In Kerberos, the existence of a cross-realm key does not by itself imply trust.
Trust is implied when a foreign principal is placed on an ACL: the remote realm
is trusted to authenticate that principal and is trusted
not to confuse one principal with another.
Keep terminology consistent.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21693
dc483132-0cff-0310-8789-
dd5450dbe970
#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
/* Private flag used to indicate principal is local TGS */
#define KRB5_KDB_TICKET_GRANTING_SERVICE 0x01000000
-/* Private flag used to indicate trust is non-transitive */
-#define KRB5_KDB_TRUST_NON_TRANSITIVE 0x02000000
+/* Private flag used to indicate xrealm relationship is non-transitive */
+#define KRB5_KDB_xrealm_NON_TRANSITIVE 0x02000000
/* Entry get flags */
/* Name canonicalization requested */
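Review bot: The renamed macro `KRB5_KDB_xrealm_NON_TRANSITIVE` puts a lower-case `xrealm` inside an otherwise upper-case constant, unlike its neighbours `KRB5_KDB_NO_AUTH_DATA_REQUIRED` and `KRB5_KDB_TICKET_GRANTING_SERVICE`, which looks like a mechanical trust-to-xrealm substitution. I would spell it `#define KRB5_KDB_XREALM_NON_TRANSITIVE 0x02000000` and use the same spelling in the two `isflagset(...)` checks in the following hunk. Because those checks are what return `KRB5KDC_ERR_PATH_NOT_ACCEPTED`, the comment could state the effect rather than only the terminology, e.g. `/* Private flag: cross-realm relationship is non-transitive; the KDC refuses transit through it */`. The flag is marked private, but anything outside this tree that still uses `KRB5_KDB_TRUST_NON_TRANSITIVE` would stop compiling after the rename.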
krb5_db_entry *krbtgt)
{
/* Incoming */
- if (isflagset(server->attributes, KRB5_KDB_TRUST_NON_TRANSITIVE)) {
+ if (isflagset(server->attributes, KRB5_KDB_xrealm_NON_TRANSITIVE)) {
return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
}
/* Outgoing */
- if (isflagset(krbtgt->attributes, KRB5_KDB_TRUST_NON_TRANSITIVE) &&
+ if (isflagset(krbtgt->attributes, KRB5_KDB_xrealm_NON_TRANSITIVE) &&
(!krb5_principal_compare(context, server->princ, krbtgt->princ) ||
!krb5_realm_compare(context, client, krbtgt->princ))) {
return KRB5KDC_ERR_PATH_NOT_ACCEPTED;