From 2bbc0fced5423a0dbfdf5a1b55380196676d05ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Fri, 30 Jan 2004 10:17:58 +0000
Subject: [PATCH] some text about order of [capaths] realms

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13299 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 doc/setup.texi | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/doc/setup.texi b/doc/setup.texi
index b17461f3f..4e9b2522f 100644
--- a/doc/setup.texi
+++ b/doc/setup.texi
@@ -619,6 +619,15 @@ realm with @code{SU.SE} they need to use both @code{SU.SE} and
 @end cartouche
 @end example
 
+The order of the @code{PERMITTED-CROSS-REALMS} is not important when
+doing transit cross realm verification.
+
+But the order is important when the @code{[capaths]} section is used
+to figure out the intermediate realm to go to when doing multi realm
+transit. When figuring out the next realm, the first realm of the list
+of @code{PERMITTED-CROSS-REALMS} is chosen. This is done in both the
+client kerberos library and the KDC.
+
 @c To test the cross realm configuration, use:
 @c    kmumble transit-check client server transit-realms ...