Turning off hostname canonicalisation

Markus Moeller huaraz at moeller.plus.com
Sat Sep 10 09:00:43 EDT 2005

Sorry, I couldn't follow the whole discussion about canonicalisation. I have 
in my apps also issues with canonicalisation and would like to understand if your 
discussion would help me too. Where does the canonicalisation take place in 
your case? In my case the canonicalisation is done when calling 
gss_import_name with type GSS_C_NT_HOSTBASED_SERVICE and the gss service 
name service@hostname, but if I use GSS_C_NULL_OID then I have to provide the 
correct Kerberos principal, as no canonicalisation is performed. So there is 
no need for a global krb5.conf flag, or are there other places where 
canonicalisation is done inside the Kerberos code?

The other issue I see in enterprise environments is the use of CNAMEs and 
Global Server Load Balancing for load balancing, disaster recovery or simple 
failover. In these cases canonicalisation is very useful since you wouldn't 
need to synchronise keytabs on different systems. (It may not be as secure, 
but you could mitigate the risk in other ways.)

A-record host1.test.com

CNAME app.test.com   host1.test.com

If I now access app.test.com the canonicalisation gives me host1.test.com 
and I need a keytab of service/host1.test.com on host host1. In the disaster 
case the CNAME changes to (GSLB would do this automatically)

CNAME app.test.com host2.test.com

and I need a keytab with service/host2.test.com on host2. Without 
canonicalisation I would need to create a keytab for app.test.com and 
distribute it to every system, which can be painful in a bigger environment. So 
I see a need to keep canonicalisation on a service-by-service basis and not 
as a global switch.

Thank you

----- Original Message ----- 
From: "Andrew Bartlett" <abartlet at samba.org>
To: "Jeffrey Altman" <jaltman at mit.edu>
Cc: <heimdal-discuss at sics.se>; <krbdev at mit.edu>
Sent: Saturday, September 10, 2005 11:41 AM
Subject: Re: Turning off hostname canonicalisation
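The CNAME/GSLB scenario in the message above, as an added example written for this page (it is not code from the original post and not part of the MIT krb5 or Heimdal code base). It models, in Python, what GSS_C_NT_HOSTBASED_SERVICE canonicalisation does to the service principal a client ends up requesting, using constructed zone tables in place of real DNS. Assumptions: the realm TEST.COM, the service name host, the three zone states (normal, after a GSLB failover, and one where an attacker who can rewrite DNS has pointed the CNAME at an invented rogue.test.com), and the helper names canonical_host, service_principal and keytab_plan are all made up for the illustration.

```python
# Added example (not from the original post, not krb5/Heimdal source):
# a small model of what GSS_C_NT_HOSTBASED_SERVICE canonicalisation does to
# the principal a client asks for, run over constructed zone tables instead
# of real DNS.

REALM = "TEST.COM"   # assumed realm for the example
SERVICE = "host"     # assumed GSS service name, i.e. "host@app.test.com"

# Constructed zone data: owner name -> (record type, value).
ZONE_NORMAL = {
    "app.test.com":   ("CNAME", "host1.test.com"),
    "host1.test.com": ("A", "192.0.2.10"),
    "host2.test.com": ("A", "192.0.2.11"),
}
# Same zone after a GSLB failover repoints the CNAME at the second backend.
ZONE_FAILOVER = dict(ZONE_NORMAL, **{"app.test.com": ("CNAME", "host2.test.com")})
# Same zone after someone who controls the DNS answer injects their own target
# (rogue.test.com is invented for the example).
ZONE_SPOOFED = dict(ZONE_NORMAL, **{
    "app.test.com":   ("CNAME", "rogue.test.com"),
    "rogue.test.com": ("A", "198.51.100.7"),
})


def canonical_host(name, zone, max_hops=8):
    """Follow the CNAME chain to the owner of the A record, the way a resolver
    does for an AI_CANONNAME lookup.  Raises LookupError on a missing record
    or a CNAME loop."""
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        rtype, value = zone.get(name, (None, None))
        if rtype == "A":
            return name
        if rtype == "CNAME":
            name = value.lower().rstrip(".")
            continue
        raise LookupError(f"no A or CNAME record for {name}")
    raise LookupError("CNAME chain too long (loop?)")


def service_principal(service, hostname, zone, canonicalise=True):
    """Principal the client will request a service ticket for.

    canonicalise=True  models GSS_C_NT_HOSTBASED_SERVICE: the library resolves
                       the hostname and substitutes the canonical name.
    canonicalise=False models the GSS_C_NULL_OID path: the caller supplied the
                       principal itself and no DNS lookup takes place.
    """
    host = canonical_host(hostname, zone) if canonicalise else hostname.lower()
    return f"{service}/{host}@{REALM}"


def keytab_plan(service, alias, zones, canonicalise=True):
    """Which principal each backend must hold in its keytab so that clients
    contacting `alias` succeed in every zone state listed."""
    plan = {}
    for zone in zones:
        backend = canonical_host(alias, zone)
        princ = service_principal(service, alias, zone, canonicalise)
        plan.setdefault(backend, set()).add(princ)
    return plan


if __name__ == "__main__":
    for label, zone in (("normal", ZONE_NORMAL), ("failover", ZONE_FAILOVER),
                        ("spoofed", ZONE_SPOOFED)):
        print(f"{label:9s} canonicalised ->",
              service_principal(SERVICE, "app.test.com", zone))
    print("no canon. ->", service_principal(SERVICE, "app.test.com", ZONE_NORMAL, False))
    print("keytabs, canonicalised:",
          keytab_plan(SERVICE, "app.test.com", [ZONE_NORMAL, ZONE_FAILOVER]))
    print("keytabs, not canonicalised:",
          keytab_plan(SERVICE, "app.test.com", [ZONE_NORMAL, ZONE_FAILOVER], False))
```

The two keytab plans show the trade-off: with canonicalisation each backend only needs its own host key, without it every backend that the alias can point to needs a copy of the host/app.test.com key. The spoofed zone shows the price of the first option: when the principal is derived from DNS, whoever can rewrite the CNAME chooses which service key the client's ticket is encrypted to, so the resolver path becomes part of the trusted computing base. (For reference, later MIT krb5 releases expose the global switch discussed in this thread as the dns_canonicalize_hostname setting in the [libdefaults] section of krb5.conf.)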
