[38084] in Kerberos

Re: krb5

daemon@ATHENA.MIT.EDU (Earl Killian)
Thu Oct 19 12:40:53 2017

To: Greg Hudson <ghudson@mit.edu>, kerberos@mit.edu
From: Earl Killian <kerberos@lists.killian.com>
Message-ID: <0c6cd3ee-aefc-945e-ffdf-9980c4552ff7@killian.com>
Date: Thu, 19 Oct 2017 09:40:07 -0700
MIME-Version: 1.0
In-Reply-To: <9ec1890f-ba56-5b74-23cb-a861d8d81282@mit.edu>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Thank you for further detail. I wish that gethostname returned a FQDN,
but since I don't know the reason that people have decided that it not
do so, I probably shouldn't go that route.

I think the problem arises from glibc implementing
gethostname/getdomainname using uname(2), and that seems difficult to
change now.

I suppose you could add something to krb5.conf to provide the default
value to append to what gethostname() returns, but that seems not
sufficiently flexible to be worth the complication. Since krb5.conf is
per-machine, I suppose you could just have it specify the host principal
to use, and ignore gethostname() altogether.

-Earl

On 10/18/17 17:42, Greg Hudson wrote:
> On 10/17/2017 06:04 PM, Earl Killian wrote:
>> However, I would like to inquire
>> of the mailing list how things are supposed to work when those are set
>> to false as in the openSUSE distro.
> Not as easily as I would like.  For the specific issue you mention, I
> think the only two workarounds are:
>
> 1. Create a principal "host/alpha" and put it in keytabs and ACL files
> alongside "host/alpha.killian.com".
>
> 2. Arrange for gethostname() to return the FQDN (alpha.killian.com)
> instead of just "alpha".  This might have undesirable side effects as it
> would be a system-wide change.
>
> POSIX does not make it easy to get this right without risking using
> insecure DNS, although there are some improvements we could make (such
> as looking to see if there is exactly one search domain in _res.dnsrch,
> and expanding single-component hostnames using that domain if so).
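The single-search-domain expansion Greg describes, as an added illustration written for this page (not code from the krb5 code base): it qualifies a single-label hostname only when the resolver search list contains exactly one domain and otherwise refuses rather than guessing; the domain names used and the `local_host_principal` wrapper are assumptions.

```c
/* Added example (not from the thread or krb5): expand a single-label hostname
 * with the resolver search list only when exactly one search domain is set,
 * as suggested in the message above.  Names used are constructed. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <resolv.h>

/* Count entries in a NULL-terminated search-domain list such as _res.dnsrch. */
static size_t count_search_domains(char *const *dnsrch, size_t max)
{
    size_t n = 0;
    while (n < max && dnsrch[n] != NULL)
        n++;
    return n;
}

/* Returns 0 and writes the qualified name to out.  Returns -1 when the name
 * is single-label and the search list does not name exactly one domain
 * (zero or several domains would mean guessing, so refuse instead). */
int expand_hostname(const char *host, char *const *dnsrch, size_t max,
                    char *out, size_t outlen)
{
    if (strchr(host, '.') != NULL)            /* already qualified: keep as-is */
        return snprintf(out, outlen, "%s", host) < (int)outlen ? 0 : -1;
    if (count_search_domains(dnsrch, max) != 1)
        return -1;
    return snprintf(out, outlen, "%s.%s", host, dnsrch[0]) < (int)outlen ? 0 : -1;
}

/* Hypothetical wrapper: derive "host/<fqdn>" from gethostname() and the
 * process-global _res search list (res_init() is not thread-safe). */
int local_host_principal(char *out, size_t outlen)
{
    char host[256];
    char fqdn[512];
    if (gethostname(host, sizeof host) != 0)
        return -1;
    host[sizeof host - 1] = '\0';             /* gethostname need not terminate */
    if (res_init() != 0)
        return -1;
    if (expand_hostname(host, _res.dnsrch, MAXDNSRCH, fqdn, sizeof fqdn) != 0)
        return -1;
    return snprintf(out, outlen, "host/%s", fqdn) < (int)outlen ? 0 : -1;
}
```

When `local_host_principal()` returns -1 the name could not be determined without guessing, which is where the thread's other workaround, naming the host principal explicitly in per-machine configuration, is the safer fallback.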
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos