Reading kerberos-adm from DNS: when will MIT-krb support this?
Marcus Watts
mdw at umich.edu
Mon Mar 12 22:25:25 EDT 2007
> This is used for the password-changing service, but unfortunately the
> RPC code used for the kadmin program still looks up admin_server, and
> uses the first IP address found when looking up that hostname. No
> DNS, one hostname, one address, no service-location plugin support,
> no IPv6. These do need to be fixed....
That's sad. But you're right, there is a kadm5_config_params structure
which contains the field
char * admin_server
which can be set by
krb5/src/kadmin/cli/kadmin.c
(as a command line "here is the server" option), or by
krb5/src/lib/kadm5/alt_prof.c
based on krb5.conf stuff,
[realms] XXX = { admin_server = YYY }
It's used by
krb5/src/lib/kadm5/clnt/client_init.c
where the string is used as a parameter to gethostbyname -- and as you point
out only the first address returned is passed as a parameter to clnttcp_create.
Looks like it should be possible to use
krb5int_locate_server(?, ?, ?, locate_service_kadmin, SOCK_STREAM, AF_INET);
(or, as you say, equivalent IPv6 logic), presumably followed by some sort
of loop based on whatever comes back in addrlist, looping to connect,
and returning the first connection that also succeeds with clnttcp_create,
plus some sort of application hook for "kadmin -s host:port" to
override the behavior of krb5int_locate_server.
IPv6 support raises the question of an IPv6 portmapper, even though your
code doesn't actually need this...
-Marcus
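The two pieces Marcus sketches, a connect loop over every address returned for the admin server and a "-s host:port" override hook, as an added C example that is not MIT krb5 code and not part of this message: getaddrinfo() stands in for the krb5int_locate_server address list, and parse_admin_server / connect_any are hypothetical names; the default port (kadmin's registered port is 749) is passed in by the caller.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>

/* Hypothetical helper: split an "-s host:port" override into host and port.
 * Accepts "host", "host:port", "[v6]:port"; -1 on malformed input. */
static int parse_admin_server(const char *spec, char *host, size_t hostlen,
                              char *port, size_t portlen, const char *defport)
{
    const char *h = spec, *hend, *p = NULL;
    if (*spec == '[') {                         /* bracketed IPv6 literal */
        hend = strchr(spec, ']');
        if (!hend) return -1;
        h = spec + 1;
        if (hend[1] == ':') p = hend + 2;
        else if (hend[1] != '\0') return -1;
    } else {
        const char *c = strchr(spec, ':');
        if (c && strchr(c + 1, ':')) return -1;  /* unbracketed v6: ambiguous */
        hend = c ? c : spec + strlen(spec);
        if (c) p = c + 1;
    }
    if (hend == h || (size_t)(hend - h) >= hostlen) return -1;
    memcpy(host, h, hend - h); host[hend - h] = '\0';
    if (p && *p == '\0') return -1;             /* "host:" with empty port */
    snprintf(port, portlen, "%s", p ? p : defport);
    return 0;
}

/* Replaces gethostbyname()+first-address: try every address getaddrinfo()
 * returns, v4 or v6, and return the first connected socket, else -1. */
static int connect_any(const char *host, const char *port)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;                /* v4 and v6 alike */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    for (ai = res; ai; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) continue;
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) break;
        close(fd); fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}
```

The returned descriptor is what would then be handed to clnttcp_create; the loop only commits to an address once connect() has actually succeeded.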