I would also recommend finding a way to get rid of the forward resolution as well. That's more difficult because krb5_sname_to_principal() lacks context that might be helpful to hostbased principal canonicalization. One approach might be to add a new form(s) of that function that accepts additional contextual arguments, then start using it instead of the old function.
In any case, +1 from me.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos