[31427] in Kerberos


Re: ldap principal aliases

daemon@ATHENA.MIT.EDU (Chris)
Sat Aug 29 11:01:53 2009

X-Barracuda-Envelope-From: lists@deksai.com
Date: Sat, 29 Aug 2009 11:01:19 -0400
From: Chris <lists@deksai.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20090829150119.GA26450@chris-laptop.a2hosting.com>
Mail-Followup-To: Greg Hudson <ghudson@MIT.EDU>, kerberos@mit.edu
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <1251509264.20047.273.camel@ray>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Sorry, I just noticed that the list was dropped from the cc in the last few replies.

On Fri, Aug 28, 2009 at 09:27:44PM -0400, Greg Hudson wrote:
> On Fri, 2009-08-28 at 16:04 -0400, Chris wrote:
> > [root@wopr ~]# kvno host/sf9ca98.domain.com
> > host/sf9ca98.domain.com@DOMAIN.COM: kvno = 7
> > [root@wopr ~]# kvno host/ns4.domain.com
> > host/ns4.domain.com@DOMAIN.COM: Server not found in Kerberos
> > database while getting credentials
> 
> I just tried a simple test like this myself and it worked for me.
> 
> However, I noted that success in the latter case depends on the client
> setting KDC_OPT_CANONICALIZE in the TGS request.  The client sets this
> bit in krb5 1.6 and krb5 1.7, but not in krb5 1.5 and prior.  So if
> you're trying to get aliases to work for older versions of the client
> library, that's going to be an issue.
> 
> 

Yep, sure enough.  The version on wopr is pretty old.

Are there any known scenarios where forcing canonicalization on the KDC
would be bad?  I was thinking about just removing the check for that
flag from our KDCs, since there are quite a few servers that have the
old libraries.

Chris
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
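As an added illustration (not part of the thread above, and not MIT krb5 code), the following toy model shows the behaviour Greg describes: an alias such as host/ns4.domain.com is only followed when the TGS-REQ carries the canonicalize KDC option, so a client library that never sets that bit gets "Server not found" even though the alias exists. The KDC_OPT_CANONICALIZE value is the real MIT krb5 constant (KDCOptions bit 15 in RFC 4120); the alias table, the principal table and the request outcomes are constructed for this example, and the `require_canonicalize` switch is a hypothetical knob that models Chris's idea of dropping the flag check on the KDC.

```python
# Added example, not code from the mailing-list thread or from MIT krb5.
# Toy model of the KDC-side alias lookup described in the reply above.

KDC_OPT_CANONICALIZE = 0x00010000  # MIT krb5 kdc_options bit (RFC 4120 KDCOptions bit 15)

# Constructed alias table: alias principal -> canonical principal.
ALIASES = {
    "host/ns4.domain.com@DOMAIN.COM": "host/sf9ca98.domain.com@DOMAIN.COM",
}

# Constructed principal database: canonical principal -> key version number.
PRINCIPALS = {
    "host/sf9ca98.domain.com@DOMAIN.COM": 7,
}


class ServerNotFound(Exception):
    """Stands in for the 'Server not found in Kerberos database' error in the thread."""


def lookup_service(sname, kdc_options, require_canonicalize=True):
    """Resolve a requested service principal to (canonical name, kvno).

    With require_canonicalize=True (the behaviour Greg describes), an alias is
    only followed when the client set KDC_OPT_CANONICALIZE in the request.
    require_canonicalize=False is a hypothetical switch modelling a KDC that
    follows aliases regardless of the flag.
    """
    if sname in PRINCIPALS:
        return sname, PRINCIPALS[sname]
    canonical = ALIASES.get(sname)
    if canonical is None:
        raise ServerNotFound(sname)
    if require_canonicalize and not (kdc_options & KDC_OPT_CANONICALIZE):
        # Old clients (krb5 1.5 and earlier) land here: the alias exists,
        # but the request did not ask for canonicalization.
        raise ServerNotFound(sname)
    return canonical, PRINCIPALS[canonical]


def simulate(sname, client_sets_canonicalize, require_canonicalize=True):
    """Return the one-line outcome a kvno-style client would report."""
    opts = KDC_OPT_CANONICALIZE if client_sets_canonicalize else 0
    try:
        canonical, kvno = lookup_service(sname, opts, require_canonicalize)
        return f"{sname}: kvno = {kvno} (ticket issued for {canonical})"
    except ServerNotFound:
        return f"{sname}: Server not found in Kerberos database"


if __name__ == "__main__":
    alias = "host/ns4.domain.com@DOMAIN.COM"
    canon = "host/sf9ca98.domain.com@DOMAIN.COM"
    print("canonical name, old client :", simulate(canon, False))
    print("alias, old client          :", simulate(alias, False))
    print("alias, krb5 1.6+ client    :", simulate(alias, True))
    print("alias, old client, no check:", simulate(alias, False, require_canonicalize=False))
```

The model leaves out one detail that matters for the question Chris asks: in the real exchange the ticket returned for an alias carries the canonical service name, so whether a client that never requested canonicalization accepts that reply is a client-side question, not something the KDC alone can settle.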
