krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

Sam Hartman hartmans at MIT.EDU
Tue Apr 8 16:24:35 EDT 2003


>>>>> "Paul" == Paul W Nelson <nelson at thursby.com> writes:

    Paul> Since krb5_mk_req calls krb5_sname_to_principal, is the call
    Paul> unavoidable?

Yes.

The krb5 hostname handling is a real mess and I'm not really sure what
to do to clean it up.

You have the following incompatible use cases:

1) People who want reverse resolution to work so that clustering
   works.  I.e. dialup.university.edu will return some A record that
   you want to reverse resolve because it is some instance of
   dialup.university.edu.

2) People who have broken reverse DNS and who just want a forward lookup.

3) People who want no hostname canonicalization at all because they
   actually want security.

Suggestions on how we can improve the mess greatly appreciated.
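
The three use cases above, modeled as an added example (not part of the original message and not MIT krb5 code). The DNS tables, the `policy` names and both functions are constructed for illustration; the realm is omitted, and the fallback to the forward name when no PTR record exists is an assumption of this model.

```python
# Constructed DNS data (documentation addresses, not real records).
FORWARD = {  # typed name -> (canonical name from forward lookup, address)
    "dialup.university.edu": ("dialup.university.edu", "192.0.2.11"),
    "ldap": ("ldap.example.com", "192.0.2.20"),
}
REVERSE = {  # address -> PTR name
    "192.0.2.11": "dialup-3.university.edu",  # one member of the cluster
    # 192.0.2.20 has no PTR record: the "broken reverse DNS" case
}


def service_principal(service, host, policy, forward=FORWARD, reverse=REVERSE):
    """Return the service/host name a client would ask the KDC for.

    policy "reverse": forward lookup, then PTR lookup   (use case 1)
    policy "forward": forward lookup only               (use case 2)
    policy "none":    the name exactly as typed         (use case 3)
    """
    if policy not in ("reverse", "forward", "none"):
        raise ValueError(f"unknown policy: {policy}")
    name = host
    if policy != "none":
        if host not in forward:
            raise LookupError(f"no address record for {host}")
        name, addr = forward[host]
        if policy == "reverse":
            # Assumption: keep the forward name when the PTR lookup fails.
            name = reverse.get(addr, name)
    return f"{service}/{name.lower()}"


def dns_changes_principal(service, host, policy, forward, reverse):
    """True if answering from different DNS data changes the principal.

    A True result means the ticket target is chosen by DNS answers
    rather than by what the user typed.
    """
    baseline = service_principal(service, host, policy)
    return service_principal(service, host, policy, forward, reverse) != baseline


if __name__ == "__main__":
    for policy in ("reverse", "forward", "none"):
        print(policy,
              service_principal("host", "dialup.university.edu", policy),
              service_principal("ldap", "ldap", policy))
```

Only the "none" policy yields a principal that is independent of the DNS tables, which is why use case 3 cannot be served by the same code path as the other two.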


