>Since we use NIS as the primary source for hostname
>resolution, all host lookups render a single IP address,
>even for multihomed machines. Moving to DNS is not an
>option at the moment.

I have to ask ... you're STILL using NIS for hostname resolution? Ouch.

>That said (barring hacks to application protocols that
>would allow target hosts to send IP addresses back to
>the source host, then having the client embed the full set
>of tickets), the way to address this would be to have
>the target host obtain new tickets with a full set of
>IP addresses.
>
>1 - is this possible?

The trick here is that one of the IP addresses in the target ticket _must_ be the IP address used to talk to the KDC; otherwise, you're outta luck.

>2 - is it within the limits of the specification?

Yes.

It occurs to me that you could save yourself some pain and simply get a completely addressless ticket. There is a school of thought in the Kerberos world that suggests IP addresses in tickets are not that useful.

--Ken
_______________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
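
The two choices discussed in the message above, sketched as a client-side configuration. This is an added example, not part of the original message; it assumes MIT krb5's `krb5.conf` `[libdefaults]` options, and the addresses are constructed documentation-range values.

```ini
# /etc/krb5.conf on the multihomed host (MIT krb5 assumed)
[libdefaults]
    # Option A: addressless tickets, as suggested in the reply.
    # Initial ticket requests carry no address list, so the ticket
    # is not bound to whichever single IP the NIS lookup returned.
    noaddresses = true

    # Option B: keep address-restricted tickets, but request them
    # for every interface. extra_addresses is ignored while
    # noaddresses is true, so both lines change together.
    # Per the reply, one listed address must be the one this host
    # uses to talk to the KDC. Values are constructed.
    # noaddresses = false
    # extra_addresses = 192.0.2.10, 198.51.100.10
```

For a single request, `kinit -A` asks for a ticket without address restrictions and `kinit -a` asks for one restricted to the host's local addresses; `klist -a` lists the addresses carried in the cached credentials.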
