Turning off hostname canonicalisation
Nicolas Williams
Nicolas.Williams at sun.com
Mon Sep 12 17:24:41 EDT 2005
On Mon, Sep 12, 2005 at 04:03:44PM -0400, Jeffrey Hutzelman wrote:
>
>
> On Monday, September 12, 2005 03:24:08 PM -0400 Sam Hartman
> <hartmans at mit.edu> wrote:
>
> >>>>>>"Andrew" == Andrew Bartlett <abartlet at samba.org> writes:
> >
> > Andrew> On Fri, 2005-09-09 at 21:00 -0400, Jeffrey Altman wrote:
> > >> Andrew Bartlett wrote:
> > >>
> > >> > How are MIT/Heimdal realms coping with windows clients, which
> > >> > I presume don't do such fqdn resolution. Is the concept of
> > >> > servicePrincipalName spreading to cope, or are there just
> > >> > multiple principals and keytab entries being created?
> > >>
> > >> Currently, large numbers of principal names and keytab entries
> > >> are being created to deal with this issue.
> >
> > Andrew> Likewise, is there any move to at least allow case
> > Andrew> insensitivity in principal names or keytab entries? I
> > Andrew> know the Samba patch to allow this (in the member server,
> > Andrew> presumably for an AD KDC) is pretty ugly...
> >
> >We're going to do whatever the Kerberos working group ends up doing.
> >I don't think anyone has proposed case insensitivity there although
> >there has been a proposal to ask the KDC for a list of names by which
> >the current service can be known.
>
> The current Kerberos specification contains nothing which would prevent a
> KDC from allowing a service to be known by multiple "aliases", such that it
> will issue tickets for any of those aliases using the same key. It is my
> understanding that this is essentially how AD SPN's work, and I'd be very
> happy to see a similar feature in other KDC's.
>
> I would consider case-insensitive lookups of service principals in the KDB
> to be an example of such aliases, provided the ticket issued by the KDC
> uses the same case as the request. Normally I would see little value in
> such functionality, as existing specifications do recommend case-folding of
> hostnames before they are used to construct service principal names.
> Nonetheless, if there are clients widely deployed which do not do this, it
> would seem useful for KDC's to have such a feature, and I do not believe it
> would be in conflict with the Kerberos spec.
>
>
> As far as case-insensitive matching in keytab files goes, I don't think
> that's an issue for standardization at all. The choice of what service
> principals to use is entirely up to the application protocol and its
> implementations. I would be disappointed to see implementations in which
> case-insensitive matching of keytab entries could not be disabled.
The proposed set/change password version 2 protocol deals with principal
aliasing...
Nico
--
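An added illustration, not code from this thread or from any Kerberos implementation: a toy model of the two lookups discussed above. The client folds the hostname before building the service principal, and a KDC or keytab lookup folds only the host instance, only when that is switched on, and hands back the name in the spelling the request used (the aliasing behaviour Hutzelman describes). All principal names and the key value are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Principal:
    service: str
    instance: str  # the hostname for host-based services (host/, cifs/, nfs/)
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, _, realm = text.rpartition("@")
        service, _, instance = name.partition("/")
        if not (service and instance and realm):
            raise ValueError(f"not a host-based principal: {text!r}")
        return cls(service, instance, realm)

def canonical_service_principal(service: str, hostname: str, realm: str) -> Principal:
    """Client side: fold the FQDN to lower case and drop a trailing dot before
    building the name, as the specifications recommend."""
    return Principal(service, hostname.rstrip(".").lower(), realm)

def matches(wanted: Principal, entry: Principal, fold_instance: bool) -> bool:
    """Service and realm are compared exactly; only the host instance is
    folded, and only when the caller switches folding on."""
    if wanted.service != entry.service or wanted.realm != entry.realm:
        return False
    if fold_instance:
        return wanted.instance.lower() == entry.instance.lower()
    return wanted.instance == entry.instance

def lookup(table: Dict[str, bytes], requested: str,
           fold_instance: bool) -> Optional[Tuple[str, bytes]]:
    """Resolve a requested name against a name -> key table (a KDB whose
    aliases share one key, or a keytab).  A hit returns the key with the
    *requested* spelling, so the ticket keeps the case the client used."""
    wanted = Principal.parse(requested)
    for name, key in table.items():
        if matches(wanted, Principal.parse(name), fold_instance):
            return requested, key
    return None

# Constructed sample KDB: host/ and cifs/ aliases share one key, as AD SPNs do.
FS_KEY = b"constructed-placeholder-key"
KDB: Dict[str, bytes] = {
    "host/fileserver.example.com@EXAMPLE.COM": FS_KEY,
    "cifs/fileserver.example.com@EXAMPLE.COM": FS_KEY,
}
```

The same `lookup` with `fold_instance=False` models a keytab whose case-insensitive matching has been disabled, which is the behaviour the thread asks to remain available.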