On Fri, 2005-09-09 at 23:54 -0400, Jeffrey Hutzelman wrote:
>
> On Friday, September 09, 2005 21:00:52 -0400 Jeffrey Altman
> <jaltman@mit.edu> wrote:
>
> > Andrew Bartlett wrote:
> >
> >> How are MIT/Heimdal realms coping with Windows clients, which I presume
> >> don't do such fqdn resolution. Is the concept of servicePrincipalName
> >> spreading to cope, or are there just multiple principals and keytab
> >> entries being created?
> >
> > Currently, large numbers of principal names and keytab entries are being
> > created to deal with this issue.
>
> Someday, I'd love to see MIT and/or Heimdal add real principal name
> aliasing, which would allow better handling for this case than is currently
> possible. As to whether any of the implementors are likely to spend time
> on it, I don't know.

Samba4 already has this feature (naturally, given we are after AD
behaviour), but the more useful point I wanted to make is that I didn't
find it hard to add, particularly to an LDAP-like backend (you just
search for one of any of the names on a record).

> I very much support the idea of a libdefaults setting to turn off DNS
> resolution entirely. Among other things, this would allow compliance with
> RFC4120 section 1.3, which says:
>
>    Implementations of Kerberos and protocols based on Kerberos MUST NOT
>    use insecure DNS queries to canonicalize the hostname components of
>    the service principal names (i.e., they MUST NOT use insecure DNS
>    queries to map one name to another to determine the host part of the
>    principal name with which one is to communicate).
>
>
> However, I object to the name proposed by Andrew, on the grounds that a
> significant portion of users are likely to misspell it, due to a systematic
> difference in spelling between British and American English (In American
> English, we spell -ize with a 'z').
>
> Since a misspelling would result in unintended and potentially insecure
> behavior (depending on which setting is the default) and would not trigger
> an error message, let's pick a name which does not have this problem. :-)

fqdn_lookup?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
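Editor's illustration (not part of the thread, and not Samba, MIT or Heimdal code): the two krb5.conf `[libdefaults]` fragments below show the behaviour the message is arguing about, with the DNS-canonicalizing configuration beside the RFC 4120 section 1.3 compliant one. The option name proposed in the thread (`fqdn_lookup`) never shipped; the knobs shown are `dns_canonicalize_hostname` (which both MIT krb5 and Heimdal later added to `[libdefaults]`) and MIT krb5's `rdns`. The realm name is constructed.

```ini
# Added example, not from the mailing-list thread.
# Two alternative [libdefaults] blocks for krb5.conf; use one or the other.

# Weak (historical default): before building host/<name>@REALM the client
# resolves <name> forward in DNS and then, with rdns, maps the address back
# to a name. A forged DNS answer therefore decides which service key the
# ticket is obtained for, which is exactly what RFC 4120 section 1.3 forbids.
[libdefaults]
    default_realm = EXAMPLE.COM          ; constructed realm
    dns_canonicalize_hostname = true
    rdns = true                          ; MIT krb5 only

# Hardened: the hostname the application passes in is used verbatim as the
# host component of the service principal. The service must then be
# registered under that exact name, either as its own principal and keytab
# entry (the "large numbers of principal names" the thread describes) or as
# a principal alias where the KDC supports aliasing.
[libdefaults]
    default_realm = EXAMPLE.COM          ; constructed realm
    dns_canonicalize_hostname = false
    rdns = false                         ; MIT krb5 only
```

With canonicalization off, a client that connects to a short name such as `fileserver` will ask for `host/fileserver@EXAMPLE.COM`, not `host/fileserver.example.com@EXAMPLE.COM`, so the check that the hardened setting has not broken a service is simply whether the KDC has a principal (or alias) under the name applications actually use.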