On Tue, Oct 09, 2012 at 12:41:43PM +0200, Ondrej Kos wrote:
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index f4fd1cb73941e23d8e39d234bf8fd2ae8ae54554..4d5062ba450203ba6c8722e8b178d7a3a7f5a70b
100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -231,7 +231,14 @@
<term>krb5_validate (boolean)</term>
<listitem>
<para>
Some parts of the paragraph don't sound like proper English to me. Can
you check them with some native English speaker before I push them? In
particular:
- Verify with the help of krb5_keytab that
the TGT obtained has not been spoofed.
+ Verify with the help of krb5_keytab that the TGT
+ obtained has not been spoofed. The keytab is checked for
+ entries from top to bottom, and the first entry with
matching
What about "checked for entries sequentially"?
+ realm is used for validation. If
there's no entry with
+ corresponding realm found in the keytab, the last one is
used.
"If no entry matches, the last one is used"?
+ This can be utilized to achieve
validation in enviroments
+ with cross-realm trust by placing appropriate keytab entry
+ as the last one or the only one.
</para>
<para>
Default: false
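Review bot: "enviroments" in the added sentence about cross-realm trust is misspelled and should read "environments"; the same sentence also needs an article, "placing an appropriate keytab entry". Because the new text makes validation depend on entry order (first entry with a matching realm, otherwise the last one), it would help to say explicitly that "top to bottom" means the order in which entries are stored in the keytab named by krb5_keytab, so an administrator knows which entry ends up being the fallback.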