> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think Greg
> is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).

In the TGS path, it's fine for a backend to always return aliases regardless of the setting of the canonicalize flag (after all, they are indistinguishable to the service from genuine principals). IIRC the DSfW backend does this.

-- Luke
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
