[16968] in Kerberos-V5-bugs
[krbdev.mit.edu #9137] kg_acceptor_princ behavior
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Sat Aug 24 02:41:42 2024
From: "Greg Hudson via RT" <rt@kerborg-prod-app-1.mit.edu>
In-Reply-To: <LV3PR04MB899171DFEA6411FE49AACFD9FB882@LV3PR04MB8991.namprd04.prod.outlook.com>
Message-ID: <rt-4.4.3-2-259714-1724481694-1418.9137-5-0@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9137":;
Date: Sat, 24 Aug 2024 02:41:34 -0400
<URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9137 >
This does not read like a bug report. Requests for clarification about parts
of the MIT krb5 code should be sent to krbdev@mit.edu, not to
krb5-bugs@mit.edu, and should ideally come with more details and less venting.

For more information about that comment, see
https://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names and
https://github.com/krb5/krb5/commit/66587fcd6380eac2c53674df4f64a827d337aee5.
Since then we have also implemented
support for dns_canonicalize_hostname=fallback; if that is set, the acceptor
will match the originally provided hostname or the canonicalized hostname.

If the preferred behavior is not to restrict the hostname part of the acceptor
principal except to what is in the keytab, either the acceptor code should
import a service name with no hostname part (like "HTTP" instead of
"HTTP@myhostname"), or krb5.conf should contain ignore_acceptor_hostname=true.
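The following is an added illustration, not part of the original message and not MIT krb5 source code: a simplified Python model of which keytab entries an acceptor would accept under the options described above. The function names, keytab entries and canonicalization map are constructed, and the handling of the `true` and `false` values of dns_canonicalize_hostname is an assumption of the model.

```python
# Simplified model (an assumption, not MIT krb5 code) of acceptor name matching.

def parse_principal(princ):
    """Split 'service/host@REALM' into (service, host)."""
    name = princ.rsplit("@", 1)[0]
    service, _, host = name.partition("/")
    return service, host.lower()

def candidate_hosts(host, mode, canon_map):
    """Hostnames the acceptor matches for a dns_canonicalize_hostname mode."""
    canon = canon_map.get(host, host)
    if mode == "false":
        return {host}              # only the hostname as provided
    if mode == "fallback":
        return {host, canon}       # provided or canonicalized hostname
    return {canon}                 # "true": canonicalized hostname only

def acceptable_entries(acceptor_name, keytab, *, ignore_acceptor_hostname=False,
                       dns_canonicalize_hostname="true", canon_map=None):
    """Return the keytab principals a client could authenticate to."""
    service, _, host = acceptor_name.partition("@")
    host = host.lower()
    # No hostname part, or ignore_acceptor_hostname=true: only the service
    # name restricts the match, so every such keytab entry is accepted.
    restrict = bool(host) and not ignore_acceptor_hostname
    hosts = (candidate_hosts(host, dns_canonicalize_hostname, canon_map or {})
             if restrict else None)
    accepted = []
    for princ in keytab:
        kt_service, kt_host = parse_principal(princ)
        if kt_service != service:
            continue
        if hosts is not None and kt_host not in hosts:
            continue
        accepted.append(princ)
    return accepted

# Constructed sample data: a keytab listing and a CNAME-style alias.
KEYTAB = [
    "HTTP/www.example.com@EXAMPLE.COM",
    "HTTP/web1.example.com@EXAMPLE.COM",
    "HTTP/intranet.example.com@EXAMPLE.COM",
    "host/web1.example.com@EXAMPLE.COM",
]
CANON = {"www.example.com": "web1.example.com"}

if __name__ == "__main__":
    for mode in ("true", "false", "fallback"):
        print(mode, acceptable_entries("HTTP@www.example.com", KEYTAB,
                                       dns_canonicalize_hostname=mode, canon_map=CANON))
```

Running the model against a real keytab listing shows how many service principals become acceptable once the hostname restriction is lifted, which is worth checking before enabling ignore_acceptor_hostname on a host whose keytab holds keys for several names.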