Patch to ignore service principals when accepting connexions.
Simo Sorce
ssorce at redhat.com
Thu Aug 26 08:21:01 EDT 2010
On Wed, 25 Aug 2010 20:48:36 -0400
Sam Hartman <hartmans at MIT.EDU> wrote:
> How far along would a patch that simply made krb5_rd_req not care
> about the second component (hostname) of a principal go to address
> your needs? Do you need cases where the realm mismatches or where the
> application asked for nfs and you really want imap?
I know of at least one case CIFS file serving. CIFS clients may try to
use one of these 2 names for host foo.example.com:
foo$@EXAMPLE.COM and cifs/foo.example.com at EXAMPLE.COM
And I think it is not unheard of seeing
host/foo.example.com at EXAMPLE.COM too, the reason is that in AD each
machine has a truckload of aliases all applied to the same key
material...
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the krbdev
mailing list