[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

Sam Hartman hartmans at debian.org
Thu Apr 29 16:28:48 BST 2010


The Kerberos Consortium has a paper on integrating Kerberos into an
application; see http://www.kerberos.org/software/appskerberos.pdf .

I believe that the lucid behavior is correct according to MIT's
documentation: what should be happening is that

* with rdns=true (default), both forward and reverse resolution are
  performed and the reverse name is used

* with rdns=false, forward resolution is performed including alias
  resolution--that is, cnames turn into the pointed-to value, not the
  entered value.

That behavior seems consistent with the code.  If you believe that
things aren't working that way, then I can attempt to reproduce.

As I understand your patch, it would (on some platforms including all
Ubuntu platforms) cause the rdns=false behavior to actually skip
resolution and just use the entered name, not resolving cnames.

It's possible there was a bug in previous releases of MIT Kerberos and
this was the behavior.

I also understand that the behavior surrounding Kerberos and DNS is kind
of complicated and not entirely desirable.  The paper I pointed you at
includes discussions of problems with the current behavior and eventual
goals.  It also recommends ways applications can avoid forward/reverse
DNS resolution if they wish to do so.

-- 
krb5 prefers the reverse pointer no matter what for locating service tickets.  
https://bugs.launchpad.net/bugs/571572
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.
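
The three behaviours discussed in this message (rdns=true, rdns=false, and skipping resolution as the patch is understood to do), modelled as an added example that is not part of the original e-mail and is not MIT krb5 code. The DNS records, the `service_hostname` helper and its `resolve` switch are constructed for illustration.

```python
# Added illustration: a toy model of the hostname handling described above.
# All DNS records are constructed sample data, not taken from the bug report.
CNAME = {"www.example.com": "web01.example.com"}
A = {"web01.example.com": "192.0.2.10"}
PTR = {"192.0.2.10": "host-10.hosting.example.net"}


def forward_canonical(name):
    """Follow CNAMEs to the pointed-to name; return (canonical_name, address)."""
    seen = set()
    while name in CNAME:
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = CNAME[name]
    return name, A.get(name)


def service_hostname(entered, rdns=True, resolve=True):
    """Hypothetical helper: pick the host part of the service principal.

    resolve=False models the patched behaviour the message describes
    (skip resolution, use the entered name as typed).
    """
    entered = entered.lower().rstrip(".")
    if not resolve:
        return entered
    canonical, address = forward_canonical(entered)
    if address is None:
        return entered  # assumption of this model: unresolvable name is used as entered
    if rdns:
        # rdns=true: the reverse (PTR) name wins. Assumption of this model:
        # with no PTR record, the forward canonical name is kept.
        return PTR.get(address, canonical)
    return canonical  # rdns=false: CNAME target, not the entered alias


def service_principal(service, entered, **options):
    return service + "/" + service_hostname(entered, **options)


if __name__ == "__main__":
    for label, opts in [("rdns=true", {"rdns": True}),
                        ("rdns=false", {"rdns": False}),
                        ("no resolution", {"resolve": False})]:
        print(label, "->", service_principal("host", "www.example.com", **opts))
```

In this model the same entered name yields three different service principals, and under rdns=true the host part comes from a PTR record that may live outside the zone of the name the user typed.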


