On 01/08/2016 06:59 PM, Rick van Rein wrote:
> kdc_principal_seq mentions name_type==1, or NT-PRINCIPAL. Should
> this not be NT-SRV-INST [Section 6.2 of RFC4120] or does PKINIT not
> care in practice? (The spec does not, but how about implementations?)

I don't think any implementations care; ours certainly does not. But I
agree that a name_type of 2 would be more appropriate.

> principals contains a single GeneralString holding ${ENV::CLIENT} —
> AFAIK this is hardcoded to only cover rick@ but not rick/admin@ right?

Yes; the config section has to be modified to handle a two-component
principal name.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
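
The two changes discussed in this message, sketched as an OpenSSL extensions fragment. This is an added example, not part of the original message or of any project's shipped files. The section names kdc_princ_name, kdc_principals, princ_name and principal_seq, the REALM variable, and the CLIENT_INSTANCE variable are assumptions; only kdc_principal_seq, principals and ${ENV::CLIENT} appear in the thread.

```ini
# Constructed fragment of an OpenSSL extensions file for PKINIT certificates.
# Every ${ENV::...} variable must be set in the environment when openssl
# reads this file, otherwise parsing fails.

# --- KDC certificate: principal krbtgt/REALM@REALM ---
[kdc_princ_name]
realm          = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
# 2 = NT-SRV-INST (RFC 4120, Section 6.2), replacing 1 = NT-PRINCIPAL
name_type   = EXP:0, INTEGER:2
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

# --- Client certificate: two-component principal such as rick/admin@REALM ---
[princ_name]
realm          = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
# 1 = NT-PRINCIPAL is still the usual type for a user principal
name_type   = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
# First component, e.g. "rick"
princ1 = GeneralString:${ENV::CLIENT}
# Second component, e.g. "admin" (CLIENT_INSTANCE is a hypothetical variable)
princ2 = GeneralString:${ENV::CLIENT_INSTANCE}
```

Because the [principals] section now always emits two name components, a one-component principal such as rick@ needs its own copy of the section with only princ1.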