
Re: Turning off hostname canonicalisation

On Sep 9, 2005, at 20:10, Jeffrey Altman wrote:
> MIT has already implemented this functionality.
> We added
>
> [libdefaults]
>   rdns = {no, yes}
>
> It currently defaults to "on" but can be turned off in the profile.

No, this is different functionality.

MIT's current code does basically this:

   1) get hostname from user/app
   2) call getaddrinfo on hostname
   3) pull out ai_canonname, the canonical name, if non-null
   4) if rdns=yes:
     a) call getnameinfo(NI_NAMEREQD) on first address
     b) if successful, use returned name

What Andrew's proposing basically cuts this off after step 1.  The
user provides a name, we drop it into a principal and send it off to
the KDC.

It sounds like a good thing, except ... if a host is being a Samba
client, does that mean it's talking to the AD for all its Kerberos
communication?  It won't be talking to, say, an MIT KDC that expects
a fully qualified canonical name to be used in the principal name?
Changing /etc/krb5.conf will affect all Kerberos applications on the
machine; if that's not the right result, then Samba would need its
own config file, or we should use a different way to switch it off.

BTW, Andrew's original message seems to conflate "canonical" and
"fully qualified" names.  A name can be fully qualified without being
canonical.  I assumed from his description that he wants any sort of
name lookup and transformation shut off...

Ken
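The four-step procedure Ken describes, written out as an added example (this is not code from the thread, from MIT Kerberos or from Samba). The decision of which name ends up in the host/... principal is kept in a pure function, `choose_host_component`, so the three policies can be compared on constructed inputs without touching DNS: `canonicalize = 0` models Andrew's "stop after step 1" proposal, `rdns` models MIT's `[libdefaults] rdns` switch. `resolve_host` performs the real getaddrinfo/getnameinfo steps for the reader who wants to see what their own resolver returns; the names `mail`, `mail.example.com`, `mx1.example.com` and the realm `EXAMPLE.COM` are constructed sample values, and the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* What the lookup steps produced, separated from the policy so the policy
 * can be exercised offline. Any field may be NULL when a step yields nothing. */
struct lookup_result {
    const char *requested;  /* step 1: name as given by the user/app        */
    const char *canonname;  /* step 3: ai_canonname from getaddrinfo, or NULL */
    const char *rdns_name;  /* step 4b: getnameinfo(NI_NAMEREQD) result, or NULL */
};

/* Pick the host component of the service principal.
 * canonicalize == 0: Andrew's proposal, use the name exactly as supplied.
 * rdns != 0:         MIT's rdns=yes, prefer the reverse-lookup name when present. */
const char *choose_host_component(const struct lookup_result *r,
                                  int canonicalize, int rdns)
{
    if (!canonicalize)
        return r->requested;
    const char *name = r->requested;
    if (r->canonname)
        name = r->canonname;            /* step 3: canonical name if non-null */
    if (rdns && r->rdns_name)
        name = r->rdns_name;            /* step 4: reverse lookup wins if it succeeded */
    return name;
}

/* Assemble service/host@REALM; returns 0 on success, -1 if it does not fit. */
int build_service_principal(const char *service, const char *host,
                            const char *realm, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s@%s", service, host, realm);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Steps 2-4a against the live resolver. Fills canon/rdns with empty strings
 * when the corresponding step yields nothing. Returns getaddrinfo's code. */
int resolve_host(const char *host, char *canon, size_t canonlen,
                 char *rdns, size_t rdnslen)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME;     /* ask for ai_canonname (step 3) */
    canon[0] = rdns[0] = '\0';

    int rc = getaddrinfo(host, NULL, &hints, &res);   /* step 2 */
    if (rc != 0)
        return rc;
    if (res->ai_canonname)
        snprintf(canon, canonlen, "%s", res->ai_canonname);
    /* step 4a: reverse-map only the first address, require a real name */
    if (getnameinfo(res->ai_addr, res->ai_addrlen, rdns, rdnslen,
                    NULL, 0, NI_NAMEREQD) != 0)
        rdns[0] = '\0';
    freeaddrinfo(res);
    return 0;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost";
    char canon[NI_MAXHOST], rdns[NI_MAXHOST], princ[2 * NI_MAXHOST];
    int rc = resolve_host(host, canon, sizeof canon, rdns, sizeof rdns);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return 1;
    }
    struct lookup_result r = { host, canon[0] ? canon : NULL,
                               rdns[0] ? rdns : NULL };
    const char *labels[3] = { "no canonicalisation", "rdns=no", "rdns=yes" };
    int flags[3][2] = { {0, 0}, {1, 0}, {1, 1} };
    for (int i = 0; i < 3; i++) {
        const char *h = choose_host_component(&r, flags[i][0], flags[i][1]);
        if (build_service_principal("host", h, "EXAMPLE.COM", princ, sizeof princ) == 0)
            printf("%-20s -> %s\n", labels[i], princ);
    }
    return 0;
}
```

Run it with a short hostname as the argument to see how the three policies diverge on your own resolver; the principal printed under "no canonicalisation" is the one the KDC would have to have a key for under Andrew's scheme, which is exactly the concern Ken raises about a non-AD KDC.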