Turning off hostname canonicalisation

Jeffrey Altman jaltman at MIT.EDU
Fri Sep 9 20:34:13 EDT 2005


Ken Raeburn wrote:
> On Sep 9, 2005, at 20:10, Jeffrey Altman wrote:
> 
>> MIT has already implemented this functionality.
>> We added
>>
>> [libdefaults]
>>   rdns = {no, yes}
>>
>> It currently defaults to "on" but can be turned off in the profile.
> 
> 
> No, this is different functionality.
> 
> MIT's current code does basically this:
> 
>   1) get hostname from user/app
>   2) call getaddrinfo on hostname
>   3) pull out ai_canonname, the canonical name, if non-null
>   4) if rdns=yes:
>     a) call getnameinfo(NI_NAMEREQD) on first address
>     b) if successful, use returned name
> 
> What Andrew's proposing basically cuts this off after step 1.  The user
> provides a name, we drop it into a principal and send it off to the KDC.
> 
> It sounds like a good thing, except ... if a host is being a Samba
> client, does that mean it's talking to the AD for all its Kerberos
> communication?  It won't be talking to, say, an MIT KDC that expects
> fully qualified canonical name to be used in the principal name?
> Changing /etc/krb5.conf will affect all Kerberos applications on the
> machine; if that's not the right result, then Samba would need its own
> config file, or we should use a different way to switch it off.
> 
> BTW, Andrew's original message seems to conflate "canonical" and "fully
> qualified" names.  A name can be fully qualified without being
> canonical.  I assumed from his description that he wants any sort of
> name lookup and transformation shut off....
> 
> Ken


You are correct.  The "rdns" addition we made allows the configuration
to disable the worst of the hacks.

I agree that we should have the ability to disable this after step 1
as well.  There is a need for an application to be able to state
explicitly what the hostname should be.  Especially in the Windows world,
which often relies on the first component of the hostname as obtained
via a NetBIOS lookup, not a DNS lookup.

Jeffrey Altman
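The lookup sequence Ken lists above, written out as an added Python illustration (not MIT's libkrb5 code): `canonicalize=False` is the "stop after step 1" behaviour under discussion, `rdns` mirrors the profile setting, and a constructed in-memory resolver stands in for DNS so the example runs offline. It shows why the reverse step matters: with rdns on, whoever controls the PTR record for the address decides which service principal the client asks the KDC for.

```python
import socket
from typing import Callable

# Added illustration of the lookup sequence described in the thread; not
# MIT's code. canonicalize=False is the proposed "stop after step 1" mode.

def canonicalize_host(hostname: str, *, canonicalize: bool = True,
                      rdns: bool = True,
                      getaddrinfo: Callable = socket.getaddrinfo,
                      getnameinfo: Callable = socket.getnameinfo) -> str:
    """Return the host component to place in a service principal."""
    # Step 1: the name exactly as supplied by the user/application.
    if not canonicalize:
        return hostname
    # Steps 2-3: forward lookup; take ai_canonname from the first result.
    try:
        results = getaddrinfo(hostname, None, 0, socket.SOCK_STREAM, 0,
                              socket.AI_CANONNAME)
    except socket.gaierror:
        return hostname
    name = results[0][3] or hostname   # ai_canonname may be empty
    if not rdns:
        return name
    # Step 4 (rdns=yes): reverse lookup on the first address; if it
    # succeeds the PTR name replaces the forward name. That record is
    # controlled by whoever owns the reverse zone, not by the client.
    try:
        name, _ = getnameinfo(results[0][4], socket.NI_NAMEREQD)
    except socket.gaierror:
        pass
    return name

def service_principal(service: str, hostname: str, realm: str, **opts) -> str:
    return f"{service}/{canonicalize_host(hostname, **opts)}@{realm}"

# Constructed offline resolver: a short name whose forward record is
# canonical but whose PTR record points at a different host entirely.
_FORWARD = {"fileserver": ("fileserver.example.com", ("192.0.2.10", 0))}
_REVERSE = {"192.0.2.10": "other-box.example.net"}

def fake_getaddrinfo(host, *args, **kwargs):
    if host not in _FORWARD:
        raise socket.gaierror(-2, "Name or service not known")
    canon, sockaddr = _FORWARD[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, canon, sockaddr)]

def fake_getnameinfo(sockaddr, flags):
    return _REVERSE[sockaddr[0]], "0"

FAKE = dict(getaddrinfo=fake_getaddrinfo, getnameinfo=fake_getnameinfo)
```

Drop the `FAKE` keyword arguments to run the same three modes against the real resolver on a host of your choosing.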