Turning off hostname canonicalisation
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Sep 12 16:03:44 EDT 2005
On Monday, September 12, 2005 03:24:08 PM -0400 Sam Hartman
<hartmans at mit.edu> wrote:
>>>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:
>
> Andrew> On Fri, 2005-09-09 at 21:00 -0400, Jeffrey Altman wrote:
> >> Andrew Bartlett wrote:
> >>
> >> > How are MIT/Heimdal realms coping with windows clients, which
> >> > I presume don't do such fqdn resolution. Is the concept of
> >> > servicePrincipalName spreading to cope, or are there just
> >> > multiple principals and keytab entries being created?
> >>
> >> Currently, large numbers of principal names and keytab entries
> >> are being created to deal with this issue.
>
> Andrew> Likewise, is there any move to at least allow case
> Andrew> insensitivity in principal names or keytab entries? I
> Andrew> know the Samba patch to allow this (in the member server,
> Andrew> presumably for an AD KDC) is pretty ugly...
>
> We're going to do whatever the Kerberos working group ends up doing.
> I don't think anyone has proposed case insensitivity there although
> there has been a proposal to ask the KDC for a list of names by which
> the current service can be known.
The current Kerberos specification contains nothing which would prevent a
KDC from allowing a service to be known by multiple "aliases", such that it
will issue tickets for any of those aliases using the same key. It is my
understanding that this is essentially how AD SPNs work, and I'd be very
happy to see a similar feature in other KDCs.
I would consider case-insensitive lookups of service principals in the KDB
to be an example of such aliases, provided the ticket issued by the KDC
uses the same case as the request. Normally I would see little value in
such functionality, as existing specifications do recommend case-folding of
hostnames before they are used to construct service principal names.
Nonetheless, if there are clients widely deployed which do not do this, it
would seem useful for KDCs to have such a feature, and I do not believe it
would be in conflict with the Kerberos spec.
As far as case-insensitive matching in keytab files goes, I don't think
that's an issue for standardization at all. The choice of what service
principals to use is entirely up to the application protocol and its
implementations. I would be disappointed to see implementations in which
case-insensitive matching of keytab entries could not be disabled.
-- Jeff
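The three behaviours discussed in this message (case-folding and FQDN canonicalisation of the hostname before a service principal is built, a KDC-side alias lookup that shares one key across spellings but echoes the requested name back, and keytab matching where case-insensitivity is an application choice that can be switched off) can be seen side by side in the following added example. It is illustrative Python, not MIT Kerberos, Heimdal or Samba code; the FAKE_DNS table, the KDB dictionary and the KEYTAB entries are constructed sample data, and the function names are this example's own.

```python
"""Illustrative example: hostname canonicalisation, KDC aliasing and keytab
case handling for host-based Kerberos service principals.

Added example, not code from any Kerberos implementation.  All tables below
are constructed sample data."""

from typing import NamedTuple, Optional, Tuple

# Constructed stand-in for forward DNS resolution.  A canonicalising client
# resolves the user-supplied host to its FQDN before naming the service; a
# client that does not canonicalise uses the name as the user typed it.
FAKE_DNS = {
    "mail": "mail.example.org",
    "mail.example.org": "mail.example.org",
}


def build_host(host: str, casefold: bool = True, canonicalise: bool = True) -> str:
    """Strip a trailing dot, optionally case-fold, optionally resolve to FQDN."""
    h = host.rstrip(".")
    if casefold:
        h = h.lower()                       # the case-folding the specs recommend
    if canonicalise:
        h = FAKE_DNS.get(h.lower(), h)      # unknown names are left as given
    return h


def service_principal(service: str, host: str, realm: str,
                      casefold: bool = True, canonicalise: bool = True) -> str:
    """service/host@REALM, with the client-side host handling selected."""
    return f"{service}/{build_host(host, casefold, canonicalise)}@{realm}"


class Principal(NamedTuple):
    service: str
    host: str
    realm: str


def parse_principal(name: str) -> Principal:
    """Split 'service/host@REALM'; only the two-component host-based form."""
    local, realm = name.rsplit("@", 1)
    service, host = local.split("/", 1)
    return Principal(service, host, realm)


# Constructed KDB: one key per canonical service name.
KDB = {
    "host/mail.example.org@EXAMPLE.ORG": b"\x11" * 16,
}


def kdb_lookup(requested: str, case_insensitive_alias: bool = False
               ) -> Optional[Tuple[str, bytes]]:
    """KDC-side lookup.  With aliasing on, service and host match
    case-insensitively but the name returned is the one requested, so the
    ticket carries the client's spelling.  The realm is always exact."""
    req = parse_principal(requested)
    for stored_name, key in KDB.items():
        st = parse_principal(stored_name)
        if st.realm != req.realm:
            continue
        if (st.service, st.host) == (req.service, req.host):
            return requested, key
        if case_insensitive_alias and \
                (st.service.lower(), st.host.lower()) == (req.service.lower(), req.host.lower()):
            return requested, key
    return None


# Constructed keytab entries: (principal, kvno, key).
KEYTAB = [
    ("host/mail.example.org@EXAMPLE.ORG", 3, b"\x11" * 16),
    ("HTTP/mail.example.org@EXAMPLE.ORG", 2, b"\x22" * 16),
]


def keytab_find(principal: str, case_insensitive: bool = False
                ) -> Optional[Tuple[str, int, bytes]]:
    """Service-side keytab lookup.  Exact matching is the default; the
    case-insensitive mode is an application-level option that can be turned
    off.  The realm is always compared exactly."""
    want = parse_principal(principal)
    for name, kvno, key in KEYTAB:
        have = parse_principal(name)
        if have.realm != want.realm:
            continue
        a = (have.service, have.host)
        b = (want.service, want.host)
        if case_insensitive:
            a = (a[0].lower(), a[1].lower())
            b = (b[0].lower(), b[1].lower())
        if a == b:
            return name, kvno, key
    return None


if __name__ == "__main__":
    # Canonicalising client: short name, mixed case -> FQDN, lower case.
    print(service_principal("host", "MAIL", "EXAMPLE.ORG"))
    # Non-canonicalising, non-folding client: the name goes out as typed.
    print(service_principal("host", "MAIL.Example.ORG", "EXAMPLE.ORG",
                            casefold=False, canonicalise=False))
    # KDC without aliases rejects the second spelling; with aliases it issues
    # for the requested name using the same key.
    print(kdb_lookup("host/MAIL.Example.ORG@EXAMPLE.ORG"))
    print(kdb_lookup("host/MAIL.Example.ORG@EXAMPLE.ORG", case_insensitive_alias=True))
    # Keytab: strict by default, opt-in case-insensitive.
    print(keytab_find("http/mail.example.org@EXAMPLE.ORG"))
    print(keytab_find("http/mail.example.org@EXAMPLE.ORG", case_insensitive=True))
```

Realm names are deliberately never case-folded in either lookup, since the message is only about the host (and, for Windows-style SPNs, service) component; whether an aliasing KDC should also fold the service name is a policy decision this example exposes as a single comparison line, not something the thread settles.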