Proposed Behavior change: don't fail when krb5_sname_to_principal cannot canonicalize input

Sam Hartman hartmans at MIT.EDU
Fri Oct 14 10:04:42 EDT 2011


I'd like to propose that if krb5_sname_to_principal fails to look
something up in dns, it assume it's canonical form.  There are a number
of cases where you might want a principal even though you cannot
connect to the host. For example you might be checking a principal with
kvno -S. You might be dealing with an acceptor principal even though
your dns is down.

This does change the error people will get but I think it improves
things and helps people who don't need to depend on DNS introduce
unneeded DNS dependencies.

From 44c6e05f9c57605b22767b3178878fcd367fc473 Mon Sep 17 00:00:00 2001
From: Kevin Wasserman <kevin.wasserman at painless-security.com>
Date: Tue, 27 Sep 2011 23:02:37 -0400
Subject: [PATCH] sn2princ: On getaddrinfo failure use the input

RFC 4120 says that we should not canonicalize using DNS. We cannot get
that far today, but there's no reason we should fail to use a
perfectly good principal name just because DNS is failing. For some
services there isn't even a requirement they be in DNS. With
AI_ADDRCONFIG there's no reason that Kerberos canonicalization should
fail simply because a v6 address is not present, for example.  So, if
getaddrinfo fails in krb5_sname_to_principal simply use the input
hostname uncanonicalized.
---
 src/lib/krb5/os/sn2princ.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
index 46eab6c..8f8a0ce 100644
--- a/src/lib/krb5/os/sn2princ.c
+++ b/src/lib/krb5/os/sn2princ.c
@@ -109,17 +109,16 @@ krb5_sname_to_principal(krb5_context context, const char *hostname, const char *
             err = getaddrinfo(hostname, 0, &hints, &ai);
             if (err) {
 #ifdef DEBUG_REFERRALS
-                printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
+                printf("sname_to_princ: failed to canonicalize %s; using as-is", hostname);
 #endif
-                return KRB5_ERR_BAD_HOSTNAME;
             }
-            remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
+            remote_host = strdup((ai && ai->ai_canonname) ? ai->ai_canonname : hostname);
             if (!remote_host) {
                 freeaddrinfo(ai);
                 return ENOMEM;
             }
 
-            if (maybe_use_reverse_dns(context, DEFAULT_RDNS_LOOKUP)) {
+            if ((!err) && maybe_use_reverse_dns(context, DEFAULT_RDNS_LOOKUP)) {
                 /*
                  * Do a reverse resolution to get the full name, just in
                  * case there's some funny business going on.  If there
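Review bot: With `return KRB5_ERR_BAD_HOSTNAME;` removed, the fall-through relies on `ai` being NULL after a failed getaddrinfo(), and nothing in the hunk establishes that: getaddrinfo() does not guarantee a value for its result parameter on error, so the new `(ai && ai->ai_canonname)` test can read an indeterminate pointer, and the unchanged `freeaddrinfo(ai);` in the ENOMEM path (now reachable with `err` set) would free one. Suggest initializing `ai = NULL;` before the getaddrinfo() call, or assigning it inside the `if (err)` block, and checking any later unconditional freeaddrinfo()/`ai` uses in this function against the `err` case the same way the reverse-DNS branch was guarded with `(!err) &&`. Minor: the replacement debug printf drops the trailing `\n`, and with DEBUG_REFERRALS undefined the `if (err) { ... }` block is now empty.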
-- 
1.7.4.1
