krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

Nicolas Williams Nicolas.Williams at
Tue Apr 8 17:16:56 EDT 2003

On Tue, Apr 08, 2003 at 04:24:35PM -0400, Sam Hartman wrote:
> >>>>> "Paul" == Paul W Nelson <nelson at> writes:
>     Paul> Since krb5_mk_req calls krb5_sname_to_principal, is the call
>     Paul> unavoidable?
> Yes.
> The krb5 hostname handling is a real mess and I'm not really sure what
> to do to clean it up.
> You have the following incompatible use cases:
> 1) People who want reverse resolution to work so that clustering
>    works.  I.E. will return some A record that
>    you want to reverse resolve because it is some instance of

IIUC then I must say that (1) is highly undesirable.  Instead I think
the cluster hosts should all share the key for the cluster principal
(and the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL -> use-principal-requested-
by-the-initiator-if-we-have-a-keytab-entry for it feature).

> 2) People who have broken reverse DNS and who just want a forward lookup.
> 3) People who want no hostname canonicalization at all because they
>     actually want security.

I think KDC-side aliasing will take care of (2) and (3).



More information about the krbdev mailing list