[30719] in Kerberos


Kerberos canonicalization problem

daemon@ATHENA.MIT.EDU (Lorenzo Costanzia)
Fri Feb 13 12:20:28 2009

From: Lorenzo Costanzia <lorenzo.costanzia@gmail.com>
Date: Fri, 13 Feb 2009 12:23:41 +0100
Message-ID: <4995583d$0$844$4fafbaef@reader5.news.tin.it>
To: kerberos@mit.edu

Hi everybody,

I'm trying to set up an AFP server with (MIT) Kerberos authentication 
and DNS service discovery (aka Bonjour, see http://www.dns-sd.org/) in 
my home network (which uses a private .lan top level domain). The AFP 
server works beautifully when connecting "directly" to it.

But when I try to connect to the AFP server after discovery via dns-sd, the 
client tries to fetch an
"afpserver/afp.lan.@MYREALM.LAN" ticket (note the trailing dot in the 
SPN), which doesn't exist, so authentication fails. (This is btw the 
correct behavior of dns-sd, which always gives back the more verbose 
"form" of the hostname with a trailing dot.)

Now I can't simply add an "afpserver/afp.lan." principal, as the AFP 
server accepts only one principal, and I want to be able to connect 
both "directly" and via dns-sd.

However, when the client connects to the KDC asking for that 
nonexistent service principal, the "canonicalization" flag is set, but 
the KDC doesn't care and reports KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

Now is there a way to activate KDC-side canonicalization and/or set up a 
static alias between "afpserver/afp.lan." and "afpserver/afp.lan"?

Thanks in advance,
Lorenzo Costanzia

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
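The mismatch described in the message above, as an added example that is not part of the original post or of MIT Kerberos: a small Python model of principal-name parsing (components separated by unescaped "/", realm after an unescaped "@", with the backslash escapes MIT krb5 uses) and of the byte-for-byte database lookup that yields KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for the dns-sd form, next to a host-component normalization (strip the trailing root dot, lowercase) that maps "afpserver/afp.lan.@MYREALM.LAN" onto the registered "afpserver/afp.lan@MYREALM.LAN". The REGISTERED set, kdc_lookup and its canonicalize flag are constructed for this example and do not describe what any real KDC does by default.

```python
# Added example, not code from the original message or from MIT krb5.
# Models why "afpserver/afp.lan.@MYREALM.LAN" (trailing root dot, as returned
# by dns-sd) fails against a database that only holds "afpserver/afp.lan@MYREALM.LAN":
# Kerberos principal names are compared as strings, not as DNS names.

KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = 7  # error code value from RFC 4120

# Constructed stand-in for the KDC's principal database: only the
# dot-less SPN exists, as in the post.
REGISTERED = {"afpserver/afp.lan@MYREALM.LAN"}


def split_principal(name):
    """Split 'comp1/comp2/...@REALM' into ([components], realm).

    An unescaped '/' separates components, an unescaped '@' starts the
    realm; '\\x' yields the literal character x (MIT krb5 quoting rules).
    Realm is None when the name carries no '@'.
    """
    comps, cur, in_realm = [], [], False
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            cur.append(name[i + 1])   # escaped character, taken literally
            i += 2
            continue
        if not in_realm and ch == "/":
            comps.append("".join(cur))
            cur = []
        elif not in_realm and ch == "@":
            comps.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        return comps, "".join(cur)
    comps.append("".join(cur))
    return comps, None


def escape_component(comp):
    """Re-escape the separator characters so join/split round-trip."""
    return comp.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def join_principal(comps, realm):
    """Inverse of split_principal."""
    text = "/".join(escape_component(c) for c in comps)
    return text if realm is None else text + "@" + realm


def canonical_host(host):
    """Normalize a DNS name for use in a host-based SPN: drop the trailing
    root dot ("afp.lan." -> "afp.lan") and lowercase it. This is the
    client-side normalization the poster's setup lacks (assumption made
    for this example, not a statement about any particular client)."""
    return host.rstrip(".").lower()


def canonicalize_service_principal(name):
    """Apply canonical_host to the second component of a service/host@REALM
    name; names with a different shape are returned unchanged."""
    comps, realm = split_principal(name)
    if len(comps) == 2:
        comps = [comps[0], canonical_host(comps[1])]
    return join_principal(comps, realm)


def kdc_lookup(requested, canonicalize=False):
    """Return (matched_principal, error); error is None on success.

    canonicalize=False mirrors the exact-string match the poster hit.
    canonicalize=True normalizes the host component first, i.e. the
    aliasing behaviour the poster is asking for, modelled here only.
    """
    name = canonicalize_service_principal(requested) if canonicalize else requested
    if name in REGISTERED:
        return name, None
    return None, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN


if __name__ == "__main__":
    spn = "afpserver/afp.lan.@MYREALM.LAN"
    print("exact lookup:      ", kdc_lookup(spn))
    print("canonical lookup:  ", kdc_lookup(spn, canonicalize=True))
```

In practice the normalization belongs wherever the SPN is derived from the discovered hostname, or the second name is registered as an alias if the KDC backend supports aliases; whether the poster's AFP client permits either is not something the message says.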
