Re: [Perlgssapi-users] gss_nt_service_name
From: David L. <Dav...@qu...> - 2006-09-23 13:44:03
Achim Grolms wrote:
>
>> the client should ensure that the hostname part of the
>> specified target GSS host-based service name matches the DNS hostname of
>> the IP connection's destination host?
>> This is addressed by RFC 2743:
>>
>
> Yes.
> gss_nt_krb5_principal means no hostname lookups or anything of that kind.
>
>

Well, krb5 principal names have 'conventions'.. SRV-HST name type is what could be divined here. And then depending on how you read the RFCs, you could make your server derive the IP address from any given krb5 SPN.

But, in this case isn't the krb5 name being used as an override? The target host name is known; the IP address is being found through (trusted) DNS, only that the SPN to use in the initial token exchange is not coming from the normal way (i.e. derived from the target DNS name) but instead is being provided as an override. So, no need for lookup/canonicalization of the name.

d