
Re: Ticket addresses w.r.t. forwarded tickets.




Andrew Bartlett <abartlet@samba.org> writes:

> On Wed, 2005-11-30 at 19:05 -0500, Roland.Dowdeswell@MorganStanley.com
> wrote:
>> So, by default the MIT libs when asked to forward tickets to the remote
>> end will decide whether to include addresses in the forwarded ticket by
>> checking your current TGT and seeing whether it has addresses.  And the
>> addresses that the libs put in the forwarded ticket are determined via
>> a DNS forward lookup of the remote end's hostname.  I would like to
>> have addressed TGTs while forwarding addressless tickets, so I've put
>> together a tiny patch which defines a boolean in the [libdefaults]
>> section of $KRB5_CONFIG to let me do this [below].
>> 
>> What's the chance of including this in the main tree?
>> 
>> (I'll elide the long discussion about why using DNS to determine what
>> addresses the remote end might use to talk to the KDC is pretty much
>> guaranteed to be incorrect for at least some of the hosts on a
>> corporate network.  The only reasonable strategy would be to ask the
>> remote end what its addresses are, or something along those lines.)
>
> For the same reason I added a similar option to lorikeet-heimdal (my
> branch of Heimdal for use in Samba4) for exactly the same reasons.  In
> addition, we tend to find we are using netbios names, which makes DNS
> doubly bogus.

Changed the order the code checks if addressless tickets should be used when
forwarding, using the option first, and then checking if the tgt is
addressless.

Also I added a global default to change the behavior of the
addressless-ness.

I didn't use your patch, but rather just let no-addresses control all
issues of address-less-ness.

Love
