Turning off hostname canonicalisation
abartlet at samba.org
Sat Sep 10 01:12:12 EDT 2005
On Fri, 2005-09-09 at 23:54 -0400, Jeffrey Hutzelman wrote:
> On Friday, September 09, 2005 21:00:52 -0400 Jeffrey Altman
> <jaltman at mit.edu> wrote:
> > Andrew Bartlett wrote:
> >> How are MIT/Heimdal realms coping with windows clients, which I presume
> >> don't do such fqdn resolution. Is the concept of servicePrincipalName
> >> spreading to cope, or are there just multiple principals and keytab
> >> entries being created?
> > Currently, large numbers of principal names and keytab entries are being
> > created to deal with this issue.
> Someday, I'd love to see MIT and/or Heimdal add real principal name
> aliasing, which would allow better handling for this case than is currently
> possible. As to whether any of the implementors are likely to spend time
> on it, I don't know.
Samba4 already has this feature (naturally, given we are after AD
behaviour), but the more useful point I wanted to make is that I didn't
find it hard to add, particularly to an LDAP-like backend (you just
search for one of any of the names on a record).
> I very much support the idea of a libdefaults setting to turn off DNS
> resolution entirely. Among other things, this would allow compliance with
> RFC4120 section 1.3, which says:
> Implementations of Kerberos and protocols based on Kerberos MUST NOT
> use insecure DNS queries to canonicalize the hostname components of
> the service principal names (i.e., they MUST NOT use insecure DNS
> queries to map one name to another to determine the host part of the
> principal name with which one is to communicate).
> However, I object to the name proposed by Andrew, on the grounds that a
> significant portion of users are likely to misspell it, due to a systematic
> difference in spelling between British and American English (In American
> English, we spell -ize with a 'z').
> Since a misspelling would result in unintended and potentially insecure
> behavior (depending on which setting is the default) and would not trigger
> an error message, let's pick a name which does not have this problem.
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
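The misspelling hazard raised above (a wrongly spelled libdefaults key is ignored without any error, leaving DNS canonicalisation switched on) can be caught by linting krb5.conf before it is deployed. The following Python checker is an added illustration, not code from the thread or from MIT/Heimdal; it assumes the key names `dns_canonicalize_hostname` and `rdns` as current MIT krb5 spells them, a deliberately partial list of accepted keys, and a constructed sample configuration.

```python
import difflib
import re
# Constructed sample krb5.conf: the British "-ise" spelling in [libdefaults]
# is exactly the silent, never-reported mistake the thread warns about.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_canonicalise_hostname = false
    rdns = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Accepted [libdefaults] keys: a partial list of current MIT krb5 names
# (assumption: extend it to the keys your installation actually uses).
KNOWN_LIBDEFAULTS = sorted({"default_realm", "dns_canonicalize_hostname", "rdns",
                            "dns_lookup_kdc", "dns_lookup_realm", "forwardable"})

def parse_section(text, section):
    """Return {key: value} for the top-level key = value lines of [section]."""
    current, result = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line and not line.endswith("{"):
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result

def lint_libdefaults(text):
    """Return (warnings, canonicalisation_disabled) for a krb5.conf string."""
    settings = parse_section(text, "libdefaults")
    warnings = []
    for key in settings:
        if key not in KNOWN_LIBDEFAULTS:
            hint = difflib.get_close_matches(key, KNOWN_LIBDEFAULTS, n=1, cutoff=0.8)
            msg = f"unknown [libdefaults] key '{key}' is silently ignored"
            warnings.append(msg + (f"; did you mean '{hint[0]}'?" if hint else ""))
    # MIT krb5 defaults this key to true, so an absent or misspelled key leaves
    # DNS canonicalisation switched on (contrary to RFC 4120 section 1.3).
    disabled = settings.get("dns_canonicalize_hostname", "true").lower() in ("false", "no", "0")
    if not disabled:
        warnings.append("dns_canonicalize_hostname is not false: service hostnames "
                        "are still canonicalised through insecure DNS lookups")
    return warnings, disabled
```

Running `lint_libdefaults(SAMPLE_KRB5_CONF)` flags the misspelled key with a suggested correction and reports that canonicalisation is still enabled; with the spelling corrected it returns no warnings.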