> Yep, sure enough. The version on wopr is pretty old.
>
> Are there any known scenarios where forcing canonicalization on the KDC
> would be bad? I was thinking about just removing the check for that
> flag from our KDCs, since there are quite a few servers that have the
> old libraries.

This will create problems in the AS path, because the client library won't expect a different principal name. In the TGS path, I think Greg is right (but if you're going to disable the check, I'd do it in libkdb_ldap rather than the KDC).

-- Luke

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
