Reading kerberos-adm from DNS: when will MIT-krb support this?
Adam Megacz
megacz at cs.berkeley.edu
Sat Mar 15 22:36:02 EDT 2008
Ken Raeburn <raeburn at mit.edu> writes:
>> I believe the future has already arrived. Current MIT code should
>> be capable of finding and using records like this:
>>
>> spam% dig _kerberos-adm._tcp.umich.edu srv
>
> This is used for the password-changing service, but unfortunately the
> RPC code used for the kadmin program still looks up admin_server, and
> uses the first IP address found when looking up that hostname. No
> DNS, one hostname, one address, no service-location plugin support,
> no IPv6. These do need to be fixed....
This should help.
- a
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index bb87f88..48b1792 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -416,10 +416,31 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv,
params.admin_server = strdup(params_in->admin_server);
if (params.admin_server)
params.mask |= KADM5_CONFIG_ADMIN_SERVER;
- } else if (aprofile &&
- !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
- params.admin_server = svalue;
- params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+ } else if (aprofile) {
+ if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+ params.admin_server = svalue;
+ params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+ } else {
+ struct addrlist addrlist;
+ int i;
+ krb5_data drealm;
+ drealm.data = (void*)params.realm;
+ drealm.length = strlen(params.realm);
+ if (!krb5int_locate_server(context, &drealm, &addrlist, 0,
+ "admin_server", "_kerberos-adm", 1,
+ DEFAULT_KPASSWD_PORT, 0, 0)) {
+ for (i=0;i<addrlist.naddrs;i++ ) {
+ struct addrinfo *a = addrlist.addrs[i];
+ if (a->ai_family == AF_INET) {
+ params.admin_server = strdup(inet_ntoa(sa2sin(a->ai_addr)->sin_addr));
+ params.kadmind_port = ntohs(sa2sin (a->ai_addr)->sin_port);
+ params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+ params.mask |= KADM5_CONFIG_KADMIND_PORT;
+ break;
+ }
+ }
+ }
+ }
}
if (params.mask & KADM5_CONFIG_ADMIN_SERVER) {
char *p;
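Review bot: The address list filled in by krb5int_locate_server in the new else branch is never released, so every call that falls through to DNS lookup leaks it; add a krb5int_free_addrlist(&addrlist) after the for loop (on both the found and not-found paths). In the same loop, the strdup result at `params.admin_server = strdup(inet_ntoa(...))` is assigned and KADM5_CONFIG_ADMIN_SERVER is set without a NULL check, unlike the `if (params.admin_server)` guard a few lines above; mirror that guard here. Note also that the branch only accepts `a->ai_family == AF_INET` and converts through inet_ntoa, then breaks on the first match, so of the problems listed in the quoted message (one address, no IPv6) this fixes only the lookup source; AF_INET6 entries are skipped and only the first usable address is ever recorded, which is worth stating in the commit message. Finally, the call passes DEFAULT_KPASSWD_PORT as the fallback port while locating "admin_server"/"_kerberos-adm", and passes bare 0 literals for the remaining arguments; confirm that the kadmin default port, not the kpasswd one, is intended, and replace the 0s with the named constants the function expects so the intent is readable.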
More information about the Kerberos mailing list