Proposed Behavior change: don't fail when krb5_sname_to_principal cannot canonicalize input

Sam Hartman hartmans at MIT.EDU
Fri Oct 14 14:28:01 EDT 2011

>>>>> "Tom" == Tom Yu <tlyu at MIT.EDU> writes:

    Tom> Greg Hudson <ghudson at MIT.EDU> writes:
    >> I'm not really opposed to this, although one could argue that
    >> host/foo.searchdomain is a better guess than host/foo in the
    >> absence of DNS (when foo contains no dots).  But that assumes we
    >> can find out the search domain (which might be easier than we
    >> used to think, but we don't have a facility for it at the moment)
    >> and begs the question of what happens when there are multiple
    >> search domains.

    Tom> Is there any way to securely deal with multiple search domains?

No, RFC 4120 tells you not to deal with multiple search domains.

More information about the krbdev mailing list