[krbdev.mit.edu #8925] [Comment] qualify_shortname default can be harmful in LAN setups

Greg Hudson via RT rt-comment at krbdev.mit.edu
Tue Jul 14 09:09:15 EDT 2020


https://krbdev.mit.edu/rt/Ticket/Display.html?id=8925
This is a comment.  It is not sent to the Requestor(s):

Some ancillary wrinkles:

* krb5_sname_to_principal() allows :port suffixes (used by MSSQLSvc
principals), but the current fallback processing in get_creds.c does not.

* krb5_get_init_creds_keytab() iterates over the keytab to find the available
enctypes so it can put those first in the request, and errors out if it doesn't
find any. This operation does not substitute the default realm for the referral
realm like krb5_kt_get_entry() does.

* krb5_sname_to_principal() looks up the realm (in [domain_realm] or a
hostrealm plugin module) of the first expanded hostname candidate. The current
fallback processing does not repeat this lookup. If qualify_shortname is "",
the lookup is unlikely to succeed for the local hostname or a short hostname.
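
As an added illustration of the first and third wrinkles above (this is constructed example code, not MIT krb5 code and not part of the ticket comment): a hypothetical candidate-qualification routine that keeps a ":port" suffix intact while appending qualify_shortname to a short hostname, and then repeats the [domain_realm] lookup on the qualified name. The DOMAIN_REALM table, the function names and the hostnames are made up for the example, and the matching rules are a simplified rendering of krb5's (exact host entry first, then parent domains with a leading dot, hostnames assumed already lowercased), not its implementation.

```c
/* Constructed example, not MIT krb5 code.  Sketches the candidate-hostname
 * handling the ticket comment says the get_creds.c fallback is missing:
 * (1) keeping a ":port" suffix while qualifying a short hostname and
 * (2) repeating the [domain_realm] lookup for the qualified candidate. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct domain_realm { const char *domain; const char *realm; };

/* Constructed [domain_realm] section (assumption for the example). */
static const struct domain_realm DOMAIN_REALM[] = {
    { ".example.com", "EXAMPLE.COM" },
    { "example.com",  "EXAMPLE.COM" },
};
#define NUM_DOMAIN_REALM (sizeof(DOMAIN_REALM) / sizeof(DOMAIN_REALM[0]))

/* Length of the host part of "host[:port]".  A port suffix is recognised
 * only when every character after the colon is a digit (MSSQLSvc/host:1433
 * style); otherwise the whole string is treated as the host. */
static size_t host_len(const char *hostport)
{
    const char *colon = strchr(hostport, ':');
    const char *p;

    if (colon == NULL || colon[1] == '\0')
        return strlen(hostport);
    for (p = colon + 1; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p))
            return strlen(hostport);
    }
    return (size_t)(colon - hostport);
}

/* Write "host.qualify_shortname[:port]" to out.  A host that already
 * contains a dot, or an empty qualify_shortname, passes through unchanged,
 * port included.  Returns 0 on success, -1 if out is too small. */
int qualify_host(const char *hostport, const char *qualify_shortname,
                 char *out, size_t outlen)
{
    size_t hlen = host_len(hostport);
    const char *port = hostport + hlen;      /* "" or ":NNNN" */
    int n;

    if (memchr(hostport, '.', hlen) != NULL || *qualify_shortname == '\0')
        n = snprintf(out, outlen, "%s", hostport);
    else
        n = snprintf(out, outlen, "%.*s.%s%s", (int)hlen, hostport,
                     qualify_shortname, port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Realm for a hostname (no port): exact entry first, then each parent
 * domain written with a leading dot.  NULL when nothing matches, which is
 * the expected outcome for a bare short name such as "db01". */
const char *lookup_realm(const char *host)
{
    size_t i;
    const char *p;

    for (i = 0; i < NUM_DOMAIN_REALM; i++) {
        if (strcmp(host, DOMAIN_REALM[i].domain) == 0)
            return DOMAIN_REALM[i].realm;
    }
    for (p = strchr(host, '.'); p != NULL; p = strchr(p + 1, '.')) {
        for (i = 0; i < NUM_DOMAIN_REALM; i++) {
            if (strcmp(p, DOMAIN_REALM[i].domain) == 0)
                return DOMAIN_REALM[i].realm;
        }
    }
    return NULL;
}

/* Qualify one candidate, strip the port again, and look up its realm.
 * The qualified host[:port] is left in out; returns the realm or NULL. */
const char *resolve_candidate(const char *hostport,
                              const char *qualify_shortname,
                              char *out, size_t outlen)
{
    char host[256];
    size_t hlen;

    if (qualify_host(hostport, qualify_shortname, out, outlen) != 0)
        return NULL;
    hlen = host_len(out);
    if (hlen >= sizeof(host))
        return NULL;
    memcpy(host, out, hlen);
    host[hlen] = '\0';
    return lookup_realm(host);
}

int main(void)
{
    char buf[256];
    const char *realm;

    /* With a qualifying domain the port survives and the realm is found. */
    realm = resolve_candidate("db01:1433", "example.com", buf, sizeof(buf));
    printf("%-24s -> %s\n", buf, realm ? realm : "(no realm)");
    /* With qualify_shortname = "" the short name finds no [domain_realm] entry. */
    realm = resolve_candidate("db01:1433", "", buf, sizeof(buf));
    printf("%-24s -> %s\n", buf, realm ? realm : "(no realm)");
    return 0;
}
```

The point of splitting the port off before qualification and stripping it again before the realm lookup is that neither step can be done on the raw "host:port" string: appending a domain to it would produce "db01:1433.example.com", and looking it up verbatim would never match a [domain_realm] entry.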