Re: Turning off hostname canonicalisation
>>>>> "Jeffrey" == Jeffrey Hutzelman <email@example.com> writes:
Jeffrey> On Tuesday, September 13, 2005 02:59:41 PM -0400 Sam
Jeffrey> <firstname.lastname@example.org> wrote:
>>>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com>
Nicolas> The proposed set/change password version 2 protocol deals
Nicolas> with principal aliasing...
>> It requires that the KDC be able to enumerate all the
>> principals that a particular service can be known as. That is
>> not compatible with case insensitive keytabs in an
>> interoperable manner.
Jeffrey> You've used that phrase twice now, and I still can't
Jeffrey> figure out what it means. What requirement do you see
Jeffrey> that is not being met?
The issue is that unless I know that both the KDC and the keytab code
are case insensitive, then it will not work interoperably.
I think it is very dangerous to encourage implementations to have
aliasing algorithms beyond what the set/change password spec will
allow because doing so reduces the likelihood that one vendor's code
can be used to replace another vendor's code.