Turning off hostname canonicalisation

Jeffrey Altman jaltman at MIT.EDU
Fri Sep 9 20:10:25 EDT 2005


MIT has already implemented this functionality.
We added

  rdns = {no, yes}

It currently defaults to "on" but can be turned off in the profile.

Jeffrey Altman

Andrew Bartlett wrote:
> As part of our effort to get Kerberos working really well in Samba4, I'm
> interested in turning off hostname canonicalisation, because it isn't
> required in AD realms, it doesn't make much sense anyway for NetBIOS
> names and DNS is so often broken on real networks.
> Rather than just rip out the code (in our modified Heimdal snapshot), I
> was looking at instead using a krb5.conf config option, and hoped that I
> might get some consensus as to how this should be done, between the two
> projects that share the /etc/krb5.conf file (and have done so very well,
> I get surprisingly little pain from this).
> I'm thinking along the lines of:
> [libdefaults] 
>  hostname_canonicalise = no
> This would prevent the krb5 libs doing hostname lookups to obtain a
> fully-qualified hostname.
> For compatibility I assume it would be 'yes' by default, but Samba would
> set it to no in the krb5_init_context routines.  
> Does this sound sane? 
> Andrew Bartlett
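
Added example, not part of the original thread and not MIT or Heimdal code: a simplified Python model of how the host-based service principal changes with canonicalisation and with `rdns`. The `canonicalise` flag stands in for the option proposed in the quoted message; the lookup tables, hostnames and realm are constructed, and the fall-back-on-failed-lookup and lowercasing behaviour are assumptions of the model.

```python
# Simplified model of hostname canonicalisation for host-based service
# principals. All names, addresses and DNS records below are constructed.

# Forward DNS: name as typed -> (canonical name, address)
FORWARD = {
    "fileserver": ("fileserver.corp.example.com.", "192.0.2.10"),
    "web": ("web.corp.example.com.", "192.0.2.20"),
}
# Reverse DNS: address -> PTR name. The second record is stale ("broken DNS").
REVERSE = {
    "192.0.2.10": "FILESERVER.corp.example.com.",
    "192.0.2.20": "lb-7.hosting.example.net.",
}


def canonical_host(host, canonicalise=True, rdns=True):
    """Return the hostname that ends up in the service principal."""
    name = host
    if canonicalise:
        forward = FORWARD.get(host.lower())
        if forward is not None:          # failed lookup: keep the name as given
            name, address = forward
            if rdns:
                # The PTR record, when present, overrides the forward name.
                name = REVERSE.get(address, name)
    return name.rstrip(".").lower()


def service_principal(service, host, realm, canonicalise=True, rdns=True):
    """Build service/host@REALM from the (possibly canonicalised) hostname."""
    return f"{service}/{canonical_host(host, canonicalise, rdns)}@{realm}"


if __name__ == "__main__":
    realm = "CORP.EXAMPLE.COM"
    for host in ("fileserver", "web", "NBSERVER"):
        for canonicalise, rdns in ((True, True), (True, False), (False, False)):
            print(f"{host:<11} canonicalise={canonicalise!s:<5} rdns={rdns!s:<5} ->",
                  service_principal("host", host, realm, canonicalise, rdns))
```

With the stale PTR record, the `web` client requests a ticket for a principal the KDC has never heard of unless `rdns` is off; the name with no DNS entry is unaffected by either setting.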