fae8df3839
* Anonymous pkinit responses from the KDC where the name type is not well-known (as issued by 7.5 KDCs and earlier) are accepted by the client. There is no need for the client to strictly enforce the name type. * With historical_anon_pkinit = true, the kinit(1) client's "--anonymous" option only performs anon pkinit, and does not require an '@' prefix for the realm argument. * With historical_anon_realm = true, the KDC issues anon pkinit tickets with the legacy pre-7.0 "real" realm.
58 KiB
58 KiB