Proposed Behavior change: don't fail when krb5_sname_to_principal cannot canonicalize input
Sam Hartman
hartmans at MIT.EDU
Fri Oct 14 14:28:01 EDT 2011

>>>>> "Tom" == Tom Yu <tlyu at MIT.EDU> writes:
    Tom> Greg Hudson <ghudson at MIT.EDU> writes:
    >> I'm not really opposed to this, although one could argue that
    >> host/foo.searchdomain is a better guess than host/foo in the
    >> absence of DNS (when foo contains no dots).  But that assumes we
    >> can find out the search domain (which might be easier than we
    >> used to think, but we don't have a facility for it at the moment)
    >> and begs the question of what happens when there are multiple
    >> search domains.
    Tom> Is there any way to securely deal with multiple search domains?
No, RFC 4120 tells you not to deal with multiple search domains.
    
    