ldap principal aliases

Chris lists at deksai.com
Tue Sep 22 10:13:48 EDT 2009

On Sat, Aug 29, 2009 at 11:01:19AM -0400, Chris wrote:
> On Fri, Aug 28, 2009 at 09:27:44PM -0400, Greg Hudson wrote:
> > On Fri, 2009-08-28 at 16:04 -0400, Chris wrote:
> > > [root at wopr ~]# kvno host/sf9ca98.domain.com
> > > host/sf9ca98.domain.com at DOMAIN.COM: kvno = 7
> > > [root at wopr ~]# kvno host/ns4.domain.com
> > > host/ns4.domain.com at DOMAIN.COM: Server not found in Kerberos
> > > database while getting credentials
> > 
> > I just tried a simple test like this myself and it worked for me.
> > 
> > However, I noted that success in the latter case depends on the client
> > setting KDC_OPT_CANONICALIZE in the TGS request.  The client sets this
> > bit in krb5 1.6 and krb5 1.7, but not in krb5 1.5 and prior.  So if
> > you're trying to get aliases to work for older versions of the client
> > library, that's going to be an issue.
> > 
> > 
On Sat, Aug 29, 2009 at 08:38:21PM -0400, Greg Hudson wrote:
> Let's say host/aliasname is an alias for host/realname.  The client
> performs a TGS request for host/aliasname service tickets, and gets a
> host/aliasname service ticket encrypted in the key for host/realname.
> Now the client presents this ticket to the server in an AP request,
> saying it wants to authenticate to host/aliasname.
> * With krb5 1.7.x, krb5_rd_req will ignore the stated target of the AP
> request and look for any key in the keytab which can decode the
> presented ticket.  It will find the host/realname key and succeed.
> * With krb5 1.6.x and prior, the krb5_rd_req will look specifically for
> a host/aliasname key in the keytab, and will fail if the keytab contains
> only a host/realname entry.

I realize that this thread is pretty old, but I figured I'd update this for the
sake of posterity.  I tried several nice ways to get what I needed.  I ended
up just getting hacky and rolled a "Frankenkerberos" package for our servers.
It basically patches 1.7 to export an old symbol, keeps some old krb4 related
library files if needed to not break linkage for old binaries (we don't use
that functionality at all), and updates everything else to 1.7.  

I've tested it out on a couple hundred servers short of a month, and haven't
had any noticeable problems yet.  The new behavior in 1.7 has been very nice


More information about the Kerberos mailing list