Turning off hostname canonicalisation

Andrew Bartlett abartlet at samba.org
Fri Sep 9 19:50:27 EDT 2005

As part of our effort to get Kerberos working really well in Samba4, I'm
interested in turning off hostname canonicalisation, because it isn't
required in AD realms, it doesn't make much sense anyway for NetBIOS
names and DNS is so often broken on real networks.

Rather than just rip out the code (in our modified Heimdal snapshot), I
was looking at instead using a krb5.conf config option, and hoped that I
might get some consensus as to how this should be done, between the two
projects that share the /etc/krb5.conf file (and have done so very well,
I get surprisingly little pain from this).

I'm thinking along the lines of:
 hostname_canonicalise = no

This would prevent the krb5 libs doing hostname lookups to obtain a
fully-qualified hostname.

For compatibility I assume it would be 'yes' by default, but Samba would
set it to no in the krb5_init_context routines.  

Does this sound sane? 

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
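
An added illustration, not part of the original message and not Samba, Heimdal or MIT code: a simplified Python model of how a client library derives a service principal from a host name, with the proposed `hostname_canonicalise` option read from krb5.conf text. The DNS tables, host names, realm and the forward-then-reverse lookup order are constructed assumptions; no real DNS or Kerberos calls are made.

```python
# Simplified model: how (service, hostname) becomes a service principal,
# with and without hostname canonicalisation. All data below is constructed.
FORWARD = {"fileserver": "192.0.2.10"}            # constructed A record
REVERSE = {"192.0.2.10": "old-box.example.com"}   # constructed, stale PTR

CONF_DEFAULT = "[libdefaults]\n    default_realm = EXAMPLE.COM\n"
CONF_NO_CANON = CONF_DEFAULT + "    hostname_canonicalise = no\n"


def parse_libdefaults(text):
    """Collect key = value pairs from the [libdefaults] section."""
    section, opts = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts[key] = value
    return opts


def canonicalise_enabled(opts):
    # Option name as proposed in the post; 'yes' by default for compatibility.
    return opts.get("hostname_canonicalise", "yes").lower() != "no"


def service_principal(service, hostname, conf_text):
    """Return the principal a client would request a ticket for."""
    opts = parse_libdefaults(conf_text)
    host = hostname
    if canonicalise_enabled(opts):
        addr = FORWARD.get(host)
        if addr is None:
            # This model treats a failed lookup as an error.
            raise LookupError("cannot resolve %r" % hostname)
        host = REVERSE.get(addr, host)  # the PTR answer replaces the typed name
    return "%s/%s@%s" % (service, host, opts["default_realm"])


if __name__ == "__main__":
    for conf in (CONF_DEFAULT, CONF_NO_CANON):
        print(service_principal("cifs", "fileserver", conf))
```

With the default, the stale PTR record makes the client ask for `cifs/old-box.example.com`; with the option set to `no`, the name is used exactly as given, so a name with no DNS entry at all still yields a principal.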
More information about the krbdev mailing list