[31422] in Kerberos


Re: ldap principal aliases

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Aug 28 13:09:08 2009

From: Greg Hudson <ghudson@mit.edu>
To: Chris <lists@deksai.com>
In-Reply-To: <20090827234627.GA23653@chris-laptop.a2hosting.com>
Date: Fri, 28 Aug 2009 13:08:47 -0400
Message-Id: <1251479327.20047.263.camel@ray>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, 2009-08-27 at 19:46 -0400, Chris wrote:
> This is how I am trying to use this, and it doesn't seem to be working.  I
> can use the same queries I see going to the LDAP server manually as the
> KDC user, and they return the correct record, but the KDC always says it
> cannot find the service principal if I use an alias.  I see a spot in
> the code that will set the principal name if it sees both
> krbcanonicalname and the KRB5_KDB_FLAG_CANONICALIZE flag.  From what I
> think I read in the docs, this is supposed to be on for service
> principals by default.

How are you doing your test queries?  (For instance, if you're using
command line tools, what commands are you using?)  In general, the
expected behavior as I understand it is:

  kinit realname --> tgt
  kinit aliasname --> not-found error
  kinit -C aliasname --> tgt for realname
  kinit user; kvno realname --> service ticket for realname
  kinit user; kvno aliasname --> service ticket for realname (presented
as ticket for aliasname because we can't change the service name in a
TGS response)

But there's always the possibility of bugs.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
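As an added illustration (not code from this thread, and not MIT's KDB or LDAP back end), a small Python model of the alias rules Greg lists above: an entry is found by its canonical name or any alias, an AS request for an alias fails unless the client asked for canonicalization (kinit -C), and a TGS request for an alias yields a ticket for the real entry while keeping the requested service name. The entry layout, function names and sample principals are assumptions.

```python
# Added model of the alias handling described in the thread; not MIT krb5 code.
# Field names mirror the LDAP attributes mentioned in the thread
# (krbCanonicalName, krbPrincipalName); the directory contents are constructed.
from dataclasses import dataclass, field


@dataclass
class Entry:
    canonical: str                                 # krbCanonicalName
    aliases: list = field(default_factory=list)    # extra krbPrincipalName values


# Constructed sample directory: one service with an alias, one plain user.
DIRECTORY = [
    Entry("host/real.example.com@EXAMPLE.COM",
          ["host/alias.example.com@EXAMPLE.COM"]),
    Entry("user@EXAMPLE.COM"),
]


def lookup(name):
    """LDAP-style search: match the canonical name or any alias."""
    for e in DIRECTORY:
        if name == e.canonical or name in e.aliases:
            return e
    return None


def as_request(client, canonicalize=False):
    """AS exchange (kinit). Returns ('tgt', cname) or ('not-found', None)."""
    e = lookup(client)
    if e is None:
        return ("not-found", None)
    if client != e.canonical and not canonicalize:
        # Alias matched, but the client did not set the canonicalize flag,
        # so the KDC does not rewrite the name and the request fails.
        return ("not-found", None)
    return ("tgt", e.canonical)


def tgs_request(server):
    """TGS exchange (kvno). Returns (status, entry used, sname in the reply).

    The ticket is issued for the real entry, but the service name in the
    reply stays as requested because it cannot change in a TGS response.
    """
    e = lookup(server)
    if e is None:
        return ("not-found", None, None)
    return ("service-ticket", e.canonical, server)
```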
