ldap principal aliases
Luke Howard
lukeh at padl.com
Sun Aug 30 03:18:23 EDT 2009
On 30/08/2009, at 2:38 AM, Greg Hudson wrote:
> On Sat, 2009-08-29 at 11:01 -0400, Chris wrote:
>> Are there any known scenarios where forcing canonicalization on the KDC
>> would be bad?
>
> I'm not aware of any--in fact, I couldn't tell you with confidence why
> our KDC is checking that flag for TGS requests without consultation with
> others. However, if you have old MIT Kerberos software on server
> machines (in the sense of a Kerberos application server), you may run
> into another problem:
In the TGS, the canonicalize flag is used only for determining whether
to return referrals; in a normal service principal request, it has no
bearing on the returned service name.
The behaviour for the AS is slightly different in respect of service
names, in order to handle some Windows interoperability issues. In
respect of client names, the canonicalize flag permits a different
client name to be returned.
-- Luke
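The following is an added example, not code from the thread or from MIT Kerberos. It decodes the canonicalize bit out of a DER-encoded KDCOptions bit string (KerberosFlags per RFC 4120, with canonicalize assigned bit 15 by RFC 6806) and then models, on the client side, the name rules Luke describes above: in a TGS exchange the flag only governs referrals, so a normal service ticket must come back for the requested service, while in an AS exchange a changed client name is acceptable only when canonicalization was requested. The option encodings, principal names, and the treatment of a referral as an sname whose first component is krbtgt are constructed assumptions of this example; the thread does not spell out the AS rule for service names, so the example leaves that unchecked.

```python
"""Added example: decode the KDCOptions canonicalize bit and apply the
client-side name checks implied by the thread. Not MIT Kerberos code."""

# KDCOptions is a KerberosFlags BIT STRING (RFC 4120 section 5.4.1).
# Bit numbers count from the most significant bit of the first octet.
FORWARDABLE_BIT = 1
CANONICALIZE_BIT = 15      # assigned by RFC 6806
RENEWABLE_OK_BIT = 27

# Constructed sample encodings (DER BIT STRING: tag 0x03, length, unused-bits
# octet, then 32 bits of flags). Both set forwardable and renewable-ok; only
# the first also sets canonicalize.
OPTS_WITH_CANON = bytes.fromhex("0305 00 40 01 00 10")
OPTS_WITHOUT_CANON = bytes.fromhex("0305 00 40 00 00 10")


def decode_bit_string(der: bytes) -> list:
    """Decode a short-form DER BIT STRING into a list of bits, bit 0 first."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    if len(der) != 2 + length:
        raise ValueError("length octet does not match content length")
    unused = der[2]
    bits = []
    for byte in der[3:]:
        for shift in range(7, -1, -1):
            bits.append((byte >> shift) & 1)
    # Drop the trailing padding bits (guard: bits[:-0] would be empty).
    return bits[:-unused] if unused else bits


def flag_set(der: bytes, bit: int) -> bool:
    """True when the given KerberosFlags bit is set in the encoded options."""
    bits = decode_bit_string(der)
    return bit < len(bits) and bits[bit] == 1


def is_referral(sname: str) -> bool:
    """Assumption of this example: a referral is a ticket for krbtgt/OTHER-REALM."""
    return sname.split("@", 1)[0].startswith("krbtgt/")


def accept_reply(exchange: str, requested: dict, returned: dict, kdc_options: bytes) -> bool:
    """Client-side name check for a KDC reply.

    exchange:  "AS" or "TGS"
    requested: {"cname": ..., "sname": ...} as sent in the KDC-REQ
    returned:  {"cname": ..., "sname": ...} as found in the KDC-REP
    """
    canonicalize = flag_set(kdc_options, CANONICALIZE_BIT)

    if exchange == "TGS":
        # The TGS never rewrites the client name in a normal request.
        if returned["cname"] != requested["cname"]:
            return False
        # Canonicalize only decides whether a referral may come back; a
        # service name that differs otherwise is not what we asked for.
        if returned["sname"] == requested["sname"]:
            return True
        return canonicalize and is_referral(returned["sname"])

    if exchange == "AS":
        # A different client name is only acceptable if we asked for it.
        if returned["cname"] != requested["cname"] and not canonicalize:
            return False
        # The thread does not specify the AS service-name rule; left unchecked.
        return True

    raise ValueError("exchange must be 'AS' or 'TGS'")


if __name__ == "__main__":
    req = {"cname": "chris@EXAMPLE.COM", "sname": "host/www.example.com@EXAMPLE.COM"}
    ref = {"cname": "chris@EXAMPLE.COM", "sname": "krbtgt/OTHER.EXAMPLE@EXAMPLE.COM"}
    print("canonicalize set:", flag_set(OPTS_WITH_CANON, CANONICALIZE_BIT))
    print("TGS referral, canonicalize set:", accept_reply("TGS", req, ref, OPTS_WITH_CANON))
    print("TGS referral, canonicalize clear:", accept_reply("TGS", req, ref, OPTS_WITHOUT_CANON))
```

The bit-string decoder is deliberately minimal (short-form lengths only); a real client would take KDCOptions from its ASN.1 layer and apply the same acceptance logic to the decoded flags.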