ldap principal aliases
Chris
lists at deksai.com
Sat Aug 29 11:01:19 EDT 2009
Sorry, I just noticed that the list was dropped from the cc in last few replies.
On Fri, Aug 28, 2009 at 09:27:44PM -0400, Greg Hudson wrote:
> On Fri, 2009-08-28 at 16:04 -0400, Chris wrote:
> > [root at wopr ~]# kvno host/sf9ca98.domain.com
> > host/sf9ca98.domain.com at DOMAIN.COM: kvno = 7
> > [root at wopr ~]# kvno host/ns4.domain.com
> > host/ns4.domain.com at DOMAIN.COM: Server not found in Kerberos
> > database while getting credentials
>
> I just tried a simple test like this myself and it worked for me.
>
> However, I noted that success in the latter case depends on the client
> setting KDC_OPT_CANONICALIZE in the TGS request. The client sets this
> bit in krb5 1.6 and krb5 1.7, but not in krb5 1.5 and prior. So if
> you're trying to get aliases to work for older versions of the client
> library, that's going to be an issue.
>
>
Yep, sure enough. The version on wopr is pretty old.
Are there any known scenarios where forcing canonicalization on the KDC
would be bad? I was thinking about just removing the check for that
flag from our KDCs, since there are quite a few servers that have the
old libraries.
Chris
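As an added example (not code from the thread or from MIT krb5), the following Python models the exchange discussed above: the KDC only resolves a principal alias when the TGS-REQ carries the canonicalize bit (bit 15 of the 32-bit KDCOptions field, 0x00010000, the value MIT krb5 uses for KDC_OPT_CANONICALIZE), so an old client that never sets the bit gets "Server not found in Kerberos database" for an alias while a newer client gets a ticket for the canonical name. The `kdc_requires_flag=False` switch models the idea of dropping the KDC's check for the flag. The client-side check is an assumption of this model, not something stated in the thread: a client that did not ask for canonicalization is modeled as expecting the sname in the returned ticket to equal the one it requested and rejecting a different name as a modified reply. The principal names, kvno and database contents are constructed to mirror the thread's example.

```python
"""
Model of KDC alias resolution keyed on the KDC_OPT_CANONICALIZE request flag.
Added illustration only; not code from MIT krb5 or from the mailing-list thread.
"""
from dataclasses import dataclass, field

# KDCOptions is a 32-bit KerberosFlags bit string (RFC 4120 section 5.4.1);
# bit 0 is the most significant bit. Bit 15 is canonicalize (RFC 6806).
KDC_OPTION_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "allow-postdate": 5, "postdated": 6, "renewable": 8, "canonicalize": 15,
    "disable-transited-check": 26, "renewable-ok": 27, "enc-tkt-in-skey": 28,
    "renew": 30, "validate": 31,
}


def option_mask(name):
    """Integer mask of a named KDC option as carried in the 32-bit field."""
    return 1 << (31 - KDC_OPTION_BITS[name])


KDC_OPT_CANONICALIZE = option_mask("canonicalize")  # 0x00010000


def decode_kdc_options(value):
    """Names of the option bits set in a 32-bit kdc-options value."""
    return {name for name in KDC_OPTION_BITS if value & option_mask(name)}


@dataclass
class Entry:
    kvno: int
    aliases: list = field(default_factory=list)


# Constructed KDC database mirroring the thread: ns4 is an alias of sf9ca98.
KDB = {
    "host/sf9ca98.domain.com@DOMAIN.COM": Entry(
        kvno=7, aliases=["host/ns4.domain.com@DOMAIN.COM"]),
}


def kdc_lookup(requested, kdc_options, kdb=KDB, require_flag=True):
    """KDC side: resolve the requested sname to (status, ticket_sname, kvno).
    With require_flag=True an alias is honored only if the request set
    canonicalize; require_flag=False models removing that check on the KDC."""
    if requested in kdb:
        return ("found", requested, kdb[requested].kvno)
    for canonical, entry in kdb.items():
        if requested in entry.aliases:
            if require_flag and not kdc_options & KDC_OPT_CANONICALIZE:
                # KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: "Server not found in Kerberos database"
                return ("not_found", None, None)
            return ("found", canonical, entry.kvno)
    return ("not_found", None, None)


def client_accepts(requested, ticket_sname, kdc_options):
    """Client side (assumption of this model): a client that did not request
    canonicalization expects the ticket sname to equal the requested name and
    treats anything else as a modified reply (KRB5_KDCREP_MODIFIED)."""
    if kdc_options & KDC_OPT_CANONICALIZE:
        return True
    return ticket_sname == requested


def kvno(requested, client_sets_canonicalize, kdc_requires_flag=True):
    """One modeled 'kvno' run; returns the line the tool would print."""
    opts = KDC_OPT_CANONICALIZE if client_sets_canonicalize else 0
    status, sname, version = kdc_lookup(requested, opts, require_flag=kdc_requires_flag)
    if status == "not_found":
        return f"{requested}: Server not found in Kerberos database"
    if not client_accepts(requested, sname, opts):
        return f"{requested}: KDC reply did not match expectations"
    return f"{sname}: kvno = {version}"


if __name__ == "__main__":
    names = ["host/sf9ca98.domain.com@DOMAIN.COM", "host/ns4.domain.com@DOMAIN.COM"]
    for new_client in (False, True):
        for strict_kdc in (True, False):
            print(f"client sets canonicalize={new_client}, KDC requires flag={strict_kdc}")
            for name in names:
                print("  " + kvno(name, new_client, kdc_requires_flag=strict_kdc))
```

Running the four combinations reproduces the two outputs quoted in the thread for the old client against a KDC that checks the flag, shows the newer client receiving kvno 7 for the canonical name when it asks for ns4, and, under the model's client-side assumption, shows why a KDC that canonicalizes for a client that never asked for it does not simply fix the old client: the ticket comes back for a name the client did not request.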