[16162] in Kerberos_V5_Development
Re: Patch to ignore service principals when accepting connexions.
daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Aug 26 08:21:10 2010
Date: Thu, 26 Aug 2010 08:21:01 -0400
From: Simo Sorce <ssorce@redhat.com>
To: krbdev@mit.edu
Message-ID: <20100826082101.223e1782@willson.li.ssimo.org>
In-Reply-To: <tslmxsaurkr.fsf@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Wed, 25 Aug 2010 20:48:36 -0400
Sam Hartman <hartmans@MIT.EDU> wrote:

> How far along would a patch that simply made krb5_rd_req not care
> about the second component (hostname) of a principal go to address
> your needs? Do you need cases where the realm mismatches or where the
> application asked for nfs and you really want imap?

I know of at least one case: CIFS file serving. CIFS clients may try to
use one of these 2 names for host foo.example.com:
foo$@EXAMPLE.COM and cifs/foo.example.com@EXAMPLE.COM

And I think it is not unheard of to see
host/foo.example.com@EXAMPLE.COM too; the reason is that in AD each
machine has a truckload of aliases all applied to the same key
material...

Simo.

--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
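
Added example, not part of the original message and not MIT krb5 code: a small Python model of the matching question raised in this exchange, showing which of the three names from the message an acceptor would take under different policies. The functions `parse_principal`, `ignore_hostname` and `accepted`, the policy names, and the reading of "ignore the second component" are assumptions made for illustration.

```python
# Added illustration: a toy model of acceptor-side name matching, not MIT krb5 code.
from typing import NamedTuple, Tuple


class Principal(NamedTuple):
    components: Tuple[str, ...]
    realm: str


def parse_principal(name: str) -> Principal:
    """Split 'comp1/comp2@REALM'; a backslash makes the next character literal."""
    comps, cur, realm, in_realm = [], [], [], False
    chars = iter(name)
    for ch in chars:
        if ch == "\\":
            (realm if in_realm else cur).append(next(chars, ""))
        elif ch == "/" and not in_realm:
            comps.append("".join(cur))
            cur = []
        elif ch == "@" and not in_realm:
            in_realm = True
        else:
            (realm if in_realm else cur).append(ch)
    comps.append("".join(cur))
    return Principal(tuple(comps), "".join(realm))


def ignore_hostname(requested: Principal, ticket: Principal) -> bool:
    """Assumed reading of the proposal: only the second component is a wildcard."""
    if requested.realm != ticket.realm:
        return False
    if len(requested.components) != len(ticket.components):
        return False
    pairs = zip(requested.components, ticket.components)
    return all(i == 1 or r == t for i, (r, t) in enumerate(pairs))


# The three names from the message, which it says share the same key material.
ALIASES = ["foo$@EXAMPLE.COM", "cifs/foo.example.com@EXAMPLE.COM",
           "host/foo.example.com@EXAMPLE.COM"]


def accepted(policy: str, requested: str) -> list:
    """Return which ticket names in ALIASES the acceptor would take under a policy."""
    req = parse_principal(requested)
    alias_set = {parse_principal(a) for a in ALIASES}
    checks = {
        "exact": lambda t: t == req,
        "ignore_hostname": lambda t: ignore_hostname(req, t),
        "alias_set": lambda t: t in alias_set,  # any name tied to the same key
    }
    return [a for a in ALIASES if checks[policy](parse_principal(a))]
```

In this model, wildcarding only the hostname still leaves `foo$@EXAMPLE.COM` and `host/foo.example.com@EXAMPLE.COM` unmatched for a server that asked for `cifs/...`, while matching against the set of names bound to the same key takes all three.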