[krbdev.mit.edu #8925] [Comment] qualify_shortname default can be harmful in LAN setups


Greg Hudson via RT

This is a comment.  It is not sent to the Requestor(s):

Some ancillary wrinkles:

* krb5_sname_to_principal() allows :port suffixes (used by MSSQLSvc
principals), but the current fallback processing in get_creds.c does not.

* krb5_get_init_creds_keytab() iterates over the keytab to find the available
enctypes so it can put those first in the request, and errors out if it doesn't
find any. This operation does not substitute the default realm for the referral
realm like krb5_kt_get_entry() does.

* krb5_sname_to_principal() looks up the realm (in [domain_realm] or a
hostrealm plugin module) of the first expanded hostname candidate. The current
fallback processing does not repeat this lookup. If qualify_shortname is "",
the lookup is unlikely to succeed for the local hostname or a short hostname.

krb5-bugs mailing list
[hidden email]
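The shortname qualification, `:port` handling and realm lookup discussed in the first and third bullets above, as an added Python model (illustrative code, not libkrb5's implementation). `DOMAIN_REALM`, `qualify`, `lookup_realm` and `sname_to_principal` are assumed names, the mapping is constructed, and an empty realm stands in for the referral realm.

```python
# Added example (not krb5 code): simplified model of host-based principal
# construction with a qualify_shortname domain and a [domain_realm]-style lookup.

DOMAIN_REALM = {".example.com": "EXAMPLE.COM"}  # constructed mapping


def split_port(host):
    """Split an optional ':port' suffix, as used by MSSQLSvc/host:port."""
    name, sep, port = host.partition(":")
    return name, (port if sep else None)


def qualify(host, qualify_shortname):
    """Append qualify_shortname to a single-label hostname.
    An empty qualify_shortname disables qualification; the :port suffix
    is preserved across the rewrite."""
    name, port = split_port(host)
    if "." not in name and qualify_shortname:
        name = f"{name}.{qualify_shortname}"
    return name + (f":{port}" if port else "")


def lookup_realm(host, mapping):
    """Domain-to-realm lookup: exact host first, then parent domains with a
    leading dot, longest match first. The :port suffix is ignored."""
    name, _ = split_port(host)
    name = name.lower()
    if name in mapping:
        return mapping[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # no mapping: a short hostname never reaches a domain entry


def sname_to_principal(service, host, qualify_shortname, mapping):
    """Build service/host@REALM; an empty realm models the referral realm."""
    h = qualify(host, qualify_shortname)
    realm = lookup_realm(h, mapping) or ""
    return f"{service}/{h}@{realm}"
```

With qualification enabled the port-bearing name maps to a realm; with qualify_shortname set to "" the same short name yields the referral realm.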