[32351] in Kerberos

bug: krb5_get_host_realm() no longer uses DNS

daemon@ATHENA.MIT.EDU (Richard E. Silverman)
Mon May 17 13:17:51 2010

From: "Richard E. Silverman" <res@qoxp.net>
Message-ID: <m239xt8ttp.fsf@darwin.oankali.net>
MIME-Version: 1.0
X-Complaints-To: abuse@thundernews.com
Date: Sat, 15 May 2010 04:14:58 -0400
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


Somewhere between 1.5.4 and 1.8.1, this code was removed from
krb5_get_host_realm() and moved to krb5_get_fallback_host_realm():

#ifdef KRB5_DNS_LOOKUP
    if (_krb5_use_dns_realm(context)) {
        cp = local_host;
        do {
            retval = krb5_try_realm_txt_rr("_kerberos", cp, &realm);
            cp = strchr(cp,'.');
            if (cp)
                cp++;
        } while (retval && cp && cp[0]);
    }
#endif /* KRB5_DNS_LOOKUP */

... leaving krb5_get_host_realm() unable to use the DNS for realm
mapping.  Since the functions most used for obtaining tickets, in
lib/krb5/krb/gc_frm_kdc.c, use krb5_get_fallback_host_realm(), clients
still work -- but servers can break.  If a server determines its realm via
a TXT record, e.g. for gss_acquire_cred(), then it now fails where it
worked in earlier versions (this has bitten me with OpenSSH).

Am I missing something, or is this just a bug?

-- 
  Richard Silverman
  res@qoxp.net

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
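
The label-by-label TXT search performed by the quoted loop, as an added example that is not part of the original post or of the MIT krb5 source. lookup_txt() is a hypothetical stand-in for krb5_try_realm_txt_rr() (assumed to return 0 on success, as the loop condition implies), and sample_zone and the host names are constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for published DNS TXT records. */
struct txt_rr { const char *name; const char *realm; };
static const struct txt_rr sample_zone[] = {
    { "_kerberos.example.com", "EXAMPLE.COM" },
};

/* Hypothetical stand-in for krb5_try_realm_txt_rr(): looks up
 * "<prefix>.<domain>" in sample_zone; 0 on success (assumption). */
static int lookup_txt(const char *prefix, const char *domain,
                      const char **realm)
{
    char qname[256];
    size_t i;

    snprintf(qname, sizeof qname, "%s.%s", prefix, domain);
    printf("query TXT %s\n", qname);
    for (i = 0; i < sizeof sample_zone / sizeof sample_zone[0]; i++) {
        if (strcmp(qname, sample_zone[i].name) == 0) {
            *realm = sample_zone[i].realm;
            return 0;
        }
    }
    return -1;
}

/* Same walk as the quoted loop: try the full host name, then strip one
 * leading label at a time until a record is found or no labels remain.
 * Returns the number of queries made; *realm is NULL if nothing matched. */
int realm_walk(const char *host, const char **realm)
{
    const char *cp = host;
    int retval, queries = 0;

    *realm = NULL;
    do {
        retval = lookup_txt("_kerberos", cp, realm);
        queries++;
        cp = strchr(cp, '.');
        if (cp)
            cp++;
    } while (retval && cp && cp[0]);
    return queries;
}

int main(void)
{
    const char *realm;
    int n = realm_walk("sshd.eng.example.com", &realm);
    printf("%d queries, realm=%s\n", n, realm ? realm : "(none)");
    return 0;
}
```

For a host with no matching record, the walk as written continues down to the last label, so the final query is for the top-level domain name itself (for example `_kerberos.org`).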
