Kadmin service principal revisited

Jeffrey Hutzelman jhutz at cmu.edu
Fri Aug 29 17:46:36 EDT 2003

On Friday, August 29, 2003 15:48:52 -0500 "Douglas E. Engert" 
<deengert at anl.gov> wrote:

> Sam Hartman wrote:
>> Greetings.  As you may recall we agreed some time early this year that
>> we would change the kadmin service principal from kadmin/admin at REALM
>> to kadmin/hostname at REALM in order to be compatible with Sun as we
>> picked up the the new RPC code.
>> Having audited many of  the related patches, I'd like to revisit this
>> decision.
>> This change seems to have a number of negative effects.  First, it
>> assumes than the hostname returned by gethostname() is related to the
>> name of the interface on which clients will connect.  I.E. it assumes
>> that gethostbyname(gethostname()) will give you right principal
>> component to use.
> But isn't this the same situation we have when contacting a multi-homed
> host using the host/hostname principal? There does not appear to
> be any difference with this service as with any other service in the use
> of hostnames.
> Also I thought the name would come from the krb5.conf or srv records,
> so should have a full name.

Indeed, I don't see any need to call gethostname() here.  Clients should 
use the hostname they got from DNS or configuration or whatever (this is 
safe since we are assuming that kadmin/* will only exist for valid admin 
servers).  The server should accept tickets for any kadmin/* principal in 
its keytab (note that this also provides compatibility with clients that 
are expecting to use kadmin/admin, as long as you put that in the admin 
server's keytab.  Just don't deploy a multi-master setup this way!)

Of course, the administrator who creates the keytab will have to know the 
correct names to use, but he usually will.  In cases where configuration of 
the admin server is automatic, it is likely that 
gethostbyname(gethostname()) will do the right thing, and there are fancier 
techniques that can be used if desired, such as using SIOCGIFADDR or a 
connected UDP socket to find out one's own IP address.

-- Jeff
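The two points in the reply above, as an added example that is not part of the thread and not MIT Kerberos code: the server-side rule that an admin server should accept any kadmin/* principal that is actually in its keytab (rather than a name derived from gethostname()), and the "connected UDP socket" trick for learning which local address the kernel would use to reach a given destination. The keytab contents, realm, hostnames and the function names are constructed for illustration; the keytab is modelled as a plain list of principal strings, not a real krb5 keytab.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed sample keytab: the principals whose keys this admin server
 * holds.  It carries both the host-based name and the legacy kadmin/admin
 * name, exactly the compatibility arrangement the reply describes. */
static const char *const SAMPLE_KEYTAB[] = {
    "kadmin/kdc1.example.com@EXAMPLE.COM",
    "kadmin/admin@EXAMPLE.COM",
    "host/kdc1.example.com@EXAMPLE.COM",
};
#define SAMPLE_KEYTAB_LEN (sizeof SAMPLE_KEYTAB / sizeof SAMPLE_KEYTAB[0])

/* Accept a presented service principal only if it is a kadmin/* name AND
 * a key for exactly that name is present in the keytab.  No gethostname()
 * is consulted, so a multi-homed or badly-configured resolver cannot make
 * the server reject a legitimate name or accept an unknown one. */
int kadmin_principal_accepted(const char *const *keytab, size_t n,
                              const char *presented)
{
    if (strncmp(presented, "kadmin/", 7) != 0)
        return 0;                       /* not an admin-service principal */
    for (size_t i = 0; i < n; i++)
        if (strcmp(keytab[i], presented) == 0)
            return 1;                   /* we hold a key for this name */
    return 0;                           /* kadmin/* but no key: refuse */
}

/* Convenience wrapper over the constructed sample keytab. */
int sample_accepts(const char *presented)
{
    return kadmin_principal_accepted(SAMPLE_KEYTAB, SAMPLE_KEYTAB_LEN, presented);
}

/* The connected-UDP-socket technique: connect() on a datagram socket sends
 * nothing on the wire but makes the kernel pick the local address it would
 * route from to reach `dest`; getsockname() then reveals that address.
 * Writes a dotted-quad into `out`; returns 0 on success, -1 on failure.
 * Caveat: the answer depends on the destination given, which is exactly
 * why it can differ from gethostbyname(gethostname()) on a multi-homed box. */
int discover_local_ip(const char *dest, char *out, size_t outlen)
{
    struct sockaddr_in sa, local;
    socklen_t len = sizeof local;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(9);             /* "discard" port; no packet is sent */
    if (inet_pton(AF_INET, dest, &sa.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)&local, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return inet_ntop(AF_INET, &local.sin_addr, out, outlen) ? 0 : -1;
}

/* Static-buffer wrapper (not thread-safe; fine for a demonstration).
 * Returns NULL when the destination is unreachable or unparsable. */
const char *local_ip_for(const char *dest)
{
    static char buf[INET_ADDRSTRLEN];
    return discover_local_ip(dest, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    const char *names[] = {
        "kadmin/kdc1.example.com@EXAMPLE.COM",
        "kadmin/admin@EXAMPLE.COM",
        "kadmin/kdc2.example.com@EXAMPLE.COM",
        "host/kdc1.example.com@EXAMPLE.COM",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-40s %s\n", names[i],
               sample_accepts(names[i]) ? "accepted" : "refused");
    const char *ip = local_ip_for("127.0.0.1");
    printf("local address toward 127.0.0.1: %s\n", ip ? ip : "(unreachable)");
    return 0;
}
```

Running the program lists which of the constructed names the sample keytab would accept, then prints the local address the kernel selects toward the loopback destination; pointing `local_ip_for` at an off-host address shows the interface the host would actually use for that path, which is the information an automatic configuration step would want in place of gethostname().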
