[31433] in Kerberos


Re: ldap principal aliases

daemon@ATHENA.MIT.EDU (Luke Howard)
Sun Aug 30 04:20:02 2009

X-Barracuda-Envelope-From: lukeh@padl.com
Message-Id: <63688255-E3AF-4473-822C-B34C6F2878B2@padl.com>
From: Luke Howard <lukeh@padl.com>
To: "kerberos@MIT.EDU" <kerberos@mit.edu>
In-Reply-To: <20AFB3A2-5464-46EB-934C-7750D79E184E@padl.com>
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Sun, 30 Aug 2009 10:19:19 +0200
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


On 30/08/2009, at 9:21 AM, Luke Howard wrote:

>> Yep, sure enough.  The version on wopr is pretty old.
>>
>> Are there any known scenarios where forcing canonicalization on the
>> KDC
>> would be bad?  I was thinking about just removing the check for that
>> flag from our KDCs, since there are quite a few servers that have the
>> old libraries.
>
>
> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think Greg
> is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).


So, you could try the following untested patch:

Index: ldap_principal2.c
===================================================================
--- ldap_principal2.c	(revision 22548)
+++ ldap_principal2.c	(working copy)
@@ -160,7 +160,8 @@
  	    if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) !=  
NULL) {
  		if (values[0] && strcmp(values[0], user) != 0) {
  		    /* We matched an alias, not the canonical name. */
-		    if (flags & KRB5_KDB_FLAG_CANONICALIZE) {
+		    if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0 ||
+			(flags & KRB5_KDB_FLAG_CANONICALIZE)) {
  			st = krb5_ldap_parse_principal_name(values[0], &cname);
  			if (st != 0)
  			    goto cleanup;
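Review bot: the new condition substitutes the canonical name unconditionally whenever KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is clear, so its safety on the AS path rests entirely on every client-principal lookup passing that flag; that assumption is not visible in this hunk and should be confirmed against the KDC callers before the check is relaxed. The two-flag test is also non-obvious enough to deserve a comment next to `/* We matched an alias, not the canonical name. */` stating that server names are always canonicalized while client names still follow KRB5_KDB_FLAG_CANONICALIZE. Since the patch is described as untested, an alias lookup should be exercised on both the AS and TGS paths before it is applied.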

This always canonicalizes server names (when KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is unset).

For client names, it continues to depend on the setting of KRB5_KDB_FLAG_CANONICALIZE.

-- Luke
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
