xrealm_non_transitive not trust_non_transitive
authorSam Hartman <hartmans@mit.edu>
Sat, 3 Jan 2009 23:20:31 +0000 (23:20 +0000)
committerSam Hartman <hartmans@mit.edu>
Sat, 3 Jan 2009 23:20:31 +0000 (23:20 +0000)
Kerberos does not imply trust in the existence of a cross-realm key.
Trust is implied when a foreign principal is placed on an ACL: the remote realm
is trusted to authenticate that principal and is trusted
not to confuse one principal with another.
Keep terminology consistent.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21693 dc483132-0cff-0310-8789-dd5450dbe970

src/include/kdb_ext.h
src/kdc/kdc_util.c

index d7f00fbcb326e12ce5e5a7aac4cbbc76bac39841..0a2cc9c019e19cc0e93b0197527b12b39147ebfe 100644 (file)
@@ -39,8 +39,8 @@
 #define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
 /* Private flag used to indicate principal is local TGS */
 #define KRB5_KDB_TICKET_GRANTING_SERVICE       0x01000000
-/* Private flag used to indicate trust is non-transitive */
-#define KRB5_KDB_TRUST_NON_TRANSITIVE          0x02000000
+/* Private flag used to indicate xrealm relationship  is non-transitive */
+#define KRB5_KDB_xrealm_NON_TRANSITIVE         0x02000000
 
 /* Entry get flags */
 /* Name canonicalization requested */
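Review bot: The new macro name `KRB5_KDB_xrealm_NON_TRANSITIVE` puts a lowercase word into a flag namespace that is otherwise all uppercase (`KRB5_KDB_NO_AUTH_DATA_REQUIRED`, `KRB5_KDB_TICKET_GRANTING_SERVICE` just above it), so it reads as a typo and will not be found by anyone searching or completing on `KRB5_KDB_X`. Suggest `#define KRB5_KDB_XREALM_NON_TRANSITIVE         0x02000000` here and the same spelling at the two `isflagset()` uses in the src/kdc/kdc_util.c hunk. The replacement comment also carries a doubled space; `/* Private flag used to indicate xrealm relationship is non-transitive */` is the intended text. The old name is dropped outright; since the comment marks the bit as private that is probably fine, but if any out-of-tree KDB code references `KRB5_KDB_TRUST_NON_TRANSITIVE` a one-line compatibility define of the old name to the new one would keep it building.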
index a3628cf91f2d56df05880636717b75a50dc53f49..0caf8a592889679c278591cf3280a610eafc199a 100644 (file)
@@ -2197,12 +2197,12 @@ validate_transit_path(krb5_context context,
                      krb5_db_entry *krbtgt)
 {
     /* Incoming */
-    if (isflagset(server->attributes, KRB5_KDB_TRUST_NON_TRANSITIVE)) {
+    if (isflagset(server->attributes, KRB5_KDB_xrealm_NON_TRANSITIVE)) {
        return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
     }
 
     /* Outgoing */
-    if (isflagset(krbtgt->attributes, KRB5_KDB_TRUST_NON_TRANSITIVE) &&
+    if (isflagset(krbtgt->attributes, KRB5_KDB_xrealm_NON_TRANSITIVE) &&
        (!krb5_principal_compare(context, server->princ, krbtgt->princ) ||
         !krb5_realm_compare(context, client, krbtgt->princ))) {
        return KRB5KDC_ERR_PATH_NOT_ACCEPTED;