Re: [modauthkerb] Re: No principal in keytab matches desired name
From: Achim G. <ac...@gr...> - 2006-02-17 19:52:14
On Friday 17 February 2006 20:49, Henry B. Hotz wrote:
> On Feb 17, 2006, at 11:24 AM, Achim Grolms wrote:
> > CNAMEs work if the name in keytab is the canonical hostname.
> >
> > Achim
>
> Maybe on some implementations, but in general you should expect the
> client Kerberos library to do a reverse lookup on the IP of the web
> server and use *that* as the second component of the principal it
> tries to use. To be precise it's not that you can't use a CNAME, but
> you MUST use the value of the PTR record for the IP of the server
> (unless it's overridden by /etc/hosts).

Correct.
What is the difference to what I have written?

Achim
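
The lookup order discussed in this thread, as an added example that is not part of the original messages or of mod_auth_kerb: it derives the HTTP service principal a client would request (forward lookup, then the PTR name of that address) and checks it against a list of keytab principals. The host names, address, realm and the no-PTR fallback are constructed assumptions.

```python
import socket

# Constructed DNS data: www is a CNAME for web01, whose address has one PTR record.
FORWARD = {"www.example.com": "192.0.2.10", "web01.example.com": "192.0.2.10"}
PTR = {"192.0.2.10": "web01.example.com."}

def canonical_host(name, forward=None, reverse=None):
    """Forward-resolve name, then use the PTR name of the resulting address."""
    forward = forward or socket.gethostbyname
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    ip = forward(name)
    try:
        host = reverse(ip)
    except (socket.herror, KeyError):
        host = name  # assumption: with no PTR record, keep the name as requested
    return host.rstrip(".").lower()

def expected_principal(url_host, realm, forward=None, reverse=None):
    """Service principal a client would request for http://url_host/."""
    return f"HTTP/{canonical_host(url_host, forward, reverse)}@{realm}"

def check_keytab(url_host, realm, keytab_principals, forward=None, reverse=None):
    """Return (expected principal, whether the keytab holds it)."""
    want = expected_principal(url_host, realm, forward, reverse)
    return want, want in set(keytab_principals)

if __name__ == "__main__":
    fwd, rev = FORWARD.__getitem__, PTR.__getitem__
    for keytab in (["HTTP/www.example.com@EXAMPLE.COM"],
                   ["HTTP/web01.example.com@EXAMPLE.COM"]):
        want, ok = check_keytab("www.example.com", "EXAMPLE.COM", keytab, fwd, rev)
        print(f"keytab={keytab} wanted={want} match={ok}")
```

Called without the `forward` and `reverse` arguments, the functions use the system resolver, so the result reflects what the local host would actually resolve.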