From: Ken Raeburn
To: krb5-bugs@MIT.EDU
Subject: bugs in generating kadmin service principal name from hostname
Date: Fri, 26 Jun 2009 18:45:11 -0400
Message-ID: <0357D27D-8537-4FB4-AD09-FB440365B6C8@mit.edu>

I think kadm5_get_admin_service_name should be using krb5_sname_to_principal. As the code is now, it doesn't follow the same logic for generating the host-based principal names for kadmin as we use for other host-based services.

(You can argue that that logic in sn2princ is wrong, and we shouldn't be doing the DNS lookups, blah blah blah, but I think being inconsistent and wrong in two places is worse than being consistently wrong and doing it in one place.)

If there's a reason for it not to use krb5_sname_to_principal, it should probably at least force the hostname to lower-case when constructing the principal name. The only reason I can think of is consistency with Sun's behavior, but I would think we'd want that more globally, or more generally configurable, not just confined to kadmin.
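
Added example, not part of the original message or of the krb5 source: principal names are compared case-sensitively, so a kadmin service name built from a mixed-case hostname misses a database entry registered in lower case, while the lower-cased form suggested above matches. The helper functions, hostname, realm and database entry are constructed for illustration, and the DNS canonicalization step of krb5_sname_to_principal is not modelled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of principals registered in a KDC database. */
static const char *const kdb[] = {
    "kadmin/kdc1.example.com@EXAMPLE.COM",
};

/* Hypothetical helper: build "sname/host@realm" from the hostname as given. */
int build_raw(const char *sname, const char *host, const char *realm,
              char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s@%s", sname, host, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hypothetical helper: same name, hostname part forced to lower case (no DNS). */
int build_folded(const char *sname, const char *host, const char *realm,
                 char *out, size_t outlen)
{
    if (build_raw(sname, host, realm, out, outlen) != 0)
        return -1;
    char *p = out + strlen(sname) + 1, *end = p + strlen(host);
    for (; p < end; p++)
        *p = (char)tolower((unsigned char)*p);
    return 0;
}

/* Principal names are compared byte for byte, so the lookup is case-sensitive. */
int kdb_has(const char *princ)
{
    for (size_t i = 0; i < sizeof(kdb) / sizeof(kdb[0]); i++)
        if (strcmp(kdb[i], princ) == 0)
            return 1;
    return 0;
}

int main(void)
{
    char raw[512], folded[512];
    const char *host = "KDC1.Example.COM"; /* constructed mixed-case hostname */
    if (build_raw("kadmin", host, "EXAMPLE.COM", raw, sizeof(raw)) != 0 ||
        build_folded("kadmin", host, "EXAMPLE.COM", folded, sizeof(folded)) != 0)
        return 1;
    printf("%s found=%d\n", raw, kdb_has(raw));
    printf("%s found=%d\n", folded, kdb_has(folded));
    return 0;
}
```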