Work required before we enable krb5 in default config

Luke Howard lukeh at padl.com
Thu Sep 8 15:00:20 GMT 2005


>GSSAPI wrapping (assumed a fixed GSSAPI wrap format):
>The GSSAPI gss_wrap() call isn't suitable for DCE/RPC, so I intend to
>add a new API to put back separate sign/seal interfaces with separate
>signature generation.  This should work with the new AES wrap format.  I
>need to figure out how Microsoft handles this...

I think the gss_wrap_ex() we added should do this; it's sitting in
the mechglue branch of Heimdal.

>We need to ensure that Heimdal doesn't cause us to do blocking DNS
>lookups for domains that may not be kerberised, and in particular for
>the client-side canonicalisation of hostnames (that may not exist in
>DNS).  I don't want to enable this, and have users swearing at DNS
>timeouts.

You should be able to disable this entirely in the client library;
it's not necessary with Active Directory because the KDC can do name
canonicalization.

-- Luke
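The client-side switch Luke refers to, as an added krb5.conf fragment that is not part of the original thread or of Samba's or Heimdal's own files: it turns off the library's DNS canonicalization of hostnames and its DNS lookup of KDCs, pointing the realm at explicit KDCs instead. The realm, domain and host names are placeholders; the option names are the [libdefaults] settings documented in krb5.conf(5), and the fragment assumes a client library that honours them.

```ini
# Added example (constructed values). Weak form: both DNS-driven
# behaviours left at their defaults, so a service ticket request for
# a host in an un-kerberised domain can block on DNS before it fails.
#
# [libdefaults]
#     default_realm = EXAMPLE.ORG
#     dns_canonicalize_hostname = true
#     dns_lookup_kdc = true

# Hardened form: no DNS round trips from the client library itself.
# With AD the KDC canonicalizes the principal name server-side, so the
# client does not need to resolve the host before asking for a ticket.
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_canonicalize_hostname = false
    dns_lookup_kdc = false

# KDCs are named explicitly, so no SRV lookup is needed to find them.
[realms]
    EXAMPLE.ORG = {
        kdc = dc1.example.org
        kdc = dc2.example.org
        admin_server = dc1.example.org
    }

# Hosts map to the realm statically; any host not listed here gets no
# realm from the client library rather than a speculative DNS query.
[domain_realm]
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG
```

A quick check that the setting took effect is to request a ticket for a service principal on a host that does not exist in DNS and confirm the request fails immediately with an unknown-principal error from the KDC rather than after a resolver timeout.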
