Turning off hostname canonicalisation
Ken Raeburn
raeburn at MIT.EDU
Fri Sep 9 20:20:22 EDT 2005
On Sep 9, 2005, at 20:10, Jeffrey Altman wrote:
> MIT has already implemented this functionality.
> We added
>
> [libdefaults]
> rdns = {no, yes}
>
> It currently defaults to "on" but can be turned off in the profile.
No, this is different functionality.
MIT's current code does basically this:
1) get hostname from user/app
2) call getaddrinfo on hostname
3) pull out ai_canonname, the canonical name, if non-null
4) if rdns=yes:
   a) call getnameinfo(NI_NAMEREQD) on first address
   b) if successful, use returned name
What Andrew's proposing basically cuts this off after step 1. The
user provides a name, we drop it into a principal and send it off to
the KDC.
It sounds like a good thing, except ... if a host is being a Samba
client, does that mean it's talking to the AD for all its Kerberos
communication? It won't be talking to, say, an MIT KDC that expects a
fully qualified canonical name to be used in the principal name?
Changing /etc/krb5.conf will affect all Kerberos applications on the
machine; if that's not the right result, then Samba would need its
own config file, or we should use a different way to switch it off.
BTW, Andrew's original message seems to conflate "canonical" and
"fully qualified" names. A name can be fully qualified without being
canonical. I assumed from his description that he wants any sort of
name lookup and transformation shut off....
Ken
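The four-step lookup described above, with the rdns switch and the "stop after step 1" variant, written out as an added Python example (not MIT's code); socket.getaddrinfo/getnameinfo wrap the same C calls, and the resolver functions are injectable so the logic can be exercised offline with constructed answers.

```python
import socket


def _default_resolve(hostname):
    """Steps 2-3: getaddrinfo(AI_CANONNAME); return (canonname or None, first sockaddr)."""
    try:
        results = socket.getaddrinfo(hostname, None, flags=socket.AI_CANONNAME)
    except socket.gaierror:
        return None, None
    if not results:
        return None, None
    _family, _type, _proto, canonname, sockaddr = results[0]
    return (canonname or None), sockaddr


def _default_reverse(sockaddr):
    """Step 4a: getnameinfo(NI_NAMEREQD) on the first address; None if it fails."""
    try:
        host, _port = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
    except socket.gaierror:
        return None
    return host


def canonicalise(hostname, rdns=True, canonicalize=True,
                 resolve=None, reverse=None):
    """Return the host part that goes into the service principal.

    canonicalize=False is the proposed behaviour: the name the user or
    application supplied is used as-is (step 1 only).  rdns mirrors the
    [libdefaults] rdns setting.  resolve/reverse default to the real
    socket calls; pass fakes to run without DNS.
    """
    if not canonicalize:
        return hostname
    resolve = resolve or _default_resolve
    reverse = reverse or _default_reverse
    canonname, first_addr = resolve(hostname)
    name = canonname or hostname          # step 3: keep user name if no canonname
    if rdns and first_addr is not None:   # step 4: reverse lookup of first address
        rname = reverse(first_addr)       # note: this trusts the PTR record the
        if rname:                         # address owner publishes
            name = rname
    return name


def service_principal(service, hostname, realm, **lookup_options):
    """Build service/host@REALM using whichever lookup policy is selected."""
    return f"{service}/{canonicalise(hostname, **lookup_options)}@{realm}"
```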