bug: krb5_get_host_realm() no longer uses DNS

Greg Hudson ghudson at MIT.EDU
Mon May 17 14:50:15 EDT 2010


On Sat, 2010-05-15 at 04:14 -0400, Richard E. Silverman wrote:
> Somewhere between 1.5.4 and 1.8.1, this code was removed from
> krb5_get_host_realm() and moved to krb5_get_fallback_host_realm():
[...]
> Am I missing something, or is this just a bug?

This happened in krb5 1.6, as part of referrals support.

It's definitely a behavior change, and has had some other negative
consequences.  I've considered restoring the old behavior of the API,
but haven't quite convinced myself that it's a good idea.  The API can't
fully match the behavior of the TGS code since we can't perform
referrals without a TGT in hand, so perhaps it's better to give the
caller both pieces of what we broke (krb5_get_host_realm and
krb5_get_fallback_host_realm) instead of gluing them awkwardly back
together.

> If a server determines its realm via
> a TXT record, e.g. for gss_acquire_cred(), then it now fails where it
> worked in earlier versions (this has bitten me with OpenSSH).

Is there a reason your server needs to use gss_acquire_cred with a
specified name, as opposed to just passing null credentials to
gss_accept_sec_context, or a null name to gss_acquire_cred?
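
Added example, not part of the original message and not MIT krb5 code: a simplified Python model of the split discussed above, in which the configured-mapping lookup returns the empty referral realm and the DNS TXT lookup is a separate fallback step the caller invokes explicitly. The function names, the sample mappings and the `_kerberos.<name>` walk are assumptions of this model; the fallback's non-DNS heuristics are left out.

```python
REFERRAL_REALM = ""  # empty realm: "no configured mapping, let the KDC refer"

def domain_realm_lookup(host, domain_realm):
    """Model of krb5_get_host_realm() since 1.6: configured mappings only, no DNS."""
    name = host.lower().rstrip(".")
    if name in domain_realm:                 # exact host entry
        return [domain_realm[name]]
    while "." in name:                       # then ".parent.domain" entries
        name = name.partition(".")[2]
        if "." + name in domain_realm:
            return [domain_realm["." + name]]
    return [REFERRAL_REALM]

def fallback_lookup(host, txt_resolver, dns_lookup_realm):
    """Model of the DNS part of krb5_get_fallback_host_realm()."""
    if not dns_lookup_realm:
        return []
    name = host.lower().rstrip(".")
    while name:                              # host first, then each parent domain
        realm = txt_resolver("_kerberos." + name)
        if realm:
            return [realm]
        name = name.partition(".")[2]
    return []

def realm_for_host(host, domain_realm, txt_resolver, dns_lookup_realm):
    """Caller-side glue: use both pieces and report where the answer came from."""
    realms = domain_realm_lookup(host, domain_realm)
    if realms != [REFERRAL_REALM]:
        return realms, "domain_realm"
    realms = fallback_lookup(host, txt_resolver, dns_lookup_realm)
    if realms:
        return realms, "dns-txt"             # unauthenticated DNS answer
    return [REFERRAL_REALM], "none"

# Constructed sample data, not taken from any real deployment.
DOMAIN_REALM = {".corp.example": "CORP.EXAMPLE"}
TXT_RECORDS = {"_kerberos.lab.example": "LAB.EXAMPLE"}

if __name__ == "__main__":
    for h in ("web.corp.example", "ssh.lab.example"):
        print(h, domain_realm_lookup(h, DOMAIN_REALM),
              realm_for_host(h, DOMAIN_REALM, TXT_RECORDS.get, True))
```

The second host is the case from the report: its realm exists only as a TXT record, so the first lookup alone yields the empty realm, and the returned source tag lets the caller decide whether to trust a DNS-derived answer.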




