[krbdev.mit.edu #6516] Re: Reading kerberos-adm from DNS (PATCH)
megacz@cs.berkeley.edu via RT
rt-comment at krbdev.mit.edu
Sun Jun 21 13:42:06 EDT 2009
The following message is a courtesy copy of an article
that has been posted to gmane.comp.encryption.kerberos.general,gmane.comp.encryption.kerberos.devel as well.
It seems that this patch didn't wind up in the recent kerberos
release. Do you think somebody could review it for inclusion soon, so
that it has a chance of making it into the next release? If any
changes need to be made, please let me know and I will make them.
Thanks!
- a
Ken Raeburn <raeburn at mit.edu> writes:
> Sure. :)
> At first glance it looks good, but I want to have a closer look
> before committing it (unless someone else gets to it first). Thanks
> for sending it in!
>
> Adam Megacz <megacz at cs.berkeley.edu> writes:
> > Hi, would it be possible for the Kerberos maintainers to consider the
> > patch below for inclusion in the main libkadm5 distribution?
> >
> > - a
> >
> > Adam Megacz <megacz at cs.berkeley.edu> writes:
> >> Ken Raeburn <raeburn at mit.edu> writes:
> >>>> I believe the future has already arrived. Current MIT code should
> >>>> be capable of finding and using records like this:
> >>>>
> >>>> spam% dig _kerberos-adm._tcp.umich.edu srv
> >>>
> >>> This is used for the password-changing service, but unfortunately the
> >>> RPC code used for the kadmin program still looks up admin_server, and
> >>> uses the first IP address found when looking up that hostname. No
> >>> DNS, one hostname, one address, no service-location plugin support,
> >>> no IPv6. These do need to be fixed....
> >>
> >> This should help.
> >>
> >> - a
> >>
> >>
> >> diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
> >> index bb87f88..48b1792 100644
> >> --- a/src/lib/kadm5/alt_prof.c
> >> +++ b/src/lib/kadm5/alt_prof.c
> >> @@ -416,10 +416,31 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv,
> >> params.admin_server = strdup(params_in->admin_server);
> >> if (params.admin_server)
> >> params.mask |= KADM5_CONFIG_ADMIN_SERVER;
> >> - } else if (aprofile &&
> >> - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
> >> - params.admin_server = svalue;
> >> - params.mask |= KADM5_CONFIG_ADMIN_SERVER;
> >> + } else if (aprofile) {
> >> + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
> >> + params.admin_server = svalue;
> >> + params.mask |= KADM5_CONFIG_ADMIN_SERVER;
> >> + } else {
> >> + struct addrlist addrlist;
> >> + int i;
> >> + krb5_data drealm;
> >> + drealm.data = (void*)params.realm;
> >> + drealm.length = strlen(params.realm);
> >> + if (!krb5int_locate_server(context, &drealm, &addrlist, 0,
> >> + "admin_server", "_kerberos-adm", 1,
> >> + DEFAULT_KPASSWD_PORT, 0, 0)) {
> >> + for (i=0;i<addrlist.naddrs;i++ ) {
> >> + struct addrinfo *a = addrlist.addrs[i];
> >> + if (a->ai_family == AF_INET) {
> >> + params.admin_server = strdup(inet_ntoa(sa2sin(a->ai_addr)->sin_addr));
> >> + params.kadmind_port = ntohs(sa2sin (a->ai_addr)->sin_port);
> >> + params.mask |= KADM5_CONFIG_ADMIN_SERVER;
> >> + params.mask |= KADM5_CONFIG_KADMIND_PORT;
> >> + break;
> >> + }
> >> + }
> >> + }
> >> + }
> >> }
> >> if (params.mask & KADM5_CONFIG_ADMIN_SERVER) {
> >> char *p;
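Review bot: In the added DNS branch, `params.admin_server = strdup(inet_ntoa(...))` is followed by setting KADM5_CONFIG_ADMIN_SERVER without checking the strdup result, while the params_in branch at the top of this hunk sets the mask only `if (params.admin_server)`; apply the same check here before setting either mask bit. The addrlist filled in by krb5int_locate_server is not released anywhere in the added lines and should be freed after the loop. The loop accepts only `a->ai_family == AF_INET`, so a realm whose SRV targets resolve only to IPv6 addresses still ends up with no admin server, which leaves the IPv6 gap raised earlier in the thread open. The default port passed for the `_kerberos-adm` lookup is DEFAULT_KPASSWD_PORT; please confirm that this is intended rather than the kadmin default. `strlen(params.realm)` assumes the realm is already set at this point, so add a NULL check or a comment saying why it cannot be NULL. Because the server address and port now come from a DNS answer rather than the local profile, a short comment stating what the caller relies on to authenticate the server would help future readers.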
> >>
> >> ________________________________________________
> >> Kerberos mailing list Kerberos at mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>
> >