Proposed Behavior change: don't fail when krb5_sname_to_principal cannot canonicalize input

Sam Hartman hartmans at MIT.EDU
Fri Oct 14 16:47:28 EDT 2011


>>>>> "Nico" == Nico Williams <nico at cryptonector.com> writes:

    Nico> On Fri, Oct 14, 2011 at 1:21 PM, Tom Yu <tlyu at mit.edu> wrote:
    >> Greg Hudson <ghudson at MIT.EDU> writes:
    >>> I'm not really opposed to this, although one could argue that
    >>> host/foo.searchdomain is a better guess than host/foo in the
    >>> absence of DNS (when foo contains no dots).  But that
    >>> assumes we can find out the search domain (which might be easier
    >>> than we used to think, but we don't have a facility for it at
    >>> the moment) and begs the question of what happens when there are
    >>> multiple search domains.

    Nico> Windows has an interface that allows you to find out what the
    Nico> resolver's search list is.  On Unix I assume that the BIND
    Nico> resolver -or, in the worst case, reading resolv.conf directly-
    Nico> will always be there.

I don't have a problem if someone proposes updating my patch with
single search entry support.  (It's possible to do multiple search
entries against a KDC with significantly more code restructuring.)
However, it's sounding like people agree that the patch would be an
improvement and doesn't sound like it creates trouble for things we want
or might want in the future.

--Sam


