
Re: Freeze exception for sssd?



Petter Reinholdtsen <pere@hungry.com> writes:
> [Russ Allbery]

>> You should reverse this logic and check for and prefer the SRV record
>> first, as that's the documented purpose of the SRV record and any site
>> that's configured the SRV record probably knows what they're doing and
>> isn't going to want you to do simple name guessing.

> That will break the autodetection for uio.no.  The logic was done this
> way to ensure that it will prefer the DNS aliases used at uio.no and in
> Debian Edu over those in SRV records, to make sure Windows / Active
> Directory settings in SRV records are the fallback and not the primary
> configuration when both are provided at the site (like it is with uio.no
> and Debian Edu :).

That's frustrating, but the current code is going to break for a bunch of
other people and is also going directly against the intended purpose for
the SRV records.  It's not uncommon for specific hostnames to be grabbed
by some other department or project for legacy reasons, and one of the
primary purposes of SRV records is to be the canonical source of data so
that people don't do the wrong thing with hostname guessing.

Maybe maintain a blacklist of specific sites that cannot use SRV records
for whatever reason?

Incidentally, if /etc/krb5.conf exists, you probably want to look there
for the Kerberos realm and KDCs, since that file overrides DNS for all
Kerberos code and is most likely to be correct if it is present and
contains the information you want.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
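
The lookup order suggested in the message above (krb5.conf first, then SRV records, then hostname guessing, with a list of sites exempted from SRV), sketched as an added example that is not code from this thread or from sssd. The function names, the `no_srv_sites` parameter, the `kerberos.<domain>` guess, and deriving the realm by upper-casing the domain are all assumptions; DNS is injected as callables so the sample runs offline.

```python
import re

# Constructed sample file contents; the realm and hosts are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        kdc = kdc2.example.org
    }
"""

def parse_krb5_conf(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf text."""
    section = realm = default_realm = None
    kdcs = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        key, _, val = (part.strip() for part in line.partition("="))
        if header:
            section, realm = header.group(1), None
        elif section == "libdefaults" and key == "default_realm":
            default_realm = val
        elif section == "realms" and line == "}":
            realm = None
        elif section == "realms" and val == "{":
            realm = key
        elif section == "realms" and realm and key == "kdc":
            kdcs.setdefault(realm, []).append(val)
    return default_realm, kdcs

def discover_kdcs(domain, krb5_conf_text, srv_lookup, host_exists, no_srv_sites=()):
    """Precedence: krb5.conf, then SRV records, then hostname guessing."""
    if krb5_conf_text:
        realm, kdcs = parse_krb5_conf(krb5_conf_text)
        if realm and kdcs.get(realm):
            return "krb5.conf", realm, kdcs[realm]
    if domain not in no_srv_sites:  # sites listed here skip SRV entirely
        targets = srv_lookup("_kerberos._udp." + domain)
        if targets:
            return "srv", domain.upper(), targets
    guess = "kerberos." + domain  # hypothetical alias name, an assumption
    if host_exists(guess):
        return "guess", domain.upper(), [guess]
    return None, None, []

# Constructed stand-ins for DNS so the example runs offline.
fake_srv = lambda name: {"_kerberos._udp.example.org": ["srv-kdc.example.org"]}.get(name, [])
fake_host = lambda name: name == "kerberos.example.org"
```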

