Preliminary discussion: DB alias entries

Greg Hudson ghudson at MIT.EDU
Tue Mar 10 23:33:11 EDT 2009

On Tue, 2009-03-10 at 21:26 -0500, Nicolas Williams wrote:
> On Tue, Mar 10, 2009 at 10:16:32PM -0400, Greg Hudson wrote:
> > For service principals I believe this level of support is sufficient as
> > is, because we don't canonicalize service principal names anyway.  Does
> > that seem accurate?
> Yes.  Has it been tested?

Just did that now.  You can't actually add an alias with addprinc -x
dn=... because the addprinc LDAP code refuses to touch an already
kerberized entry, but if you add other principals to a service key by
hand with ldapmodify, you can get service tickets under the other names
and they will work against a keytab with the original name (using
sclient and sserver as test cases).

More information about the krbdev mailing list