X-RT-Interface: Web MIME-Version: 1.0 Message-ID: X-Mailer: MIME-tools 5.507 (Entity 5.507) Content-Transfer-Encoding: binary Content-Type: text/html; charset="utf-8" Content-Disposition: inline References: In-Reply-To: X-RT-Original-Encoding: utf-8 RT-Send-CC: Content-Length: 1440 Measures I have considered so far:

* Implement canonicalization fallback for keytab search, as Heimdal does in its hostname canonicalization framework.  If we did this, we might be able to get away with a qualify_shortname="" default, sacrificing the TGS convenience.

* Using getaddrinfo(gethostname()) to construct the local FQDN, regardless of dns_canonicalize_hostname value, under the theory that the local hostname will be listed in /etc/hosts.  This wouldn't solve the GSS acceptor name case because we don't specifically know we're getting the local FQDN (unless we compared the supplied hostname to gethostname(), but that seems like it would create other edge cases).  Also, I checked a few hosts under my control and found that one of them did not list the local hostname in /etc/hosts (so "hostname -f" goes to DNS).

We might also consider delaying any transformation of the hostname until krb5_get_credentials/krb5_kt_et_entry time, so that we remember the original value.  In the LAN case, hostname.ispdomain probably does not resolve, whereas the hostname alone does, so early shortname qualification gets in the way of fallback.  Heimdal does this in its hostname canonicalization framework unless there is a single canonicalization rule of "nss".  (Well, more or less; it still removes trailing dots immediately.)