[32906] in Kerberos


Re: Problems with kprop and incremental propagation - works but

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Nov 15 19:14:11 2010

From: Greg Hudson <ghudson@mit.edu>
To: Matej Zagiba <zagiba@fmph.uniba.sk>
In-Reply-To: <4CDBF054.4070207@fmph.uniba.sk>
Date: Mon, 15 Nov 2010 19:14:04 -0500
Message-ID: <1289866444.2633.1187.camel@ray>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

I can confirm two bugs that you have encountered and worked around:

1. kprop uses krb5_sname_to_principal() to determine its client
principal, and does not understand the referral realm.  So it does not
work without a -r parameter unless the profile's domain_realm section
can map the local hostname.  You worked around this by correcting your
existing domain_realm section in your profile.

A reasonable, if not perfect, fix here is to do what kpropd does in a
similar piece of code: substitute the default realm for the referral
realm when using the result of krb5_sname_to_principal() as a client
principal.

2. kpropd, when processing incremental updates, modifies the KDB using
ulog_replay(), but does not initialize its context to use the KDC
profile, so it uses only settings from krb5.conf to find the KDB.  You
worked around this with symlinks.  An alternative workaround would be to
put the KDB configuration into krb5.conf instead of kdc.conf.  (In the
past, it used to be required to put KDB configuration into krb5.conf.
That odd requirement was relaxed somewhere around krb5 1.5 for most
programs which run on the KDC, but a few have escaped the net, including
kpropd.)

I will open issues for both bugs and try to get them fixed for 1.9.
Thanks for your investigative work.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
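
Added example, not part of the original message and not MIT krb5 code: a small Python check that reads a krb5.conf and reports whether a host would run into either problem described above (no domain_realm mapping for the local hostname, so kprop needs -r; no KDB location in krb5.conf for kpropd to find). It is a simplified model of the profile format and of the domain_realm lookup (exact host entry, then dot-prefixed parent domains); the sample profile, hostnames and function names are constructed for illustration.

```python
import re

# Constructed sample krb5.conf (hostnames and realm are placeholders).
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
    }
[domain_realm]
    .example.org = EXAMPLE.ORG
"""

def parse_profile(text):
    """Parse a profile into {section: {relation: value or nested dict}}."""
    prof, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = prof.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = val
    return prof

def host_realm(prof, hostname):
    """Realm that [domain_realm] gives for hostname, or "" (referral realm)."""
    table = {k.lower(): v for k, v in prof.get("domain_realm", {}).items()}
    name = hostname.lower().rstrip(".")
    if name in table:                      # exact host entry
        return table[name]
    while "." in name:                     # then parent domains: ".example.org"
        name = name.split(".", 1)[1]
        if "." + name in table:
            return table["." + name]
    return ""

def check(conf_text, hostname):
    """Report which of the two problems described above this profile would hit."""
    prof = parse_profile(conf_text)
    realm = host_realm(prof, hostname)
    default = prof.get("libdefaults", {}).get("default_realm", "")
    rel = prof.get("realms", {}).get(realm or default, {})
    return {"kprop_needs_r_option": realm == "",
            "kdb_location_in_krb5_conf": any(k in rel for k in ("database_name", "database_module"))}
```

Run `check()` against the real krb5.conf text and the host's fully qualified name; a false `kdb_location_in_krb5_conf` matters only when the KDB location is configured solely in kdc.conf.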
