hostnames as far as fully qualifying them in the client name resolution
environment and following CNAME records
[this seems desirable but could be technically problematic]
-
-==============================================================================
-
-
-old implementation
-==================
-client side, part 1: (filling in principal structure):
-- client calls krb5_sname_to_principal
- - krb5_get_host_realm doesn't (can't) know what the referral
- status is, but *realmsp[1] can be used to indicate that a fallback
- realm determination was made (TXT record or usually-bogus
- default_realm), in which case a referral should be attempted if requested
- - if fallback data was returned and kdc realm referrals are turned on,
- krb5_sname_to_principal resets principal domain to ""
-- other options we don't care about:
- - krb5_parse_name, krb5_build_principal
- - both of these operate at a low level; although they're
- user-visible, the general expectation is that the calling code
- knows exactly what it wants
-
-client side, part 2: krb5_get_credentials
- -
-
-krb5_sname_to_principal clears principal realm
-uses that information and referral status to
-
-
-- if kdc referrals turned off, call get_host_realm normally
- - if turned on, calls to get_host_realm with extra ("no fallback") bit set
- - first, do the existing domain_realm profile checks
- (iterate through the hostname looking for a match)
- - if no match, return with an error before trying DNS (TXT record)
- or default_realm assumption
- - **OR**
- - process normally, but set some magic flag somewhere if realm was
- determined via fallback
-
-- can use additional parts of hrealms to indicate the fallback status of
- the realm offered?
-
-old ccache questions:
-====================
- - questions:
- - will/should the library use or search on the canonical principal
- name as well?
- - when do we need to have the real server name stored as well?
- is this is needed for app_req?
- - where can we store both names?
projects / thirdparty / krb5.git / commitdiff
