Turning off hostname canonicalisation

Andrew Bartlett abartlet at samba.org
Sat Sep 10 01:12:12 EDT 2005

On Fri, 2005-09-09 at 23:54 -0400, Jeffrey Hutzelman wrote:
> On Friday, September 09, 2005 21:00:52 -0400 Jeffrey Altman 
> <jaltman at mit.edu> wrote:
> > Andrew Bartlett wrote:
> >
> >> How are MIT/Heimdal realms coping with windows clients, which I presume
> >> don't do such fqdn resolution.  Is the concept of servicePrincipalName
> >> spreading to cope, or are there just multiple principals and keytab
> >> entries being created?
> >
> > Currently, large numbers of principal names and keytab entries are being
> > created to deal with this issue.
> Someday, I'd love to see MIT and/or Heimdal add real principal name 
> aliasing, which would allow better handling for this case than is currently 
> possible.  As to whether any of the implementors are likely to spend time 
> on it, I don't know.

Samba4 already has this feature (naturally, given we are after AD
behaviour), but the more useful point I wanted to make is that I didn't
find it hard to add, particularly to an ldap-like backend (you just
search for one of any of the names on a record).

> I very much support the idea of a libdefaults setting to turn of DNS 
> resolution entirely.  Among other things, this would allow compliance with 
> RFC4120 section 1.3, which says:
>    Implementations of Kerberos and protocols based on Kerberos MUST NOT
>    use insecure DNS queries to canonicalize the hostname components of
>    the service principal names (i.e., they MUST NOT use insecure DNS
>    queries to map one name to another to determine the host part of the
>    principal name with which one is to communicate).
> However, I object to the name proposed by Andrew, on the grounds that a 
> significant portion of users are likely to misspell it, due to a systematic 
> difference in spelling between British and American English (In American 
> English, we spell -ize with a 'z').
> Since a misspelling would result in unintended and potentially insecure 
> behavior (depending on which setting is the default) and would not trigger 
> an error message, let's pick a name which does not have this problem.



Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20050910/60a8fbd8/attachment.bin

More information about the krbdev mailing list