
Re: Turning off hostname canonicalisation



Sorry, I couldn't follow the whole discussion about canonicalisation. I also 
have issues with canonicalisation in my apps and would like to understand 
whether your discussion would help me too. Where does the canonicalisation 
take place in your case? In my case the canonicalisation is done when calling 
gss_import_name with type GSS_C_NT_HOSTBASED_SERVICE and the GSS service 
name service@hostname, but if I use GSS_C_NULL_OID then I have to provide the 
correct Kerberos principal, as no canonicalisation is performed. So there is 
no need for a global krb5.conf flag, or are there other places where 
canonicalisation is done inside the Kerberos code?

The other issue I see in enterprise environments is the use of CNAMEs and 
Global Server Load Balancing for load balancing, disaster recovery or simple 
failover. In these cases canonicalisation is very useful, since you wouldn't 
need to synchronise keytabs on different systems. (It may not be as secure, 
but you could mitigate the risk in other ways.)

Example:

A-record  host1.test.com  10.10.10.1
A-record  host2.test.com  10.10.10.2

CNAME     app.test.com    host1.test.com  (10.10.10.1)

If I now access app.test.com the canonicalisation gives me host1.test.com 
and I need a keytab for service/host1.test.com on host host1. In the disaster 
case the CNAME changes to (GSLB would do this automatically)

CNAME     app.test.com    host2.test.com  (10.10.10.2)

and I need a keytab with service/host2.test.com on host2. Without 
canonicalisation I would need to create a keytab for app.test.com and 
distribute it to every system, which can be painful in a bigger environment. So 
I see a need to keep canonicalisation on a service-by-service basis and not 
as a global switch.

Thank you
Markus
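The following is an added example, not code from the thread or from either Kerberos implementation. It models the step Markus describes: a GSS_C_NT_HOSTBASED_SERVICE name (service@hostname) is resolved through DNS, the CNAME chain is followed to the canonical A-record owner, and the Kerberos principal service/canonical-host@REALM is formed from that. The zone data is constructed to mirror his normal and failover layouts (plus a third zone standing in for attacker-controlled DNS, which is the reason he notes that canonicalisation is "not as secure"), and the realm TEST.COM is an assumption. The last function answers his practical question: which principal has to be in which host's keytab under each configuration.

```python
"""Hostname canonicalisation for host-based GSS names: added example.

A GSS-API library, given GSS_C_NT_HOSTBASED_SERVICE and "HTTP@app.test.com",
resolves app.test.com, follows CNAMEs to the canonical name and builds the
principal HTTP/<canonical-host>@REALM. With canonicalisation off the alias
itself becomes the principal's host component. The zones and the realm below
are constructed for this example.
"""
from typing import Dict, List, Set, Tuple

REALM = "TEST.COM"  # assumption: the realm serving the test.com hosts

# Constructed zone data: owner name -> (record type, rdata)
ZONE_NORMAL: Dict[str, Tuple[str, str]] = {
    "host1.test.com": ("A", "10.10.10.1"),
    "host2.test.com": ("A", "10.10.10.2"),
    "app.test.com": ("CNAME", "host1.test.com"),
}

# Same zone after the GSLB has flipped the alias to the standby host
ZONE_FAILOVER: Dict[str, Tuple[str, str]] = {
    "host1.test.com": ("A", "10.10.10.1"),
    "host2.test.com": ("A", "10.10.10.2"),
    "app.test.com": ("CNAME", "host2.test.com"),
}

# What a client sees if someone who controls its DNS answers repoints the alias
ZONE_SPOOFED: Dict[str, Tuple[str, str]] = {
    "rogue.test.com": ("A", "10.10.10.99"),
    "app.test.com": ("CNAME", "rogue.test.com"),
}


def canonicalize(hostname: str, zone: Dict[str, Tuple[str, str]], max_hops: int = 8) -> str:
    """Follow the CNAME chain from hostname to the name that owns an A record.

    Mirrors what getaddrinfo(AI_CANONNAME) returns to the Kerberos library.
    Bounded to max_hops so a looping CNAME chain cannot spin forever.
    """
    name = hostname.rstrip(".").lower()
    for _ in range(max_hops):
        rtype, rdata = zone.get(name, (None, None))
        if rtype == "A":
            return name
        if rtype == "CNAME":
            name = rdata.rstrip(".").lower()
            continue
        raise LookupError(f"no A or CNAME record for {name}")
    raise LookupError(f"CNAME chain from {hostname} exceeds {max_hops} hops")


def hostbased_to_principal(service_at_host: str, zone: Dict[str, Tuple[str, str]],
                           canonicalize_names: bool = True) -> str:
    """Turn a GSS_C_NT_HOSTBASED_SERVICE name into a Kerberos principal string.

    canonicalize_names=True models the default resolution through DNS;
    False models the behaviour Markus gets by supplying the principal himself
    (GSS_C_NULL_OID): the host part is used exactly as written.
    """
    service, sep, host = service_at_host.partition("@")
    if not sep or not service or not host:
        raise ValueError(f"expected service@hostname, got {service_at_host!r}")
    host_part = canonicalize(host, zone) if canonicalize_names else host.rstrip(".").lower()
    return f"{service}/{host_part}@{REALM}"


def keytab_entries_needed(service: str, alias: str,
                          zones: List[Dict[str, Tuple[str, str]]],
                          canonicalize_names: bool) -> Dict[str, Set[str]]:
    """Map each host that may serve the alias to the principals its keytab must hold.

    Iterates over every zone state the GSLB can produce (normal, failover, ...)
    and records which principal clients will ask for while that host is active.
    """
    needed: Dict[str, Set[str]] = {}
    for zone in zones:
        serving_host = canonicalize(alias, zone)  # the box the traffic lands on
        principal = hostbased_to_principal(f"{service}@{alias}", zone, canonicalize_names)
        needed.setdefault(serving_host, set()).add(principal)
    return needed


if __name__ == "__main__":
    for label, canon in (("canonicalisation on", True), ("canonicalisation off", False)):
        print(label)
        for host, princs in sorted(keytab_entries_needed("HTTP", "app.test.com",
                                                          [ZONE_NORMAL, ZONE_FAILOVER], canon).items()):
            print(f"  {host}: {sorted(princs)}")
    print("spoofed DNS, canonicalisation on:",
          hostbased_to_principal("HTTP@app.test.com", ZONE_SPOOFED))
```

With canonicalisation on, host1 needs only HTTP/host1.test.com and host2 only HTTP/host2.test.com, so each host keeps its own key and nothing has to be synchronised, which is Markus's argument for keeping it. With canonicalisation off, both hosts need the identical HTTP/app.test.com key, the distribution problem he describes. The spoofed zone shows the cost: a client that canonicalises through attacker-controlled DNS will happily request a ticket for HTTP/rogue.test.com, so the choice really does belong per service, weighed against how much the client trusts its resolver.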

----- Original Message ----- 
From: "Andrew Bartlett" <abartlet@samba.org>
To: "Jeffrey Altman" <jaltman@mit.edu>
Cc: <heimdal-discuss@sics.se>; <krbdev@mit.edu>
Sent: Saturday, September 10, 2005 11:41 AM
Subject: Re: Turning off hostname canonicalisation