From: Sam Hartman
Date: Sat, 3 Jan 2009 23:20:31 +0000 (+0000)
Subject: xrealm_non_transitive not trust_non_transitive
X-Git-Tag: krb5-1.7-alpha1~115
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=5bfe3caf46dcc046b66066421ee0a9e9fbc076e3;p=krb5.git
xrealm_non_transitive not trust_non_transitive
Kerberos does not imply trust in the existence of a cross-realm key. Trust is implied when a foreign principal is placed on an ACL: the remote realm is trusted to authenticate that principal and is trusted not to confuse one principal with another. Keep terminology consistent.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21693 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/include/kdb_ext.h b/src/include/kdb_ext.h
index d7f00fbcb..0a2cc9c01 100644
--- a/src/include/kdb_ext.h
+++ b/src/include/kdb_ext.h
@@ -39,8 +39,8 @@
 #define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
 /* Private flag used to indicate principal is local TGS */
 #define KRB5_KDB_TICKET_GRANTING_SERVICE 0x01000000
-/* Private flag used to indicate trust is non-transitive */
-#define KRB5_KDB_TRUST_NON_TRANSITIVE 0x02000000
+/* Private flag used to indicate xrealm relationship is non-transitive */
+#define KRB5_KDB_xrealm_NON_TRANSITIVE 0x02000000
 /* Entry get flags */
 /* Name canonicalization requested */
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index a3628cf91..0caf8a592 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
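Review bot: The new macro in src/include/kdb_ext.h is spelled `KRB5_KDB_xrealm_NON_TRANSITIVE`, with a lower-case `xrealm` inside an otherwise upper-case name. The other flags visible in this hunk (`KRB5_KDB_NO_AUTH_DATA_REQUIRED`, `KRB5_KDB_TICKET_GRANTING_SERVICE`) are fully upper-case, so this looks like a case-sensitive search-and-replace artefact. I would define it as `#define KRB5_KDB_XREALM_NON_TRANSITIVE 0x02000000` and use that spelling in both tests in validate_transit_path in src/kdc/kdc_util.c. The bit value is unchanged, so attribute words already stored in the database still match. Only code that names the old macro is affected, and whether any KDB back end outside this diff does so is not visible here.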
@@ -2197,12 +2197,12 @@ validate_transit_path(krb5_context context,
 krb5_db_entry *krbtgt)
 {
 /* Incoming */
- if (isflagset(server->attributes, KRB5_KDB_TRUST_NON_TRANSITIVE)) {
+ if (isflagset(server->attributes, KRB5_KDB_xrealm_NON_TRANSITIVE)) {
 return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
 }
 /* Outgoing */
- if (isflagset(krbtgt->attributes, KRB5_KDB_TRUST_NON_TRANSITIVE) &&
+ if (isflagset(krbtgt->attributes, KRB5_KDB_xrealm_NON_TRANSITIVE) &&
 (!krb5_principal_compare(context, server->princ, krbtgt->princ) ||
 !krb5_realm_compare(context, client, krbtgt->princ))) {
 return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
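Review bot: The `/* Incoming */` and `/* Outgoing */` comments in validate_transit_path do not say what policy each branch enforces, and with the word "trust" gone from the flag name the reader has less to go on. I would expand them in the commit's own terminology, for example `/* Incoming: a server entry flagged non-transitive rejects the path outright */` and `/* Outgoing: a flagged krbtgt is accepted only when the server is that same krbtgt and the client is in the krbtgt principal's realm */`. Both wordings follow from the two conditions visible here. The function's parameter list appears to start before the hunk (`client` and `server` are used but not declared in it) and its body continues past the last line, so the surrounding context should be checked before committing the comments.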