Turning off hostname canonicalisation
Jeffrey Altman
jaltman at MIT.EDU
Fri Sep 9 20:10:25 EDT 2005
Andrew:
MIT has already implemented this functionality.
We added

    [libdefaults]
        rdns = {no, yes}

It currently defaults to "on" but can be turned off in the profile.
Jeffrey Altman
Andrew Bartlett wrote:
> As part of our effort to get Kerberos working really well in Samba4, I'm
> interested in turning off hostname canonicalisation, because it isn't
> required in AD realms, it doesn't make much sense anyway for NetBIOS
> names and DNS is so often broken on real networks.
>
> Rather than just rip out the code (in our modified Heimdal snapshot), I
> was looking at instead using a krb5.conf config option, and hoped that I
> might get some consensus as to how this should be done, between the two
> projects that share the /etc/krb5.conf file (and have done so very well,
> I get surprisingly little pain from this).
>
> I'm thinking along the lines of:
>     [libdefaults]
>         hostname_canonicalise = no
>
> This would prevent the krb5 libs doing hostname lookups to obtain a
> fully-qualified hostname.
>
> For compatibility I assume it would be 'yes' by default, but Samba would
> set it to no in the krb5_init_context routines.
>
> Does this sound sane?
>
> Andrew Bartlett
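
Added example (not part of the original thread and not MIT krb5 code): a small Python check that reports the effective [libdefaults] rdns value of a krb5.conf text, using the default of "on" stated in the message above. The function name effective_rdns, the sample configuration and the choice to take the first occurrence are assumptions of this sketch; include/includedir directives are not followed.

```python
import re

# Boolean spellings accepted by MIT krb5's profile library.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]")
RELATION_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.*)$")

# Constructed sample configuration, for illustration only.
SAMPLE = """[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = no
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def effective_rdns(conf_text, default=True):
    """Return (value, origin); origin is 'explicit', 'default' or 'invalid'."""
    section = None
    depth = 0  # nesting depth of "name = { ... }" subsections
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m and depth == 0:
            section = m.group(1).strip()
            continue
        if line.startswith("}"):
            depth = max(depth - 1, 0)
            continue
        m = RELATION_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            depth += 1  # e.g. a per-realm block; its relations are skipped
            continue
        # Only a top-level relation in [libdefaults] counts; first one wins
        # (assumption of this sketch).
        if section == "libdefaults" and depth == 0 and key == "rdns":
            word = value.strip('"').lower()
            if word in TRUE_WORDS | FALSE_WORDS:
                return word in TRUE_WORDS, "explicit"
            return default, "invalid"  # unparsable value: report the default
    return default, "default"
```
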