On Sun, Aug 30, 2009 at 09:21:22AM +0200, Luke Howard wrote:
> >Yep, sure enough. The version on wopr is pretty old.
> >
> >Are there any known scenarios where forcing canonicalization on
> >the KDC would be bad? I was thinking about just removing the check
> >for that flag from our KDCs, since there are quite a few servers
> >that have the old libraries.
>
> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think
> Greg is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).
>
> -- Luke

Thank you both for the input (and the patch). I apologize, I was out on vacation for several days, so I didn't mean to ignore you!

I see that the patch made it into svn. I will apply it here, and let you know if I run into any problems.

Chris
