Reading kerberos-adm from DNS: when will MIT-krb support this?

Adam Megacz megacz at cs.berkeley.edu
Sat Mar 15 22:36:02 EDT 2008


Ken Raeburn <raeburn at mit.edu> writes:
>> I believe the future has already arrived.  Current MIT code should
>> be capable of finding and using records like this:
>>
>> 	spam% dig _kerberos-adm._tcp.umich.edu srv
>
> This is used for the password-changing service, but unfortunately the  
> RPC code used for the kadmin program still looks up admin_server, and  
> uses the first IP address found when looking up that hostname.  No  
> DNS, one hostname, one address, no service-location plugin support,  
> no IPv6.  These do need to be fixed....

This should help.

  - a


diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index bb87f88..48b1792 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -416,10 +416,31 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv,
 	 params.admin_server = strdup(params_in->admin_server);
 	 if (params.admin_server)
 	      params.mask |= KADM5_CONFIG_ADMIN_SERVER;
-    } else if (aprofile &&
-	       !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-	 params.admin_server = svalue;
-	 params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+    } else if (aprofile) {
+      if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+        params.admin_server = svalue;
+        params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+      } else {
+        struct addrlist addrlist;
+        int i;
+        krb5_data drealm;
+        drealm.data   = (void*)params.realm;
+        drealm.length = strlen(params.realm);
+	if (!krb5int_locate_server(context, &drealm, &addrlist, 0,
+                                   "admin_server", "_kerberos-adm", 1,
+                                   DEFAULT_KPASSWD_PORT, 0, 0)) {
+          for (i=0;i<addrlist.naddrs;i++ ) {
+            struct addrinfo *a = addrlist.addrs[i];
+            if (a->ai_family == AF_INET) {
+              params.admin_server  = strdup(inet_ntoa(sa2sin(a->ai_addr)->sin_addr));
+              params.kadmind_port  = ntohs(sa2sin (a->ai_addr)->sin_port);
+              params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+              params.mask |= KADM5_CONFIG_KADMIND_PORT;
+              break;
+            }
+          }
+        }
+      }
     }
     if (params.mask & KADM5_CONFIG_ADMIN_SERVER) {
 	 char *p;
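Review bot: the strdup() result in the AF_INET branch is never checked before KADM5_CONFIG_ADMIN_SERVER is set, unlike the params_in branch just above it (`params.admin_server = strdup(...); if (params.admin_server) params.mask |= ...`), so an allocation failure falls straight into the `if (params.mask & KADM5_CONFIG_ADMIN_SERVER)` block below with a NULL admin_server; set the mask only when strdup succeeded. A few further points on the same hunk: only `a->ai_family == AF_INET` results are considered, so IPv6 SRV targets are silently skipped even though missing IPv6 support was one of the complaints being addressed; `addrlist` is filled by krb5int_locate_server but never released, which leaks on every call (the locator has a matching free routine, krb5int_free_addrlist, that should be called once the address has been copied out); the port is read back with `ntohs(sa2sin(a->ai_addr)->sin_port)`, so the list carries network-order ports, and the `DEFAULT_KPASSWD_PORT` default argument should be passed in the byte order the locator expects (htons) rather than host order; and since that default is the kpasswd port while the result is stored in `params.kadmind_port`, a fallback to the default would hand kadmin the wrong service port. Finally, `strlen(params.realm)` assumes a realm was already resolved; guard on KADM5_CONFIG_REALM (or a non-NULL params.realm) before building drealm.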




More information about the Kerberos mailing list