krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

Sam Hartman hartmans at MIT.EDU
Tue Apr 8 16:24:35 EDT 2003

>>>>> "Paul" == Paul W Nelson <nelson at> writes:

    Paul> Since krb5_mk_req calls krb5_sname_to_principal, is the call
    Paul> unavoidable?


The krb5 hostname handling is a real mess and I'm not really sure what
to do to clean it up.

You have the following incompatible use cases:

1) People who want reverse resolution to work so that clustering
   works.  I.E. will return some A record that
   you want to reverse resolve because it is some instance of

2) People who have broken reverse DNS and who just want a forward lookup.

3) People who want no hostname canonicalization at all because they
    actually want security.

Suggestions on how we can improve the mess greatly appreciated.
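
The three use cases above, as an added example that is not part of the original message and is not MIT krb5 code: a simplified Python model of how the host part of a service principal comes out under each policy, and whether DNS answers can change it. The DNS tables, host names, realm, policy labels and function names are all constructed for illustration.

```python
# Simplified model of host-based service principal construction under the
# three policies listed above. All DNS data is constructed for illustration.
FORWARD = {  # queried name -> (canonical name, address), as a resolver returns
    "ldap": ("ldap.example.com.", "192.0.2.10"),
    "ldap.example.com": ("ldap.example.com.", "192.0.2.10"),
}
REVERSE = {"192.0.2.10": "Node1.example.com."}  # PTR data: one cluster member

POLICIES = ("forward+reverse", "forward", "none")  # use cases 1, 2, 3


def sname_to_principal(host, service, realm, policy,
                       forward=FORWARD, reverse=REVERSE):
    """Return service/host@REALM for the given canonicalization policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    name = host
    if policy != "none":
        if host not in forward:
            raise LookupError(f"forward lookup failed for {host}")
        name, addr = forward[host]
        if policy == "forward+reverse":
            # Missing or broken PTR data: keep the forward name.
            name = reverse.get(addr, name)
    # Normalize: drop the trailing dot and lowercase the host part.
    return f"{service}/{name.rstrip('.').lower()}@{realm}"


def dns_dependent(host, service, realm, policy):
    """True if different DNS answers change the principal that is requested."""
    other_fwd = {k: ("other.example.net.", "198.51.100.7") for k in FORWARD}
    other_rev = {"198.51.100.7": "other.example.net."}
    baseline = sname_to_principal(host, service, realm, policy)
    changed = sname_to_principal(host, service, realm, policy,
                                 other_fwd, other_rev)
    return baseline != changed


if __name__ == "__main__":
    for p in POLICIES:
        princ = sname_to_principal("ldap", "ldap", "EXAMPLE.COM", p)
        tag = "DNS-dependent" if dns_dependent("ldap", "ldap", "EXAMPLE.COM", p) else "fixed"
        print(f"{p:16} {princ:36} {tag}")
```

Only the policy with no canonicalization yields a principal that is determined by what the user typed; the other two take the host part from unauthenticated DNS answers.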

