krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

Nicolas Williams Nicolas.Williams at sun.com
Tue Apr 8 17:16:56 EDT 2003


On Tue, Apr 08, 2003 at 04:24:35PM -0400, Sam Hartman wrote:
> >>>>> "Paul" == Paul W Nelson <nelson at thursby.com> writes:
> 
>     Paul> Since krb5_mk_req calls krb5_sname_to_principal, is the call
>     Paul> unavoidable?
> 
> Yes.
> 
> The krb5 hostname handling is a real mess and I'm not really sure what
> to do to clean it up.
> 
> You have the following incompatible use cases:
> 
> 1) People who want reverse resolution to work so that clustering
>    works.  I.E. dialup.university.edu will return some A record that
>    you want to reverse resolve because it is some instance of
>    dialup.university.edu.

IIUC then I must say that (1) is highly undesirable.  Instead I think
the cluster hosts should all share the key for the cluster principal
(and the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL -> use-principal-requested-
by-the-initiator-if-we-have-a-keytab-entry for it feature).

> 2) People who have broken reverse DNS and who just want a forward lookup.
> 
> 3) People who want no hostname canonicalization at all because they
>     actually want security.

I think KDC-side aliasing will take care of (2) and (3).

Cheers,

Nico
-- 
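The three canonicalization policies Sam enumerates, as an added Python model that is not part of the original thread or of the MIT krb5 code base; the DNS records are constructed, and the policy names `reverse`, `forward` and `none` are this example's own labels for use cases (1), (2) and (3).

```python
"""Model of the host canonicalization step inside krb5_sname_to_principal.
Added example with constructed DNS data, not code from MIT krb5 or the thread.
Policies: 'reverse' (use case 1), 'forward' (use case 2), 'none' (use case 3).
"""

# Constructed records; nothing here is real DNS.
CNAME = {"login.example.org": "cname-host.example.org"}
A_RECORDS = {
    "dialup.university.edu": ["10.0.0.7"],          # cluster alias (use case 1)
    "node3.dialup.university.edu": ["10.0.0.7"],    # the member actually answering
    "cname-host.example.org": ["192.0.2.10"],
    "broken-reverse.example.org": ["192.0.2.20"],   # no PTR record (use case 2)
}
PTR_RECORDS = {
    "10.0.0.7": "node3.dialup.university.edu",
    "192.0.2.10": "cname-host.example.org",
}


def canonicalize(hostname, mode):
    """Return the host part of the service principal under the given policy."""
    host = hostname.lower().rstrip(".")
    if mode == "none":
        # Use case 3: the name the caller typed is the name that is trusted;
        # no DNS answer can change which key the server must hold.
        return host
    host = CNAME.get(host, host)               # forward lookup follows CNAMEs
    addrs = A_RECORDS.get(host)
    if not addrs:
        raise LookupError(f"no address record for {host}")
    if mode == "forward":
        return host                            # use case 2: PTR never consulted
    if mode == "reverse":
        # Use case 1: the principal now depends on a PTR record the caller never
        # asked for; a missing PTR falls back to the forward name.
        return PTR_RECORDS.get(addrs[0], host)
    raise ValueError(f"unknown mode {mode!r}")


def sname_to_principal(service, hostname, realm, mode):
    """Build service/host@REALM as krb5_sname_to_principal would."""
    return f"{service}/{canonicalize(hostname, mode)}@{realm}"


def compare_policies(service, hostname, realm):
    """Map one typed hostname to the principal each policy would produce."""
    return {m: sname_to_principal(service, hostname, realm, m)
            for m in ("reverse", "forward", "none")}
```

Running `compare_policies("host", "dialup.university.edu", "UNIVERSITY.EDU")` shows the point of the thread: only the `reverse` policy turns the cluster name into `host/node3.dialup.university.edu`, so only that policy requires every cluster member to hold (or the client to trust) a key chosen by the PTR answer rather than by the name the user asked for.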