal **,
                                      int);
 
+krb5_error_code
+k5_client_realm_path(krb5_context context, const krb5_data *client,
+                     const krb5_data *server, krb5_data **rpath_out);
+
 krb5_error_code
 krb5_auth_con_set_safe_cksumtype(krb5_context, krb5_auth_context,
                                  krb5_cksumtype);
-- 
cgit