Host Alias
yo timo
bacolod85 at yahoo.com
Thu Apr 3 09:26:38 EST 2003
Donn,
Thanks for the reply. I did some testing after I sent the message for help. I set nsswitch.conf to look at DNS first, added the "seach my.domain" statement to /etc/resolv.conf, used fullly qualified pricipals and told users to use the "host" part of the fully qualified names as an "alias." Works like a champ.
-bacolod
Donn Cave <donn at u.washington.edu> wrote:
| I have come across a usability issue where users of a network I plan
| to implement Kerberos on are currently accustomed to host aliases.
| i.e: typing 'ftp foo' instead of 'ftp foo.my.long.host.name.com.'
|
| Anyone have advice on how to get around using fully qualified hostnames
| for Kerberos host principals?
On the contrary, you certainly should use fully qualified hostnames
for Kerberos host principals. That also should work, that is, you
should be able to type 'ftp foo' and it should be automatically
expanded to the full domain name. If it isn't, the reason is likely
the short comes before the full name in /etc/hosts. The same is
true of "alias" names in the DNS CNAME sense, that they should just
work in current implementations (though perhaps not forever, if I
read the draft right.)
Donn Cave, donn at u.washington.edu
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
---------------------------------
Do you Yahoo!?
Yahoo! Tax Center - File online, calculators, forms, and moreeFrom bacolod85 at yahoo.com Thu Apr 3 09:36:54 2003
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by pch.mit.edu (8.12.8p1/8.12.8) with ESMTP id h33Earjc028988
for <kerberos at PCH.mit.edu>; Thu, 3 Apr 2003 09:36:54 -0500 (EST)
Received: from web13309.mail.yahoo.com (web13309.mail.yahoo.com
[216.136.175.192])h33Eao2P021053
for <kerberos at mit.edu>; Thu, 3 Apr 2003 09:36:50 -0500 (EST)
Message-ID: <20030403143637.78428.qmail at web13309.mail.yahoo.com>
Received: from [216.181.29.186] by web13309.mail.yahoo.com via HTTP;
Thu, 03 Apr 2003 06:36:37 PST
Date: Thu, 3 Apr 2003 06:36:37 -0800 (PST)
From: yo timo <bacolod85 at yahoo.com>
To: kerberos at mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Content-Filtered-By: Mailman/MimeDel 2.1
Subject: preauth
X-BeenThere: kerberos at mit.edu
X-Mailman-Version: 2.1
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Help: <mailto:kerberos-request at mit.edu?subject=help>
List-Post: <mailto:kerberos at mit.edu>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request at mit.edu?subject=subscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>
List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request at mit.edu?subject=unsubscribe>
X-List-Received-Date: Thu, 03 Apr 2003 14:36:54 -0000
If I set: 'default_principal_flags = +preauth' in kdc.conf thereby requireing preauth for all principals created thereafter will this interfere with host principals functionality in any way?
Thanks.
-bacolod
---------------------------------
Do you Yahoo!?
Yahoo! Tax Center - File online, calculators, forms, and moreeFrom hartmans at MIT.EDU Thu Apr 3 10:13:41 2003
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by pch.mit.edu (8.12.8p1/8.12.8) with ESMTP id h33FDfjc029091
for <kerberos at PCH.mit.edu>; Thu, 3 Apr 2003 10:13:41 -0500 (EST)
Received: from luminous.mit.edu (LUMINOUS.MIT.EDU [18.101.1.61])
h33FDe1h011544
for <kerberos at mit.edu>; Thu, 3 Apr 2003 10:13:40 -0500 (EST)
Received: by luminous.mit.edu (Postfix, from userid 1000)
id 3232476867; Thu, 3 Apr 2003 10:12:17 -0500 (EST)
To: yo timo <bacolod85 at yahoo.com>
References: <20030403143637.78428.qmail at web13309.mail.yahoo.com>
From: Sam Hartman <hartmans at MIT.EDU>
Date: Thu, 03 Apr 2003 10:12:16 -0500
In-Reply-To: <20030403143637.78428.qmail at web13309.mail.yahoo.com> (yo timo's
message of "Thu, 3 Apr 2003 06:36:37 -0800 (PST)")
Message-ID: <87el4jipin.fsf at luminous.mit.edu>
Lines: 15
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/21.1
(i386-debian-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: kerberos at mit.edu
Subject: Re: preauth
X-BeenThere: kerberos at mit.edu
X-Mailman-Version: 2.1
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Help: <mailto:kerberos-request at mit.edu?subject=help>
List-Post: <mailto:kerberos at mit.edu>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request at mit.edu?subject=subscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>
List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request at mit.edu?subject=unsubscribe>
X-List-Received-Date: Thu, 03 Apr 2003 15:13:41 -0000
>>>>> "yo" == yo timo <bacolod85 at yahoo.com> writes:
yo> If I set: 'default_principal_flags = +preauth' in kdc.conf
yo> thereby requireing preauth for all principals created
yo> thereafter will this interfere with host principals
yo> functionality in any way?
It should not under most circumstances.
It may create problems for existing client principals. The MIT code
has a dubious feature that preauth_required on a server principal
means that clients authenticating to that principal must be
preauthenticated. This may prevent previously existing client
principals from easily connecting to new services.
More information about the Kerberos
mailing list