[krbdev.mit.edu #8332] gss_init_sec_context w/host@<hostname> fails with anonymous tickets
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Dec 24 02:27:03 EST 2015
It looks like we only use the fallback realm (which would include TXT
records) if we make a query to the client principal realm and get an
error. If we can't even make the query to the client realm, we give up.

We do have a hostrealm pluggable interface starting in 1.12, so in theory
you could write a hostrealm module which supplies the service principal
realm as an authoritative realm, perhaps using wildcard matching.
Deploying such a module to all of the clients may not be attractive,
depending on your environment.
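
The wildcard matching suggested in the message above, as an added example that is not part of the original message or of the krb5 source. It covers only the hostname-to-realm decision that a hostrealm module's `host_realm` method would make; the rule table, the function names and the `example.com` hosts and realms are assumptions, and registration with the plugin framework is not shown.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample rules; hostnames and realm names are placeholders. */
struct realm_rule { const char *pattern; const char *realm; };
static const struct realm_rule sample_rules[] = {
    { "*.svc.example.com", "SVC.EXAMPLE.COM" },
    { "*.example.com",     "EXAMPLE.COM" },
    { "kdc.example.net",   "EXAMPLE.NET" },
};

/* "*.domain" matches hosts with at least one label before ".domain" (not
 * "domain" itself); other patterns must match exactly. Case-insensitive. */
static int pattern_matches(const char *pattern, const char *host)
{
    size_t plen, hlen;
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;
    pattern++;              /* keep the dot so "badexample.com" cannot match */
    plen = strlen(pattern);
    hlen = strlen(host);
    return hlen > plen && strcasecmp(host + hlen - plen, pattern) == 0;
}

/* Longest matching pattern wins. NULL means no rule applies; a host_realm
 * method would then return KRB5_PLUGIN_NO_HANDLE to defer to other modules. */
const char *lookup_realm(const struct realm_rule *r, size_t n, const char *host)
{
    const char *best = NULL;
    size_t best_len = 0, i, len;
    if (host == NULL || *host == '\0')
        return NULL;
    for (i = 0; i < n; i++) {
        len = strlen(r[i].pattern);
        if (len > best_len && pattern_matches(r[i].pattern, host)) {
            best = r[i].realm;
            best_len = len;
        }
    }
    return best;
}

int main(void)
{
    const char *realm = lookup_realm(sample_rules, 3, "web.svc.example.com");
    printf("web.svc.example.com -> %s\n", realm ? realm : "(defer)");
    return 0;
}
```

Deferring on a miss rather than guessing a realm keeps the module from claiming authority over hosts outside its table.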