[31430] in Kerberos


Re: ldap principal aliases

daemon@ATHENA.MIT.EDU (Luke Howard)
Sun Aug 30 03:19:13 2009

Message-Id: <0FE8A6BC-148A-4558-9725-255A654BC594@padl.com>
From: Luke Howard <lukeh@padl.com>
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <1251592701.20047.294.camel@ray>
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Sun, 30 Aug 2009 09:18:23 +0200
Cc: "kerberos@MIT.EDU" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


On 30/08/2009, at 2:38 AM, Greg Hudson wrote:

> On Sat, 2009-08-29 at 11:01 -0400, Chris wrote:
>> Are there any known scenarios where forcing canonicalization on the
>> KDC would be bad?
>
> I'm not aware of any--in fact, I couldn't tell you with confidence why
> our KDC is checking that flag for TGS requests without consultation
> with others.  However, if you have old MIT Kerberos software on server
> machines (in the sense of a Kerberos application server), you may run
> into another problem:

In the TGS, the canonicalize flag is used only for determining whether
to return referrals; in a normal service principal request, it has no
bearing on the returned service name.

The behaviour for the AS is slightly different in respect of service
names, in order to handle some Windows interoperability issues. In
respect of client names, the canonicalize flag permits a different
client name to be returned.

-- Luke
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
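The distinction Luke draws above (TGS: the flag only gates referrals and never rewrites the service name; AS: the flag permits a different client name to come back) can be made concrete with a small model of a KDC's name-handling policy and the matching client-side acceptance check. This is an added illustration, not MIT Kerberos code or anything from the thread; the alias table, realm table, principal names and the decision to return an un-canonicalized alias unchanged when the flag is absent are all constructed assumptions for the toy. The client check follows the rule from RFC 4120 section 3.1.5, as relaxed by RFC 6806: a client accepts a cname that differs from the one it requested only when it set the canonicalize flag itself.

```python
"""Toy model of how the KDC canonicalize flag affects returned names.

Added example, not MIT Kerberos code. Models the behaviour described in
the post: in a TGS request the flag only decides whether a cross-realm
referral is issued (the service name itself is never rewritten), while
in an AS request it allows the KDC to return a canonical client name
that differs from the one requested.
"""
from dataclasses import dataclass
from typing import Optional

LOCAL_REALM = "EXAMPLE.COM"

# Constructed sample data: client aliases known to this toy KDC (alias -> canonical)
# and the realm each service principal lives in. Names are invented.
CLIENT_ALIASES = {
    "alice@EXAMPLE.COM": "alice@EXAMPLE.COM",
    "alice.smith@EXAMPLE.COM": "alice@EXAMPLE.COM",
}
SERVICE_REALMS = {
    "host/web.example.com": "EXAMPLE.COM",
    "host/db.partner.net": "PARTNER.NET",
}


@dataclass
class Reply:
    cname: str                   # client name carried in the reply
    sname: str                   # service name carried in the ticket
    referral: bool = False       # True when sname is a cross-realm TGT
    error: Optional[str] = None  # KRB-ERROR code, or None on success


def as_reply(requested_cname: str, canonicalize: bool) -> Reply:
    """AS exchange: the flag permits a different (canonical) client name."""
    tgt = f"krbtgt/{LOCAL_REALM}"
    canonical = CLIENT_ALIASES.get(requested_cname)
    if canonical is None:
        return Reply(requested_cname, tgt, error="C_PRINCIPAL_UNKNOWN")
    # Modelling assumption: without the flag the alias is used as-is,
    # because the KDC is not permitted to change the client name.
    return Reply(canonical if canonicalize else requested_cname, tgt)


def tgs_reply(requested_sname: str, canonicalize: bool) -> Reply:
    """TGS exchange: the flag only gates referrals; sname is never rewritten."""
    realm = SERVICE_REALMS.get(requested_sname)
    if realm is None:
        return Reply("", requested_sname, error="S_PRINCIPAL_UNKNOWN")
    if realm != LOCAL_REALM:
        if not canonicalize:
            # No referral allowed: the foreign service is simply unknown here.
            return Reply("", requested_sname, error="S_PRINCIPAL_UNKNOWN")
        # Referral: a cross-realm TGT for the realm that owns the service.
        return Reply("", f"krbtgt/{realm}@{LOCAL_REALM}", referral=True)
    # Local service: returned under exactly the name that was requested.
    return Reply("", requested_sname)


def client_accepts_as_reply(requested_cname: str, canonicalize: bool,
                            reply: Reply) -> bool:
    """Client-side check: a cname mismatch is acceptable only if the client
    asked for canonicalization. Otherwise the reply would bind credentials
    to an identity the client never requested and must be rejected."""
    if reply.error is not None:
        return False
    if reply.cname == requested_cname:
        return True
    return canonicalize


if __name__ == "__main__":
    for flag in (False, True):
        r = as_reply("alice.smith@EXAMPLE.COM", flag)
        print(f"AS  canonicalize={flag}: cname={r.cname}")
        r = tgs_reply("host/db.partner.net", flag)
        print(f"TGS canonicalize={flag}: sname={r.sname} error={r.error}")
```

Running the block shows the asymmetry directly: the AS reply's cname changes to the canonical form only when the flag is set, while the TGS reply never changes the service name and merely switches between a referral TGT and an error for a service in another realm.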
