Patch to ignore service principals when accepting connexions.

Roland C. Dowdeswell elric at imrryr.org
Wed Aug 25 21:40:32 EDT 2010


On Wed, Aug 25, 2010 at 09:33:07PM -0400, Sam Hartman wrote:
> I definitely agree that the forward/reverse resolution creates issues
> for acquire_cred.  There's a kind of annoying Debian bug open on this
> where the name you end up with depends on whether you have A records or
> just AAAA records.  Also, as you point out it is a source of failure.
> 
> So, I would like to express support for a configuration knob to ignore
> the hostname and to look into what we can do about acceptor-side use of
> DNS.

Is my proposed name ``check-service-instance'' reasonable or should
we settle on another name?  The reason that I ask is that I'd like
to be able to roll out the patch in my organisation in the next
few weeks and I'd rather use the final name in our configurations
to make upgrades easier.

And, yes, the DNS and its use discussion is quite large.  I'm
concerned about the use of DNS in general, especially the effect
that it has on the validity of mutual authentication, robustness,
etc.  This, however, is a more difficult topic and will take quite
a bit more thought.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/


