[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Turning off hostname canonicalisation
With all the discussion on this subject in the last few days, doesn't this
come down to: Samba is windows centric and Windows Kerberos has canonicalization
and referrals to support it, and these features are documented in:
So the issue is implementing this in the other Kerberos implementations,
which requires some client changes, but will also requires KDC side changes to
do the realm lookups and canonicalization.
Is it also possible that since Windows uses both accounts and principals,
which are very close, but not the same, that while trying to have Samba
use straight Kerberos there are some missing mappings between account and
principal. Responses to this list maybe trying to force either Kerberos or
Samba to implement these mappings which where handled by Windows NT or AD.
Andrew Bartlett wrote:
> As part of our effort to get kerberos working really well in Samba4, I'm
> interested to turn off hostname canonicalisation, because it isn't
> required in AD realms, it doesn't make much sense anyway for netbios
> names and DNS is so often broken on real networks.
> Rather than just rip out the code (in our modified heimdal snapshot), I
> was looking at instead using a krb5.conf config option, and hoped that I
> might get some consensus as to how this should be done, between the two
> projects that share the /etc/krb5.conf file (and have done so very well,
> I get surprisingly little pain from this).
> I'm thinking along the lines of:
> hostname_canonicalise = no
> This would prevent the krb5 libs doing hostname lookups to obtain a
> fully-qualified hostname.
> For compatibility I assume it would be 'yes' by default, but Samba would
> set it to no in the krb5_init_context routines.
> Does this sound sane?
> Andrew Bartlett
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439