On Wed, 2005-11-30 at 19:05 -0500, Roland.Dowdeswell@MorganStanley.com wrote:
> So, by default the MIT libs when asked to forward tickets to the remote
> end will decide whether to include addresses in the forwarded ticket by
> checking your current TGT and seeing whether it has addresses. And the
> addresses that the libs put in the forwarded ticket are determined via
> a DNS forward lookup of the remote end's hostname. I would like to
> have addressed TGTs while forwarding addressless tickets, so I've put
> together a tiny patch which defines a boolean in the [libdefaults]
> section of $KRB5_CONFIG to let me do this [below].
>
> What's the chance of including this in the main tree?
>
> (I'll elide the long discussion about why using DNS to determine what
> addresses the remote end might use to talk to the KDC is pretty much
> guaranteed to be incorrect for at least some of the hosts on a
> corporate network. The only reasonable strategy would be to ask the
> remote end what its addresses are, or something along those lines.)

For the same reason I added a similar option to lorikeet-heimdal (my branch of Heimdal for use in Samba4) for exactly the same reasons. In addition, we tend to find we are using netbios names, which makes DNS doubly bogus.

I like your choice of name, but should this be a libdefaults or an appdefaults issue? (no-addresses seems to be under appdefaults in Heimdal).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net