[16163] in Kerberos_V5_Development
Re: Patch to ignore service principals when accepting connexions.
daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Aug 26 08:26:30 2010
Date: Thu, 26 Aug 2010 08:26:20 -0400
From: Simo Sorce <ssorce@redhat.com>
To: Sam Hartman <hartmans@painless-security.com>
Message-ID: <20100826082620.3ddae4d4@willson.li.ssimo.org>
In-Reply-To: <tsleidmupik.fsf@mit.edu>
Cc: krbdev@mit.edu
On Wed, 25 Aug 2010 21:33:07 -0400
Sam Hartman <hartmans@painless-security.com> wrote:
> I definitely agree that the forward/reverse resolution creates issues
> for acquire_cred. There's a kind of annoying Debian bug open on this
> where the name you end up with depends on whether you have A records
> or just AAAA records. Also, as you point out it is a source of
> failure.
>
> So, I would like to express support for a configuration knob to ignore
> the hostname and to look into what we can do about acceptor-side use
> of DNS.
In Heimdal there is a function called gsskrb5_set_dns_canonicalized()
that allows you to tell your library to not do any DNS lookup.
It would be a nice-to-have.
Simo.
--
Simo Sorce * Red Hat, Inc * New York