Hi everybody,

I'm trying to set up an AFP server with (MIT) Kerberos authentication and DNS service discovery (aka Bonjour, see http://www.dns-sd.org/) in my home network (which uses a private .lan top level domain). The AFP server works beautifully when connecting "directly" to it.

But when I try to connect to the AFP after discovery via dns-sd, the client tries to fetch a "afpserver/[email protected]" ticket (note the trailing dot in the SPN), which doesn't exist, so authentication fails. (This is btw the correct behavior of dns-sd, which always gives back the more verbose "form" of the hostname with trailing dot.)

Now I can't simply add an "afpserver/afp.lan." principal, as the AFP server accepts only one principal, and I want to be able to connect both "directly" and via dns-sd. However, when the client connects to the KDC asking for that nonexistent service principal, the "canonicalization" flag is set, but the KDC doesn't care and reports KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

Now is there a way to activate KDC-side canonicalization and/or set up a static alias between "afpserver/afp.lan." and "afpserver/afp.lan"?

Thanks in advance,
Lorenzo Costanzia

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
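The failure described in the post, modelled in code as an added example (this is not part of the original mailing-list message and is not MIT Kerberos code): a toy KDC whose principal lookup either ignores the client's canonicalize flag, as the poster observed, or retries the lookup with the trailing dot stripped from the host part, or consults a static alias table, plus the client-side fallback of retrying with the canonical host name on KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. The realm "LAN", the principal strings and the alias table are assumptions for illustration; the error code value 7 is the one assigned by RFC 4120. What the model shows is what "KDC-side canonicalization" or "a static alias" would have to do to make the dns-sd form resolve, not a claim about how a particular krb5 release behaves.

```python
# Added example: toy model of KDC service-principal lookup. Not MIT Kerberos
# code; the realm "LAN", the principal names and the alias table are assumed.

# KDC_ERR_S_PRINCIPAL_UNKNOWN, RFC 4120 section 7.5.9.
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = 7


class KdcError(Exception):
    def __init__(self, code, principal):
        super().__init__("KDC error %d for %s" % (code, principal))
        self.code = code
        self.principal = principal


def parse_principal(name):
    """Split 'service/host@REALM' into (service, host, realm)."""
    if "@" not in name:
        raise ValueError("principal has no realm: %r" % name)
    name_part, realm = name.rsplit("@", 1)
    if "/" not in name_part:
        raise ValueError("not a host-based principal: %r" % name)
    service, host = name_part.split("/", 1)
    return service, host, realm


def canonical_host(host):
    """Normalise a hostname as DNS-SD returns it: lower-case it and drop the
    trailing dot of the fully-qualified form ('afp.lan.' -> 'afp.lan')."""
    return host.lower().rstrip(".")


def canonical_principal(name):
    """Rebuild a host-based principal with its host part canonicalised."""
    service, host, realm = parse_principal(name)
    return "%s/%s@%s" % (service, canonical_host(host), realm)


class ToyKdc:
    """Minimal model of a KDC's principal lookup for a TGS request.

    honor_canonicalize=False models what the post describes: the request's
    canonicalize flag is ignored and an unknown name simply fails.
    honor_canonicalize=True models a KDC that retries with the canonical host.
    aliases models a static alias table mapping extra names to one entry."""

    def __init__(self, principals, aliases=None, honor_canonicalize=False):
        self.principals = set(principals)
        self.aliases = dict(aliases or {})
        self.honor_canonicalize = honor_canonicalize

    def lookup(self, requested, canonicalize=False):
        """Return the principal a ticket would be issued for, or raise KdcError."""
        if requested in self.principals:
            return requested
        alias_target = self.aliases.get(requested)
        if alias_target in self.principals:
            return alias_target
        if canonicalize and self.honor_canonicalize:
            canon = canonical_principal(requested)
            if canon in self.principals:
                return canon
        raise KdcError(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, requested)


def ticket_or_error(kdc, spn, canonicalize=True):
    """The issued principal name on success, else the KDC error code."""
    try:
        return kdc.lookup(spn, canonicalize=canonicalize)
    except KdcError as err:
        return err.code


def get_service_ticket(kdc, spn):
    """Client-side workaround: if the KDC reports the host-based SPN unknown,
    retry once with the canonical host name before giving up."""
    try:
        return kdc.lookup(spn, canonicalize=True)
    except KdcError as err:
        if err.code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
            raise
        canon = canonical_principal(spn)
        if canon == spn:
            raise
        return kdc.lookup(canon)


if __name__ == "__main__":
    SPN_DNSSD = "afpserver/afp.lan.@LAN"   # what the client builds after DNS-SD
    SPN_DIRECT = "afpserver/afp.lan@LAN"   # the one principal the server has
    strict = ToyKdc([SPN_DIRECT])
    print("strict KDC:", ticket_or_error(strict, SPN_DNSSD))
    canon_kdc = ToyKdc([SPN_DIRECT], honor_canonicalize=True)
    print("canonicalizing KDC:", ticket_or_error(canon_kdc, SPN_DNSSD))
    aliased = ToyKdc([SPN_DIRECT], aliases={SPN_DNSSD: SPN_DIRECT})
    print("aliased KDC:", ticket_or_error(aliased, SPN_DNSSD))
    print("client fallback:", get_service_ticket(strict, SPN_DNSSD))
```

Run stand-alone, the strict KDC answers the dns-sd form with error 7 while the other two variants, and the client-side retry, all end up at afpserver/afp.lan@LAN. The point of the model is that only one of the three fixes needs to change on the KDC or client for the single-principal AFP server to work with both connection paths.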
