[Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.
Sam Hartman
hartmans at debian.org
Thu Apr 29 16:28:48 BST 2010
The Kerberos Consortium has a paper on integrating Kerberos into an
application; see http://www.kerberos.org/software/appskerberos.pdf .

I believe that the lucid behavior is correct according to MIT's
documentation: what should be happening is that

* with rdns=true (default), both forward and reverse resolution is
  performed and the reverse name is used
* with rdns=false, forward resolution is performed including alias
  resolution--that is cnames turn into the pointed-to value not the
  entered value.

That behavior seems consistent with the code. If you believe that
things aren't working that way, then I can attempt to reproduce.

As I understand your patch, it would (on some platforms including all
Ubuntu platforms) cause the rdns=false behavior to actually skip
resolution and just use the entered name not resolving cnames.
It's possible there was a bug in previous releases of MIT Kerberos and
this was the behavior.

I also understand that the behavior surrounding Kerberos and DNS is kind
of complicated and not entirely desirable. The paper I pointed you at
includes discussions of problems with the current behavior and eventual
goals. It also recommends ways applications can avoid forward/reverse
DNS resolution if they wish to do so.
--
krb5 prefers the reverse pointer no matter what for locating service tickets.
https://bugs.launchpad.net/bugs/571572
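
An added illustration, not part of the message above and not MIT Kerberos code: a small Python model of the three hostname-selection behaviours the message distinguishes (rdns=true, rdns=false, and skipping resolution entirely), showing which service principal a client would end up requesting a ticket for. The DNS records, realm and function names are constructed for the example, and falling back to the forward name when no PTR record exists is an assumption.

```python
# Constructed DNS data (not from the bug report): "www" is an alias for a
# host whose address has a PTR record naming a different host.
CNAME = {"www.example.com": "web01.example.com"}
A = {"web01.example.com": "192.0.2.10", "db.example.com": "192.0.2.20"}
PTR = {"192.0.2.10": "rack7-node3.example.net"}  # db has no PTR record


def forward_canonical(name):
    """Forward lookup with alias resolution: CNAMEs become the pointed-to name."""
    name = name.rstrip(".").lower()
    seen = set()
    while name in CNAME:
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = CNAME[name]
    if name not in A:
        raise LookupError("no address record for " + name)
    return name, A[name]


def service_hostname(entered, rdns=True):
    """Pick the hostname component of the service principal."""
    canon, addr = forward_canonical(entered)
    if rdns:
        # rdns=true: the reverse (PTR) name wins over the forward name.
        # Assumption: with no PTR record, the forward canonical name is kept.
        return PTR.get(addr, canon)
    # rdns=false: forward resolution only, aliases resolved.
    return canon


def service_principal(service, entered, realm, rdns=True):
    return "%s/%s@%s" % (service, service_hostname(entered, rdns), realm)


def skip_resolution_principal(service, entered, realm):
    """Entered name used as typed, no CNAME resolution (the behaviour the
    message says the proposed patch would produce for rdns=false)."""
    return "%s/%s@%s" % (service, entered.rstrip(".").lower(), realm)


if __name__ == "__main__":
    for rdns in (True, False):
        print("rdns=%s ->" % rdns,
              service_principal("host", "www.example.com", "EXAMPLE.COM", rdns))
    print("no resolution ->",
          skip_resolution_principal("host", "www.example.com", "EXAMPLE.COM"))
```

The three results differ for the same entered name, so the KDC needs a matching principal for whichever name the client's configuration selects; with rdns=true that name depends on PTR data controlled by whoever owns the reverse zone.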