Jeffrey Altman jaltman at MIT.EDU
Tue Sep 13 14:53:01 EDT 2005

Ken Hornstein wrote:

>>So I'd like to understand why folks are using [appdefaults].  Sun's
>>need is fairly straightforward: "we had it before and can't
>>de-support it".  But how are sites actually using this feature?
> Fair enough.
> Some background:

From my perspective there is only one question that needs to be answered
in this discussion: are there settings that are being enforced on the
application by the Kerberos 5 libraries?  As far as I am aware, except
for 'login' all of the other [appdefault] settings you are using are
enforced by the application process explicitly reading data from the
profile.   There are no settings where the library says "oh the process
is 'telnet' therefore disable forwarding".   As such I don't think that
the discussion matters to us as Kerberos library implementors as it
does not affect the design of our libraries.

Ken has chosen to treat the krb5.conf file as the configuration file
for applications he bundles with Kerberos.   The choice of options that
he uses is a site local issue provided that they do not conflict with
the namespace used by the Kerberos libraries.   I believe that all we
need to do is document (whenever we get around to documenting anything)
that [appdefault] is an unmanaged name space that does not impact the
behavior of the Kerberos libraries when used by applications.

Jeffrey Altman
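
Added example, not part of the original message and not MIT Kerberos code: a simplified Python sketch of an application reading its own [appdefaults] settings, using the precedence documented for krb5.conf (application/realm, application, realm, global). The sample configuration, the realm EXAMPLE.COM and the helper names `parse_appdefaults` and `appdefault` are constructed for illustration.

```python
import re

# Constructed sample krb5.conf fragment (not from the original message).
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[appdefaults]
    forwardable = true
    EXAMPLE.COM = {
        forwardable = false
    }
    telnet = {
        forwardable = false
        EXAMPLE.COM = {
            forward = true
        }
    }
"""

def parse_appdefaults(text):
    """Parse only the [appdefaults] section into nested dicts (simplified grammar)."""
    root, stack, active = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            active, stack = section.group(1) == "appdefaults", [root]
            continue
        if not active:
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root

def appdefault(tree, app, realm, option, default):
    """Application-side lookup: app/realm, then app, then realm, then global."""
    app_scope = tree.get(app) if isinstance(tree.get(app), dict) else {}
    for scope in (app_scope.get(realm), app_scope, tree.get(realm), tree):
        if isinstance(scope, dict) and isinstance(scope.get(option), str):
            return scope[option]
    return default
```

The value only takes effect in a program that performs this lookup under its own name and acts on the result; a program that never asks is unaffected by anything in the section.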

