Turning off hostname canonicalisation
Nicolas.Williams at sun.com
Mon Sep 12 17:24:41 EDT 2005
On Mon, Sep 12, 2005 at 04:03:44PM -0400, Jeffrey Hutzelman wrote:
> On Monday, September 12, 2005 03:24:08 PM -0400 Sam Hartman
> <hartmans at mit.edu> wrote:
> >>>>>>"Andrew" == Andrew Bartlett <abartlet at samba.org> writes:
> > Andrew> On Fri, 2005-09-09 at 21:00 -0400, Jeffrey Altman wrote:
> > >> Andrew Bartlett wrote:
> > >>
> > >> > How are MIT/Heimdal realms coping with windows clients, which
> > >> I presume > don't do such fqdn resolution. Is the concept of
> > >> servicePrincipalName > spreading to cope, or are there just
> > >> multiple principals and keytab > entries being created?
> > >>
> > >> Currently, large numbers of principal names and keytab entries
> > >> are being created to deal with this issue.
> > Andrew> Likewise, is there any move to at least allow case
> > Andrew> insensitivity in principal names or keytab entries? I
> > Andrew> know the Samba patch to allow this (in the member server,
> > Andrew> presumably for an AD KDC) is pretty ugly...
> >We're going to do whatever the Kerberos working group ends up doing.
> >I don't think anyone has proposed case insensitivity there although
> >there has been a proposal to ask the KDC for a list of names by which
> >the current service can be known.
> The current Kerberos specification contains nothing which would prevent a
> KDC from allowing a service to be known by multiple "aliases", such that it
> will issue tickets for any of those aliases using the same key. It is my
> understanding that this is essentially how AD SPN's work, and I'd be very
> happy to see a similar feature in other KDC's.
> I would consider case-insensitive lookups of service principals in the KDB
> to be an example of such aliases, provided the ticket issued by the KDC
> uses the same case as the request. Normally I would see little value in
> such functionality, as existing specifications do recommend case-folding of
> hostnames before they are used to construct service principal names.
> Nonetheless, if there are clients widely deployed which do not do this, it
> would seem useful for KDC's to have such a feature, and I do not believe it
> would be in conflict with the Kerberos spec.
> As far as case-insensitive matching in keytab files goes, I don't think
> that's an issue for standardization at all. The choice of what service
> principals to use is entirely up to the application protocol and its
> implementations. I would be disappointed to see implementations in which
> case-insensitive matching of keytab entries could not be disabled.
The proposed set/change password version 2 protocol deals with principal
More information about the krbdev