Kadmin service principal revisited
jhutz at cmu.edu
Fri Aug 29 17:46:36 EDT 2003
On Friday, August 29, 2003 15:48:52 -0500 "Douglas E. Engert"
<deengert at anl.gov> wrote:
> Sam Hartman wrote:
>> Greetings. As you may recall we agreed some time early this year that
>> we would change the kadmin service principal from kadmin/admin at REALM
>> to kadmin/hostname at REALM in order to be compatible with Sun as we
>> picked up the the new RPC code.
>> Having audited many of the related patches, I'd like to revisit this
>> This change seems to have a number of negative effects. First, it
>> assumes than the hostname returned by gethostname() is related to the
>> name of the interface on which clients will connect. I.E. it assumes
>> that gethostbyname(gethostname()) will give you right principal
>> component to use.
> But isn't this the same situation we have when contacting a multi-homed
> host using the host/hostname principal? There does not appear to
> be any difference with this service as with any other service in the use
> of hostnames.
> Also I thought the name would come from the krb5.conf or srv records,
> so should have a full name.
Indeed, I don't see any need to call gethostname() here. Clients should
use the hostname they got from DNS or configuration or whatever (this is
safe since we are assuming that kadmin/* will only exist for valid admin
servers). The server should accept tickets for any kadmin/* principal in
its keytab (note that this also provides compatibility with clients that
are expecting to use kadmin/admin, as long as you put that in the admin
server's keytab. Just don't deploy a multi-master setup this way!)
Of course, the administrator who creates the keytab will have to know the
correct names to use, but he usually will. In cases where configuration of
the admin server is automatic, it is likely that
gethostbyname(gethostname()) will do the right thing, and there are fancier
techniques that can be used if desired, such as using SIOCGIFADDR or a
connected UDP socket to find out one's own IP address.
More information about the krbdev