Kerberos canonicalization problem
Lorenzo Costanzia
lorenzo.costanzia at gmail.com
Fri Feb 13 06:23:41 EST 2009
Hi everybody,
I'm trying to set up an AFP server with (MIT) Kerberos authentication
and DNS service discovery (aka Bonjour, see http://www.dns-sd.org/) in
my home network (which uses a private .lan top level domain). The AFP
server works beautifully when connecting "directly" to it.
But when I try to connect to the AFP after discovery via dns-sd, the
client tries to fetch a
"afpserver/afp.lan.@MYREALM.LAN" ticket (note the trailing dot in the
SPN), which doesn't exist, so authentication fails. (This is btw the
correct behavior of dns-sd, which always gives back the more verbose
"form" of the hostname with trailing dot.)
Now I can't simply add an "afpserver/afp.lan." principal, as the AFP
server accepts only one principal, and I want to be able to connect
both "directly" and via dns-sd.
However, when the client connects to the KDC asking for that
nonexistent service principal, the "canonicalization" flag is set, but
the KDC doesn't care and reports KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
Now is there a way to activate KDC-side canonicalization and/or set up a
static alias between "afpserver/afp.lan." and "afpserver/afp.lan"?
Thanks in advance,
Lorenzo Costanzia
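A client-side workaround for the trailing-dot mismatch described above, as an added example that is not part of the original post: canonicalise the hostname handed back by DNS-SD before assembling the service principal name, so the ticket request names the single principal the KDC actually has. The function names (canonical_host, build_spn, parse_spn, spn_matches) are assumptions; the service, host and realm are the ones from the post.

```python
# Added example (not from the original post): normalise a DNS-SD hostname
# before building a Kerberos SPN, so "afp.lan." and "afp.lan" both map to
# the one principal registered at the KDC. Function names are hypothetical.

def canonical_host(host: str) -> str:
    """Return the host part in the form used for the KDC's principal.

    DNS-SD returns an absolute name with a trailing dot ("afp.lan.");
    Kerberos host-based principals conventionally use the lowercase
    name without it.
    """
    if not host:
        raise ValueError("empty hostname")
    name = host.rstrip(".").lower()
    # Reject names that are only dots or contain empty labels.
    if not name or name.startswith(".") or ".." in name:
        raise ValueError(f"malformed hostname: {host!r}")
    return name


def build_spn(service: str, host: str, realm: str) -> str:
    """Assemble service/host@REALM with the host canonicalised."""
    return f"{service}/{canonical_host(host)}@{realm}"


def parse_spn(spn: str) -> tuple[str, str, str]:
    """Split service/host@REALM into its three parts."""
    principal, _, realm = spn.rpartition("@")
    service, _, host = principal.partition("/")
    if not (service and host and realm):
        raise ValueError(f"not a service principal: {spn!r}")
    return service, host, realm


def spn_matches(requested: str, registered: str) -> bool:
    """True if two SPNs name the same service once the host is canonicalised.

    Realm names are compared exactly, since Kerberos realms are case-sensitive.
    """
    s1, h1, r1 = parse_spn(requested)
    s2, h2, r2 = parse_spn(registered)
    return s1 == s2 and canonical_host(h1) == canonical_host(h2) and r1 == r2
```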