ldap principal aliases

Luke Howard lukeh at padl.com
Sun Aug 30 03:18:23 EDT 2009


On 30/08/2009, at 2:38 AM, Greg Hudson wrote:

> On Sat, 2009-08-29 at 11:01 -0400, Chris wrote:
>> Are there any known scenarios where forcing canonicalization on the KDC
>> would be bad?
>
> I'm not aware of any--in fact, I couldn't tell you with confidence why
> our KDC is checking that flag for TGS requests without consultation with
> others.  However, if you have old MIT Kerberos software on server
> machines (in the sense of a Kerberos application server), you may run
> into another problem:

In the TGS, the canonicalize flag is used only for determining whether
to return referrals; in a normal service principal request, it has no
bearing on the returned service name.

The behaviour for the AS is slightly different in respect of service
names, in order to handle some Windows interoperability issues. In
respect of client names, the canonicalize flag permits a different
client name to be returned.

-- Luke
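The following is an added example, not code from the krb5 project or from either poster. It decodes the KDCOptions BIT STRING from a KDC-REQ-BODY (bit positions from RFC 4120, with canonicalize at bit 15 as defined in RFC 6806) and then models the name handling Luke describes: in a TGS request the flag only decides whether a referral is returned, while in an AS request it permits the KDC to return a canonical client name in place of an alias. The request/response shapes, the realm mapping and the error codes chosen for the "flag not set" cases are simplifications assumed for the model; the AS service-name quirk for Windows is not modelled because the post gives no detail on it.

```python
"""Model of how the KDCOptions canonicalize flag affects KDC name handling.

Added example, not krb5 code. Bit numbers are the KerberosFlags positions
from RFC 4120 section 5.4.1 (canonicalize from RFC 6806); the decision
logic is a simplified model of the behaviour described in the post.
"""

# KerberosFlags bit positions. Bit 0 is the MSB of the first octet, so a
# 32-bit flags integer has bit n at (31 - n) counted from the LSB.
KDC_OPTION_BITS = {
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "allow-postdate": 5,
    "postdated": 6,
    "renewable": 8,
    "opt-hardware-auth": 11,
    "canonicalize": 15,
    "disable-transited-check": 26,
    "renewable-ok": 27,
    "enc-tkt-in-skey": 28,
    "renew": 30,
    "validate": 31,
}


def decode_kdc_options(der: bytes) -> int:
    """Decode a DER BIT STRING carrying KDCOptions into a 32-bit integer.

    Layout: tag 0x03, short-form length, one octet giving the number of
    unused trailing bits, then the bit data. KerberosFlags is at least
    32 bits, so only the first four data octets matter here.
    """
    if len(der) < 2 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused, data = der[2], der[3:]
    if unused > 7 or len(data) < 4:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    value = int.from_bytes(data[:4], "big")
    if len(data) == 4:  # padding bits live in the last octet; mask them off
        value &= 0xFFFFFFFF & ~((1 << unused) - 1)
    return value


def has_option(flags: int, name: str) -> bool:
    """Test one named KDCOptions bit in a decoded flags integer."""
    return bool((flags >> (31 - KDC_OPTION_BITS[name])) & 1)


def kdc_name_handling(req_type, flags, client, canonical_client,
                      server, server_realm, kdc_realm):
    """Simplified model of the name handling described in the post.

    TGS: canonicalize only decides whether a referral (cross-realm TGT) is
         returned for a server the KDC maps to another realm; a normal
         local service request returns the service name as requested.
    AS:  canonicalize lets the KDC answer with the canonical client name
         when the requested name is an alias; without it the requested name
         must be kept, modelled here as refusing the alias.
    """
    canon = has_option(flags, "canonicalize")
    if req_type == "TGS":
        if server_realm != kdc_realm:
            if canon:
                return {"action": "referral",
                        "sname": f"krbtgt/{server_realm}@{kdc_realm}"}
            return {"action": "error", "reason": "KDC_ERR_S_PRINCIPAL_UNKNOWN"}
        return {"action": "ticket", "cname": client, "sname": server}
    if req_type == "AS":
        if client == canonical_client or canon:
            return {"action": "ticket", "cname": canonical_client, "sname": server}
        return {"action": "error", "reason": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
    raise ValueError("req_type must be 'AS' or 'TGS'")


if __name__ == "__main__":
    # Constructed sample: forwardable | renewable | canonicalize | renewable-ok
    sample = b"\x03\x05\x00\x40\x81\x00\x10"
    flags = decode_kdc_options(sample)
    print(hex(flags), {n: has_option(flags, n) for n in KDC_OPTION_BITS})
    print(kdc_name_handling("AS", flags, "jdoe-alias", "jdoe",
                            "krbtgt/EXAMPLE.COM", "EXAMPLE.COM", "EXAMPLE.COM"))
    print(kdc_name_handling("TGS", flags, "jdoe", "jdoe",
                            "HTTP/web.other.example", "OTHER.EXAMPLE", "EXAMPLE.COM"))
```

The decoded value for the sample is 0x40810010, which matches the constants a KDC implementation would use (canonicalize alone is 0x00010000). Running the same TGS request with the flag cleared makes the model return an error instead of a referral, while a request for a local service returns the requested service name either way, which is the distinction the post draws.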
