ldap principal aliases
Greg Hudson
ghudson at MIT.EDU
Fri Aug 28 13:08:47 EDT 2009
On Thu, 2009-08-27 at 19:46 -0400, Chris wrote:
> This is how I am trying to use this, and it doesn't seem to be working. I
> can use the same queries I see going to the LDAP server manually as the
> KDC user, and they return the correct record, but the KDC always says it
> cannot find the service principal if I use an alias. I see a spot in
> the code that will set the principal name if it sees both
> krbcanonicalname and the KRB5_KDB_FLAG_CANONICALIZE flag. From what I
> think I read in the docs, this is supposed to be on for service
> principals by default.
How are you doing your test queries? (For instance, if you're using
command line tools, what commands are you using?) In general, the
expected behavior as I understand it is:
kinit realname --> tgt
kinit aliasname --> not-found error
kinit -C aliasname --> tgt for realname
kinit user; kvno realname --> service ticket for realname
kinit user; kvno aliasname --> service ticket for realname (presented
as ticket for aliasname because we can't change the service name in a
TGS response)
But there's always the possibility of bugs.
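The lookup rules listed above, modelled in code. This is an added example, not MIT Kerberos code and not part of the original thread: a tiny in-memory principal database in which each entry has one canonical name plus aliases (standing in for the krbCanonicalName / krbPrincipalName relationship in the LDAP back end), a FLAG_CANONICALIZE constant standing in for KRB5_KDB_FLAG_CANONICALIZE, and two request functions that reproduce the five outcomes in the list (AS request with and without canonicalization, TGS request for a real or alias service name). All principal names are constructed sample values.

```python
"""Model of KDC principal-alias resolution as described in the post.

Constructed example, not MIT Kerberos code: one flag constant, one
in-memory database, and an AS/TGS request function each.
"""
from dataclasses import dataclass

# Stand-in for KRB5_KDB_FLAG_CANONICALIZE (value is illustrative only).
FLAG_CANONICALIZE = 0x1


class PrincipalNotFound(Exception):
    """Raised where the KDC would answer with a not-found error."""


@dataclass(frozen=True)
class Entry:
    canonical: str          # the real principal name (krbCanonicalName)
    aliases: tuple = ()     # alias names that resolve to this entry


class PrincipalDB:
    """Index every canonical name and alias to its entry."""

    def __init__(self, entries):
        self.by_name = {}
        for entry in entries:
            self.by_name[entry.canonical] = entry
            for alias in entry.aliases:
                self.by_name[alias] = entry

    def lookup(self, name, flags=0):
        entry = self.by_name.get(name)
        if entry is None:
            raise PrincipalNotFound(name)
        # An alias is only honoured when the caller asked to canonicalize;
        # otherwise the KDC behaves as if the name did not exist.
        if name != entry.canonical and not flags & FLAG_CANONICALIZE:
            raise PrincipalNotFound(name)
        return entry


def as_request(db, client, canonicalize=False):
    """kinit [-C] client: returns the TGT's client name or raises."""
    flags = FLAG_CANONICALIZE if canonicalize else 0
    entry = db.lookup(client, flags)
    return {"ticket": "TGT", "cname": entry.canonical}


def tgs_request(db, server):
    """kvno server: service principals are always canonicalized, but the
    ticket is still presented under the name the client asked for, because
    the KDC cannot change the service name in a TGS response."""
    entry = db.lookup(server, FLAG_CANONICALIZE)
    return {"ticket": "service", "sname": server, "key_owner": entry.canonical}


# Constructed sample database (hypothetical realm and hosts).
SAMPLE_DB = PrincipalDB([
    Entry("alice@EXAMPLE.COM", aliases=("alias@EXAMPLE.COM",)),
    Entry("host/real.example.com@EXAMPLE.COM",
          aliases=("host/alias.example.com@EXAMPLE.COM",)),
])


def expected_behaviour(db=SAMPLE_DB):
    """Walk the five cases from the post and report each outcome."""
    results = {}
    results["kinit realname"] = as_request(db, "alice@EXAMPLE.COM")["cname"]
    try:
        as_request(db, "alias@EXAMPLE.COM")
        results["kinit aliasname"] = "tgt"
    except PrincipalNotFound:
        results["kinit aliasname"] = "not-found"
    results["kinit -C aliasname"] = as_request(
        db, "alias@EXAMPLE.COM", canonicalize=True)["cname"]
    results["kvno realname"] = tgs_request(
        db, "host/real.example.com@EXAMPLE.COM")
    results["kvno aliasname"] = tgs_request(
        db, "host/alias.example.com@EXAMPLE.COM")
    return results


if __name__ == "__main__":
    for case, outcome in expected_behaviour().items():
        print(f"{case:20} --> {outcome}")
```

The point worth keeping in mind from the last case: the service ticket for the alias is encrypted under the canonical principal's key, so a service that validates tickets by the name embedded in them will see the alias, while the key that decrypts them belongs to the real entry.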