Sorry, I just noticed that the list was dropped from the cc in the last few replies.
On Fri, Aug 28, 2009 at 09:27:44PM -0400, Greg Hudson wrote:
> On Fri, 2009-08-28 at 16:04 -0400, Chris wrote:
> > [r...@wopr ~]# kvno host/sf9ca98.domain.com
> > host/[email protected]: kvno = 7
> > [r...@wopr ~]# kvno host/ns4.domain.com
> > host/[email protected]: Server not found in Kerberos
> > database while getting credentials
>
> I just tried a simple test like this myself and it worked for me.
>
> However, I noted that success in the latter case depends on the client
> setting KDC_OPT_CANONICALIZE in the TGS request. The client sets this
> bit in krb5 1.6 and krb5 1.7, but not in krb5 1.5 and prior. So if
> you're trying to get aliases to work for older versions of the client
> library, that's going to be an issue.
>

Yep, sure enough. The version on wopr is pretty old. Are there any known scenarios where forcing canonicalization on the KDC would be bad? I was thinking about just removing the check for that flag from our KDCs, since there are quite a few servers that have the old libraries.

Chris

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
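The following is an added illustration of the behaviour Greg describes and the change Chris is weighing; it is not code from the thread or from MIT krb5. It models a KDC that resolves a principal alias only when the TGS request carries KDC_OPT_CANONICALIZE, and a "forced" variant that ignores that check. The realm, the principal table, the alias mapping and the kvno are constructed; the two host principals are the ones queried above, and the option's bit value is the constant MIT krb5 defines in krb5.h. The point it makes visible is that a forced KDC hands an old client a ticket naming a service the client never asked for, which is the thing to verify against the old libraries before relying on it.

```python
"""Toy model of how a KDC decides whether to follow a principal alias.

Added illustration for the thread above; it is not MIT krb5 code. The realm,
the principal table, the alias table and the kvno are constructed. The only
values taken from the thread are the two host principals and the KDC option
name; the option's bit value is the one MIT krb5 defines in krb5.h.
"""
from dataclasses import dataclass

REALM = "EXAMPLE.COM"               # constructed; the real realm is redacted in the thread
KDC_OPT_CANONICALIZE = 0x00010000   # KDCOptions bit 15 as MIT krb5 encodes it

# Constructed KDC database: canonical principals with their key version,
# plus the alias table that maps the ns4 name onto the sf9ca98 host entry.
PRINCIPALS = {f"host/sf9ca98.domain.com@{REALM}": 7}
ALIASES = {f"host/ns4.domain.com@{REALM}": f"host/sf9ca98.domain.com@{REALM}"}


class KDCError(Exception):
    """Error text the client would print, as in the kvno output above."""


@dataclass(frozen=True)
class TGSRequest:
    sname: str
    kdc_options: int = 0


@dataclass(frozen=True)
class Ticket:
    sname: str   # service principal the KDC actually issued the ticket for
    kvno: int


def handle_tgs_request(req: TGSRequest, force_canonicalize: bool = False) -> Ticket:
    """Resolve req.sname as Greg describes: a canonical name always resolves,
    an alias resolves only if the client set KDC_OPT_CANONICALIZE.
    force_canonicalize models the change Chris proposes: the KDC follows the
    alias whether or not the client asked for it."""
    if req.sname in PRINCIPALS:
        return Ticket(req.sname, PRINCIPALS[req.sname])
    canonical = ALIASES.get(req.sname)
    if canonical is None:
        raise KDCError("Server not found in Kerberos database")
    client_asked = bool(req.kdc_options & KDC_OPT_CANONICALIZE)
    if not (client_asked or force_canonicalize):
        # Old clients (krb5 1.5 and earlier) land here for any alias.
        raise KDCError("Server not found in Kerberos database")
    return Ticket(canonical, PRINCIPALS[canonical])


def reply_matches_request(req: TGSRequest, ticket: Ticket) -> bool:
    """The check a client can make on the reply: the issued sname must equal
    what it asked for unless it opted into canonicalization. A forced alias
    resolution fails this check for an old client, which is why the KDC-side
    change needs testing against the old libraries rather than being assumed
    safe."""
    if req.kdc_options & KDC_OPT_CANONICALIZE:
        return True
    return ticket.sname == req.sname


def run_scenarios(force_canonicalize: bool = False) -> dict:
    """Replay the two kvno lookups from the thread for an old client (no
    canonicalize bit) and a new client (bit set).
    Returns {(client, name): result text}."""
    results = {}
    for client, opts in (("old", 0), ("new", KDC_OPT_CANONICALIZE)):
        for name in ("host/sf9ca98.domain.com", "host/ns4.domain.com"):
            req = TGSRequest(f"{name}@{REALM}", opts)
            try:
                ticket = handle_tgs_request(req, force_canonicalize)
            except KDCError as err:
                results[(client, name)] = f"{req.sname}: {err}"
                continue
            note = "" if reply_matches_request(req, ticket) else " (sname differs from request)"
            results[(client, name)] = f"{ticket.sname}: kvno = {ticket.kvno}{note}"
    return results


if __name__ == "__main__":
    for force in (False, True):
        print(f"--- KDC force_canonicalize={force}")
        for (client, name), text in run_scenarios(force).items():
            print(f"{client:3} client  {name:28} -> {text}")
```

Run as a script it prints both KDC modes side by side: without forcing, the old client reproduces the "Server not found" line from the thread for the alias; with forcing, the old client gets a ticket back, but one whose sname is the canonical host principal rather than the ns4 name it requested.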
