[17306] in Kerberos_V5_Development
Re: Proposed Behavior change: don't fail when krb5_sname_to_principal
daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri Oct 14 14:28:06 2011
From: Sam Hartman <hartmans@mit.edu>
To: Tom Yu <tlyu@mit.edu>
Date: Fri, 14 Oct 2011 14:28:01 -0400
In-Reply-To: <ldvr52fsacg.fsf@cathode-dark-space.mit.edu> (Tom Yu's message of
"Fri, 14 Oct 2011 14:21:19 -0400")
Message-ID: <tslhb3bbf7y.fsf@mit.edu>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
>>>>> "Tom" == Tom Yu <tlyu@MIT.EDU> writes:
Tom> Greg Hudson <ghudson@MIT.EDU> writes:
>> I'm not really opposed to this, although one could argue that
>> host/foo.searchdomain is a better guess than host/foo in the
>> absence of DNS (when foo contains no dots). But that assumes we
>> can find out the search domain (which might be easier than we
>> used to think, but we don't have a facility for it at the moment)
>> and begs the question of what happens when there are multiple
>> search domains.
Tom> Is there any way to securely deal with multiple search domains?

No, RFC 4120 tells you not to deal with multiple search domains.