Ticket addresses w.r.t. forwarded tickets.
Andrew Bartlett
abartlet at samba.org
Thu Dec 1 18:24:06 EST 2005
On Wed, 2005-11-30 at 19:05 -0500, Roland.Dowdeswell at MorganStanley.com
wrote:
> So, by default the MIT libs when asked to forward tickets to the remote
> end will decide whether to include addresses in the forwarded ticket by
> checking your current TGT and seeing whether it has addresses. And the
> addresses that the libs put in the forwarded ticket are determined via
> a DNS forward lookup of the remote end's hostname. I would like to
> have addressed TGTs while forwarding addressless tickets, so I've put
> together a tiny patch which defines a boolean in the [libdefaults]
> section of $KRB5_CONFIG to let me do this [below].
>
> What's the chance of including this in the main tree?
>
> (I'll elide the long discussion about why using DNS to determine what
> addresses the remote end might use to talk to the KDC is pretty much
> guaranteed to be incorrect for at least some of the hosts on a
> corporate network. The only reasonable strategy would be to ask the
> remote end what its addresses are, or something along those lines.)

For the same reason I added a similar option to lorikeet-heimdal (my
branch of Heimdal for use in Samba4) for exactly the same reasons. In
addition, we tend to find we are using NetBIOS names, which makes DNS
doubly bogus.

I like your choice of name, but should this be a libdefaults or an
appdefaults issue? (no-addresses seems to be under appdefaults in
Heimdal).

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net