[38083] in Kerberos

Re: krb5

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Oct 18 20:43:00 2017

To: Earl Killian <kerberos@lists.killian.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <9ec1890f-ba56-5b74-23cb-a861d8d81282@mit.edu>
Date: Wed, 18 Oct 2017 20:42:34 -0400
MIME-Version: 1.0
In-Reply-To: <7a6b69ba-a704-f7c8-ec3e-b59b75e9d34d@killian.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 10/17/2017 06:04 PM, Earl Killian wrote:
> However, I would like to inquire
> of the mailing list how things are supposed to work when those are set
> to false as in the openSUSE distro.

Not as easily as I would like.  For the specific issue you mention, I
think the only two workarounds are:

1. Create a principal "host/alpha" and put it in keytabs and ACL files
alongside "host/alpha.killian.com".

2. Arrange for gethostname() to return the FQDN (alpha.killian.com)
instead of just "alpha".  This might have undesirable side effects as it
would be a system-wide change.

POSIX does not make it easy to get this right without risking using
insecure DNS, although there are some improvements we could make (such
as looking to see if there is exactly one search domain in _res.dnsrch,
and expanding single-component hostnames using that domain if so).
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
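
The single-search-domain expansion suggested at the end of the message, sketched in C as an added example; it is not part of the original post and not krb5 code. The helper name expand_short_hostname is hypothetical, and the search list is read from _res.dnsrch after res_init(), with no DNS query made.

```c
/* Added example, not krb5 code: expand a single-component hostname only
 * when the resolver configuration has exactly one search domain. */
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper.  `search` is a NULL-terminated list shaped like
 * _res.dnsrch.  Returns 1 if `host` was expanded into `out`, 0 if it was
 * copied unchanged, -1 if the result does not fit in `out`. */
int expand_short_hostname(const char *host, char *const *search,
                          char *out, size_t outlen)
{
    size_t ndomains = 0;
    int n;

    while (search != NULL && search[ndomains] != NULL)
        ndomains++;

    /* Expand only a non-empty name with no dot, and only when there is
     * exactly one non-empty search domain (a resolver may leave an empty
     * default domain in slot 0).  Anything else is left untouched. */
    if (*host != '\0' && strchr(host, '.') == NULL && ndomains == 1 &&
        search[0][0] != '\0') {
        n = snprintf(out, outlen, "%s.%s", host, search[0]);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
    }
    n = snprintf(out, outlen, "%s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char host[256], fqdn[512];
    int r;

    if (gethostname(host, sizeof(host)) != 0 || res_init() != 0)
        return 1;
    host[sizeof(host) - 1] = '\0';
    r = expand_short_hostname(host, _res.dnsrch, fqdn, sizeof(fqdn));
    if (r < 0)
        return 1;
    /* The host principal name this rule would yield on this machine. */
    printf("host/%s (%s)\n", fqdn, r ? "expanded" : "unchanged");
    return 0;
}
```

Comparing the printed name against the keytab contents shows whether the "host/alpha" workaround from the message is still needed on a given machine.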
