On 30/08/2009, at 9:21 AM, Luke Howard wrote:

>> Yep, sure enough.  The version on wopr is pretty old.
>>
>> Are there any known scenarios where forcing canonicalization on the KDC
>> would be bad?  I was thinking about just removing the check for that
>> flag from our KDCs, since there are quite a few servers that have the
>> old libraries.
>
>
> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think Greg
> is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).


So, you could try the following untested patch:

Index: ldap_principal2.c
===================================================================
--- ldap_principal2.c   (revision 22548)
+++ ldap_principal2.c   (working copy)
@@ -160,7 +160,8 @@
            if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) !=  
NULL) {
                if (values[0] && strcmp(values[0], user) != 0) {
                    /* We matched an alias, not the canonical name. */
-                   if (flags & KRB5_KDB_FLAG_CANONICALIZE) {
+                   if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0 ||
+                       (flags & KRB5_KDB_FLAG_CANONICALIZE)) {
                        st = krb5_ldap_parse_principal_name(values[0], &cname);
                        if (st != 0)
                            goto cleanup;
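Review bot: the new condition `if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0 ||` treats every lookup that lacks KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a server-name lookup, so any caller that resolves a client principal without setting that flag will now get the canonical name back even though it did not ask for it, which is the AS-path breakage described in the quoted reply above. Before relying on this, confirm that every client lookup path into this function actually sets the flag, and extend the comment `/* We matched an alias, not the canonical name. */` to state the policy the new test implements (aliases are always resolved to the canonical name for server principals, and only when KRB5_KDB_FLAG_CANONICALIZE is set for client principals), since that intent is otherwise invisible at this point in the code.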

This always canonicalizes server names (when KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is unset).

For client names, it continues to depend on the setting of KRB5_KDB_FLAG_CANONICALIZE.

-- Luke
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos