On Thu, 2009-08-27 at 19:46 -0400, Chris wrote:
> This is how I am trying to use this, and it doesn't seem to be working. I
> can use the same queries I see going to the LDAP server manually as the
> KDC user, and they return the correct record, but the KDC always says it
> cannot find the service principal if I use an alias. I see a spot in
> the code that will set the principal name if it sees both
> krbcanonicalname and the KRB5_KDB_FLAG_CANONICALIZE flag. From what I
> think I read in the docs, this is supposed to be on for service
> principals by default.

How are you doing your test queries? (For instance, if you're using
command line tools, what commands are you using?)

In general, the expected behavior as I understand it is:

  kinit realname --> tgt
  kinit aliasname --> not-found error
  kinit -C aliasname --> tgt for realname
  kinit user; kvno realname --> service ticket for realname
  kinit user; kvno aliasname --> service ticket for realname (presented
    as ticket for aliasname because we can't change the service name in
    a TGS response)

But there's always the possibility of bugs.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
