Realmname missing in SPN

Greg Hudson ghudson at MIT.EDU
Thu Mar 27 00:09:04 EDT 2014


On 03/26/2014 02:57 PM, Arpit Srivastava wrote:
> I am using the krb5_sname_to_principal() API to generate
> HTTP/home.example.com@EXAMPLE.COM format SPN from HTTP@home.example.com format.
> krb5_sname_to_principal() returns a principal which when I parsed, I got
> something like HTTP/home.example.com@. Realm name EXAMPLE.COM is missing here.

Since version 1.6, krb5_sname_to_principal will return an empty realm if
it cannot determine the realm from the krb5.conf [domain_realm] section.
The intent is that, if the principal is used as the server principal
for a TGS request (via krb5_get_credentials or gss_init_sec_context),
the local KDC will be given a chance to make a referral to another realm.

If the principal is being used for another purpose, then the caller is
responsible for filling in the realm if it is empty.  The caller can use
krb5_get_fallback_host_realm to apply domain-based and DNS-based
heuristics, or it can get the default realm with krb5_get_default_realm
and use that.  krb5_set_principal_realm can be used to conveniently set
the principal's realm once one is chosen.

