On 2007-07-04 14:56, Yves Martin wrote:
[chop]
> thanks to different virtual hosts. In that case, a Unix client using
> GSSAPI works, a Win32 client using SSPI does not.
>
> Either I compile the Win32 client with GSSAPI too,
> or I have to dedicate a new IP address to my service URL - if there
> is a chance that mod_auth_kerb on the server uses the right keytab entry (I
> still have a doubt)

With the right tweaks mod_auth_kerb will do the right thing.

> I'm asking why you reject so firmly DNS canonicalization. Even libgssapi
> from MIT Kerberos does it now.
[chop]

I have essentially the same problem *caused* by the canonicalization. Depending on which DNS servers are used by clients, they canonicalize a hostname into a different SPN. So far I'm up to seven. Yikes.

My reasons for being opposed to DNS c14n are not at all original and are well argued all over the place. I of course 100% agree that DNS canonicalization is common in krb5 implementations, but that doesn't make it right. I've been resisting the urge to ask the rhetorical question, "if MIT jumped off a cliff, would neon too?"

--
Alec Kloss [EMAIL PROTECTED] IM: [EMAIL PROTECTED]
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
The mountain called Monkey had spoken. There was only fire. -Gorillaz
_______________________________________________ neon mailing list [email protected] http://mailman.webdav.org/mailman/listinfo/neon
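
The effect described in the message above, as an added example that is not part of the original e-mail or of neon's code: a simplified model of client-side DNS canonicalization (follow CNAMEs, then take the PTR name) showing how one service name turns into several SPNs that the server's keytab must all contain. The resolver views, hostnames, addresses and realm are constructed for illustration.

```python
# Constructed sample data: three resolver views of the same service name.
# All hostnames, addresses and the realm are made up for illustration.
RESOLVER_VIEWS = {
    "internal": {
        "cname": {"svc.example.org": "web01.corp.example.org"},
        "a": {"web01.corp.example.org": "192.0.2.10"},
        "ptr": {"192.0.2.10": "web01.corp.example.org"},
    },
    "dmz": {
        "cname": {},
        "a": {"svc.example.org": "192.0.2.10"},
        "ptr": {"192.0.2.10": "vhosts.dmz.example.org"},
    },
    "external": {
        "cname": {"svc.example.org": "lb.example.net"},
        "a": {"lb.example.net": "198.51.100.7"},
        "ptr": {},  # no reverse record published
    },
}

def canonicalize(host, view, reverse=True):
    """Forward-resolve (follow CNAMEs), then optionally reverse-resolve."""
    seen = set()
    while host in view["cname"] and host not in seen:
        seen.add(host)
        host = view["cname"][host]
    if reverse:
        addr = view["a"].get(host)
        host = view["ptr"].get(addr, host)  # keep forward name if no PTR
    return host.lower()

def spn(service, host, realm, view=None, reverse=True):
    """Build service/host@REALM; view=None means use the name as typed."""
    if view is not None:
        host = canonicalize(host, view, reverse)
    return f"{service}/{host.lower()}@{realm}"

def spns_needed(service, host, realm, canonicalize_dns):
    """Set of SPNs the server keytab must hold to serve every client view."""
    if not canonicalize_dns:
        return {spn(service, host, realm)}
    return {spn(service, host, realm, v) for v in RESOLVER_VIEWS.values()}

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, sorted(spns_needed("HTTP", "svc.example.org", "EXAMPLE.ORG", flag)))
```

Without canonicalization the keytab needs one entry for the name the user typed; with it, the set grows with every distinct DNS view a client may sit behind, and each of those records becomes an input to which principal the client requests a ticket for.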
