From: Ken Raeburn <raeburn@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: bugs in generating kadmin service principal name from hostname
Date: Fri, 26 Jun 2009 18:45:11 -0400

I think kadm5_get_admin_service_name should be using
krb5_sname_to_principal. As the code is now, it doesn't follow the
same logic for generating the host-based principal names for kadmin as
we use for other host-based services. (You can argue that that logic
in sn2princ is wrong, and we shouldn't be doing the DNS lookups, blah
blah blah, but I think being inconsistent and wrong in two places is
worse than being consistently wrong and doing it in one place.)
If there's a reason for it not to use krb5_sname_to_principal, it
should probably at least force the hostname to lower-case when
constructing the principal name. The only reason I can think of is
consistency with Sun's behavior, but I would think we'd want that more
globally, or more generally configurable, not just confined to kadmin.
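
Added example, not part of the original message and not MIT krb5 or kadm5 code: a minimal sketch of the fallback the message suggests, forcing the hostname to lower case before building the kadmin principal name, since Kerberos principal names are compared case-sensitively. The helper name build_kadmin_princ, the trailing-dot handling, the rejection of separator characters, and the host and realm names are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libkrb5/kadm5 function): writes
 * "kadmin/<host>@<realm>" into out with the host part lower-cased.
 * Returns 0 on success, -1 on bad input or if the result does not fit. */
int build_kadmin_princ(const char *host, const char *realm,
                       char *out, size_t outlen)
{
    char lhost[256];
    size_t n, i;
    int w;

    if (host == NULL || realm == NULL || out == NULL || outlen == 0)
        return -1;
    n = strlen(host);
    /* Assumption of this example: drop one trailing dot of an FQDN. */
    if (n > 0 && host[n - 1] == '.')
        n--;
    if (n == 0 || n >= sizeof(lhost) || realm[0] == '\0')
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        /* '/' and '@' separate principal components; refuse them. */
        if (c == '/' || c == '@' || isspace(c))
            return -1;
        lhost[i] = (char)tolower(c);
    }
    lhost[n] = '\0';
    w = snprintf(out, outlen, "kadmin/%s@%s", lhost, realm);
    return (w >= 0 && (size_t)w < outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample input: mixed-case hostname as typed by a user. */
    const char *host = "KDC1.Example.COM";
    char naive[300], fixed[300];

    /* Case-preserving construction: will not match a lower-case entry. */
    snprintf(naive, sizeof(naive), "kadmin/%s@%s", host, "EXAMPLE.COM");
    if (build_kadmin_princ(host, "EXAMPLE.COM", fixed, sizeof(fixed)) != 0)
        return 1;
    printf("case-preserved: %s\nlower-cased:    %s\n", naive, fixed);
    return 0;
}
```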