ldap principal aliases

Greg Hudson ghudson at MIT.EDU
Fri Aug 28 13:08:47 EDT 2009


On Thu, 2009-08-27 at 19:46 -0400, Chris wrote:
> This is how I am trying to use this, and it doesn't seem to be working.  I
> can use the same queries I see going to the LDAP server manually as the
> KDC user, and they return the correct record, but the KDC always says it
> cannot find the service principal if I use an alias.  I see a spot in
> the code that will set the principal name if it sees both
> krbcanonicalname and the KRB5_KDB_FLAG_CANONICALIZE flag.  From what I
> think I read in the docs, this is supposed to be on for service
> principals by default.

How are you doing your test queries?  (For instance, if you're using
command line tools, what commands are you using?)  In general, the
expected behavior as I understand it is:

  kinit realname --> tgt
  kinit aliasname --> not-found error
  kinit -C aliasname --> tgt for realname
  kinit user; kvno realname --> service ticket for realname
  kinit user; kvno aliasname --> service ticket for realname (presented
as ticket for aliasname because we can't change the service name in a
TGS response)

But there's always the possibility of bugs.




