FQDN needed by sasl_gss_client_step or gss_import_name?
peter huang
huang_peter at hotmail.com
Fri May 17 14:48:02 EDT 2002
What kind of DNS server are you using? If it is win2k DNS, you should
be ok. If it is NT4 DNS, you're in trouble. Also tweak your
/etc/krb5.conf or krb5.ini on win32 and your resolv.conf file.
-peter huang
Dave Snoopy wrote:
> I don't know too much about this, but perhaps I should
> mention that when my ldap client gave its error, it
> hadn't yet done anything with the KDC/PDC besides
> requesting the supported SASL types (I did a network
> trace on all ports with my KDC/PDC). In other words,
> this was a totally internal Kerberos error, and not a
> problem with it finding a host on the network.
>
> Just wanted to make that clear. It doesn't impact your
> conversation, but could it mean that my problem may be
> of a different nature? My IT manager is not about to
> change his DNS entries for me. Does this mean that
> I'll have to edit the Kerberos code somehow to make it
> do what I need?
>
> Thanks,
> Dave
>
>
> --- Nicolas Williams <Nicolas.Williams at ubsw.com> wrote:
>
>>On Thu, May 16, 2002 at 08:19:14PM -0500, Jacques A. Vidrine wrote:
>>
>>>On Thu, May 16, 2002 at 09:04:00PM -0400, Lawrence Greenfield wrote:
>>>
>>>>Hopefully the Kerberos clarifications in the krb-wg will address this
>>>>issue and MIT will change their implementation..
>>>>
>>>Change it how?
>>>
>>At the interim KRB-WG meeting there was a discussion about this.
>>
>>Here's some possibilities, tell me which you prefer :)
>>
>> - don't canonicalize, expect the user to know the canonical name
>> - secure DNS (yeah...)
>> - don't canonicalize, spontaneously alias principals at the KDC
>>
>>That last one means that when I use a non-fully-qualified hostname or an
>>alias of a hostname as a or part of a service principal name, then the
>>KDC will issue the requested ticket IFF the KDC can determine that the
>>requested name is indeed an alias of some other SPN. The application too
>>must know its aliases or try its keys for all SPNs by which a client
>>references it.
>>
>>IIRC MS does just that.
>>
>>That is what I propose MIT, Heimdal et al. do.
>>
>>From a user's perspective it works just like before, only more securely,
>>though transparency depends on the KDC being able to determine which
>>host the client really means, or, rather, what that name would resolve
>>to from the client's point of view.
>>
>>Cheers,
>>
>>Nico
>>________________________________________________
>>Kerberos mailing list Kerberos at mit.edu
>>http://mailman.mit.edu/mailman/listinfo/kerberos
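The third option quoted above (the client does not canonicalize, the KDC resolves aliases, the service knows its own aliases), as an added Python model that is not part of the thread and is not MIT, Heimdal or Microsoft code. The realm, host names, key, the HMAC standing in for ticket encryption, and the choice to keep the requested name in the ticket are all constructed assumptions.

```python
import hashlib
import hmac

REALM = "EXAMPLE.COM"  # constructed realm; every name below is constructed


class ModelKDC:
    def __init__(self):
        self.keys = {}     # canonical SPN -> long-term service key
        self.aliases = {}  # alias SPN -> canonical SPN, kept in the KDC database

    def add_service(self, spn, key, aliases=()):
        self.keys[spn] = key
        for alias in aliases:
            self.aliases[alias] = spn

    def issue_ticket(self, requested_spn):
        """Issue a ticket iff the name is a principal or a registered alias."""
        canonical = self.aliases.get(requested_spn, requested_spn)
        key = self.keys.get(canonical)
        if key is None:
            return None  # unknown name: refuse, and never consult DNS
        # Assumption: the ticket keeps the name the client asked for and is
        # sealed with the canonical principal's key.
        tag = hmac.new(key, requested_spn.encode(), hashlib.sha256).digest()
        return {"sname": requested_spn, "tag": tag}


def service_accepts(ticket, own_spns, key):
    """Service side: accept only names it knows as its own, then check the key."""
    if ticket is None or ticket["sname"] not in own_spns:
        return False
    expected = hmac.new(key, ticket["sname"].encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["tag"])


def client_spn(service, host_as_typed):
    """Client side: the host name goes into the SPN exactly as typed."""
    return f"{service}/{host_as_typed}@{REALM}"


def demo():
    key = b"constructed-service-key"
    canonical = client_spn("ldap", "dc1.corp.example.com")
    short = client_spn("ldap", "dc1")
    kdc = ModelKDC()
    kdc.add_service(canonical, key, aliases=[short])
    own = {canonical, short}
    return (service_accepts(kdc.issue_ticket(short), own, key),
            service_accepts(kdc.issue_ticket(canonical), own, key),
            kdc.issue_ticket(client_spn("ldap", "dc2")) is None)
```

`demo()` returns a tuple of three booleans: the short name is accepted, the canonical name is accepted, and an unregistered name gets no ticket.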