Feature request for kprop

Greg Hudson ghudson at MIT.EDU
Wed Aug 7 13:54:32 EDT 2013


On 08/07/2013 11:11 AM, Michael Raitza wrote:
> When using the kprop client to sync Kerberos databases the hostname used
> for acquiring the service's principal is left unspecified. Depending
> on the server configuration the wrong hostname is resolved for the
> service and authentication fails accordingly. E.g. having a host with
> name `a' (according to its local knowledge, DNS A record) and a DNS
> service record pointing to `krb-a' (another A record) which itself
> points to the host's IP address. The correct resolution would be `krb-a'
> for the kprop service but `a' is actually resolved.

I'm not quite sure what you mean here.  It's usually possible to adjust
the host's local configuration such that the hostname canonicalizes to
the correct value.

The default canonicalization procedure is to resolve with getaddrinfo()
and then try to reverse-resolve the first returned address with
getnameinfo().  (We'd like to get rid of the second step, but it could
break existing deployments.  It can be turned off with "rdns = false" in
[libdefaults].)  If /etc/hosts has an entry like:

127.0.1.1 equal-rites.mit.edu equal-rites

(the IP address isn't important) then the first step will canonicalize
the host's short name to its FQDN, and the second step will return the
same FQDN.

> My suggested fix is to have a command-line option to select the hostname
> to be used by kprop.

Perhaps an option to select the principal name would be better.

> I have a patch at hand and my only question is how to proceed from here?

Please see http://k5wiki.kerberos.org/wiki/Contributing_code
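
[Added illustration, not part of the original message and not MIT krb5 code: a Python sketch of the two-step procedure described above (forward lookup, then optional reverse lookup), run over a constructed zone that mirrors the quoted `a'/`krb-a' scenario. The example.com names, the addresses, the fake resolver functions and the final lowercasing are assumptions of this sketch.]

```python
import socket

# Constructed records modelling the quoted scenario: "a" and "krb-a" are both
# A records for one address, and the PTR record for that address names "a".
# The example.com domain and the addresses are assumptions, not from the post.
FORWARD = {"a.example.com": "192.0.2.10", "krb-a.example.com": "192.0.2.10",
           "b.example.com": "192.0.2.20"}   # b has no PTR record
PTR = {"192.0.2.10": "a.example.com"}

def fake_forward(host, port, family=0, type=0, proto=0, flags=0):
    """Stand-in for socket.getaddrinfo() backed by FORWARD."""
    if host not in FORWARD:
        raise socket.gaierror(socket.EAI_NONAME, "unknown host")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, host, (FORWARD[host], 0))]

def fake_reverse(sockaddr, flags):
    """Stand-in for socket.getnameinfo() backed by PTR."""
    if sockaddr[0] not in PTR:
        raise socket.gaierror(socket.EAI_NONAME, "no PTR record")
    return (PTR[sockaddr[0]], "0")

def canonicalize(host, rdns=True, forward=socket.getaddrinfo,
                 reverse=socket.getnameinfo):
    """Forward-resolve host, then (if rdns) reverse-resolve the first address."""
    try:
        infos = forward(host, None, 0, socket.SOCK_STREAM, 0, socket.AI_CANONNAME)
    except socket.gaierror:
        return host.lower()              # unresolvable: keep the name as given
    _family, _type, _proto, canonname, sockaddr = infos[0]
    name = canonname or host
    if rdns:
        try:
            # NI_NAMEREQD makes the lookup fail instead of returning an IP string
            name = reverse(sockaddr, socket.NI_NAMEREQD)[0]
        except socket.gaierror:
            pass                         # no PTR: fall back to the forward name
    return name.rstrip(".").lower()

if __name__ == "__main__":
    for rdns in (True, False):
        fake = canonicalize("krb-a.example.com", rdns, fake_forward, fake_reverse)
        print(f"constructed zone, rdns={rdns}: krb-a.example.com -> {fake}")
        # Same procedure against this machine's real resolver configuration
        print(f"this host, rdns={rdns}: {canonicalize(socket.gethostname(), rdns)}")
```

[With the reverse step enabled the constructed `krb-a' name comes back as `a', which is the mismatch the report describes; with it disabled the forward name is kept.]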
