What are the issues with dns_lookup_realm ?

Greg Hudson ghudson at MIT.EDU
Mon Oct 11 12:54:57 EDT 2010


On Mon, 2010-10-11 at 10:22 -0400, Brian Candler wrote:
> - mod_auth_kerb tries to find realm for rails.api.example.com
>   (the virtual server hostname), via DNS lookups
> - mod_auth_kerb fails to find one
> - mod_auth_kerb looks for something duff like "HTTP/rails.api.example.com@"
>   in its keytab, and fails

I doubt it's actually failing.  It's probably falling back to
API.EXAMPLE.COM as the best available heuristic; that happens to be the
wrong answer.

> ''The misunderstanding here is that "the default realm" is not the default
> for host-to-realm mappings.  It's the default for parsing principal
> names which don't contain realms--for example, if you "kinit bcandler"
> instead of "kinit bcandler at EXAMPLE.COM".''

I'm actually a little surprised that mod_auth_kerb is doing a
host-to-realm lookup instead of just using the default realm for the
verification service principal.  I guess in some virtual host settings,
that's desirable.

> Maybe it would be cleaner if the client code failed immediately when asked
> to map a host to a realm but was unable to?  An error like "unable to find
> realm for host 192.0.2.1 (rails.api.example.com)" would have been easier for
> me to interpret.

The code could, I suppose, try to determine whether API.EXAMPLE.COM is
actually a Kerberos realm, and then fall back to the default realm.
That has its own pitfalls, though; if API.EXAMPLE.COM ever became a
realm (through SRV records, say), you'd get an unexpected behavior
change.

In any event, I've committed a change for 1.9 which would make the error
message from the keytab lookup more informative:

  No key table entry found for HTTP/rails.api.example.com at API.EXAMPLE.COM





More information about the Kerberos mailing list