
Re: What are the issues with dns_lookup_realm ?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Oct 11 12:55:06 2010

From: Greg Hudson <ghudson@mit.edu>
To: Brian Candler <B.Candler@pobox.com>
In-Reply-To: <20101011142252.GA5597@talktalkplc.com>
Date: Mon, 11 Oct 2010 12:54:57 -0400
Message-ID: <1286816097.19112.246.camel@ray>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

On Mon, 2010-10-11 at 10:22 -0400, Brian Candler wrote:
> - mod_auth_kerb tries to find realm for rails.api.example.com
>   (the virtual server hostname), via DNS lookups
> - mod_auth_kerb fails to find one
> - mod_auth_kerb looks for something duff like "HTTP/rails.api.example.com@"
>   in its keytab, and fails

I doubt it's actually failing.  It's probably falling back to
API.EXAMPLE.COM as the best available heuristic; that happens to be the
wrong answer.

> The misunderstanding here is that "the default realm" is not the default
> for host-to-realm mappings.  It's the default for parsing principal
> names which don't contain realms--for example, if you "kinit bcandler"
> instead of "kinit bcandler at EXAMPLE.COM".

I'm actually a little surprised that mod_auth_kerb is doing a
host-to-realm lookup instead of just using the default realm for the
verification service principal.  I guess in some virtual host settings,
that's desirable.

> Maybe it would be cleaner if the client code failed immediately when asked
> to map a host to a realm but was unable to?  An error like "unable to find
> realm for host 192.0.2.1 (rails.api.example.com)" would have been easier for
> me to interpret.

The code could, I suppose, try to determine whether API.EXAMPLE.COM is
actually a Kerberos realm, and then fall back to the default realm.
That has its own pitfalls, though; if API.EXAMPLE.COM ever became a
realm (through SRV records, say), you'd get an unexpected behavior
change.

In any event, I've committed a change for 1.9 which would make the error
message from the keytab lookup more informative:

  No key table entry found for HTTP/rails.api.example.com@API.EXAMPLE.COM


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
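An added illustration of the two-stage lookup discussed in this thread (explicit [domain_realm] mapping, then the parent-domain fallback, then the keytab lookup that produces the 1.9 error message). This is example code written for this archive page, not code from mod_auth_kerb or libkrb5; the function names, the constructed mapping tables and the keytab set are assumptions.

```python
from typing import Optional

# Constructed samples: a parsed [domain_realm] section as libkrb5 would read it
# from krb5.conf. Keys starting with "." match the host's parent domains; a key
# without a leading dot matches one host exactly.
DOMAIN_REALM_BEFORE = {}                                  # the poster's setup: no mapping at all
DOMAIN_REALM_FIXED = {".api.example.com": "EXAMPLE.COM"}  # mapping that makes the lookup succeed


def host_to_realm(host: str, domain_realm: dict) -> Optional[str]:
    """Explicit host-to-realm mapping: exact host first, then each parent domain."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])  # ".api.example.com", ".example.com", ".com"
        if key in domain_realm:
            return domain_realm[key]
    return None


def fallback_realm(host: str) -> str:
    """Heuristic used when no mapping exists: the host's parent domain, upper-cased.
    For rails.api.example.com that yields API.EXAMPLE.COM, the 'wrong answer'
    Greg describes. (Simplified: the dns_lookup_realm TXT probing is left out.)"""
    host = host.lower().rstrip(".")
    return host.split(".", 1)[1].upper() if "." in host else host.upper()


def resolve_realm(host: str, domain_realm: dict) -> str:
    """What a server like mod_auth_kerb ends up with for its verification principal."""
    return host_to_realm(host, domain_realm) or fallback_realm(host)


def keytab_lookup(keytab: set, service: str, host: str, realm: str) -> str:
    """Return the matching principal, or fail with the informative 1.9-style message."""
    principal = f"{service}/{host}@{realm}"
    if principal not in keytab:
        raise LookupError(f"No key table entry found for {principal}")
    return principal
```

With the empty mapping the resolver lands on API.EXAMPLE.COM and the keytab check fails with the message quoted above; adding the `.api.example.com = EXAMPLE.COM` mapping makes it find the realm explicitly.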
