From f652cf774b3b908f751190735dca78f0c674a281 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Wed, 25 Aug 2010 23:31:59 +0000 Subject: [PATCH] rd_req_decoded: clarify behavior in comment git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24257 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/rd_req_dec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 014002981..9bc7c42f9 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -44,7 +44,14 @@ * * server specifies the expected server's name for the ticket; if NULL, then * any server will be accepted if the key can be found, and the caller should - * verify that the principal is something it trusts. + * verify that the principal is something it trusts. With the exception of the + * kdb keytab, the ticket's server field need not match the name passed in for + * server. All that is required is that the ticket be encrypted with a key + * from the keytab associated with the specified server principal. This + * permits the KDC to have a set of aliases for the server without keeping + * this information consistent with the server. So, when server is non-null, + * the principal expected by the application needs to be consistent with the + * local keytab, but not with the informational name in the ticket. * * rcache specifies a replay detection cache used to store authenticators and * server names -- 2.26.2
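Review bot: The added text says the ticket's server field is only "informational" when `server` is non-null, but it stops short of telling callers what that means for them; add a sentence stating that applications must not use the server name in the ticket for authorization and should treat the keytab-derived principal as authoritative, since, as the comment itself describes, any alias the KDC maps to a key in that keytab will be accepted. The "kdb keytab" exception is asserted without saying how its matching differs, so a reader cannot tell whether the name check is stricter there or merely implemented elsewhere; a short clause (or a pointer to where the kdb keytab does its lookup) would close that gap. Minor: "non-null" in the new text versus "NULL" two lines above is inconsistent within the same comment.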