Preliminary discussion: DB alias entries

Greg Hudson ghudson at MIT.EDU
Tue Mar 10 23:33:11 EDT 2009


On Tue, 2009-03-10 at 21:26 -0500, Nicolas Williams wrote:
> On Tue, Mar 10, 2009 at 10:16:32PM -0400, Greg Hudson wrote:
> > For service principals I believe this level of support is sufficient as
> > is, because we don't canonicalize service principal names anyway.  Does
> > that seem accurate?
> 
> Yes.  Has it been tested?

Just did that now.  You can't actually add an alias with addprinc -x
dn=... because the addprinc LDAP code refuses to touch an already
kerberized entry, but if you add other principals to a service key by
hand with ldapmodify, you can get service tickets under the other names
and they will work against a keytab with the original name (using
sclient and sserver as test cases).




