[krbdev.mit.edu #8935] git commit

Greg Hudson via RT

Tue Aug 04 17:58:48 2020: Request 8935 was acted upon.
 Transaction: Ticket created by [hidden email]
       Queue: krb5
     Subject: git commit
       Owner: [hidden email]
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8935 >

Don't create hostbased principals in new KDBs

Unix-like platforms do not provide a simple method to find the
fully-qualified local hostname as the machine is expected to appear to
other hosts.  Canonicalizing the gethostname() result with
getaddrinfo() usually works, but potentially uses DNS.  Now that
dns_canonicalize_hostname=true is no longer the default, KDB creation
would generally create the wrong host-based principals.

kadmin/hostname is unnecessary because the client software can also
use kadmin/admin, and kiprop/hostname is one of several principals
that must be created for incremental propagation.

Author: Greg Hudson <[hidden email]>
Commit: ac2b693d0ec464e0bcda4953acd79f201169f396
Branch: master
 src/kadmin/dbutil/kadm5_create.c                 |   52 ++-------------------
 src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c |   35 +--------------
 src/tests/dejagnu/krb-standalone/kadmin.exp      |    7 ++-
 src/tests/t_iprop.py                             |    1 +
 src/tests/t_kadmin_acl.py                        |    1 +
 5 files changed, 12 insertions(+), 84 deletions(-)

krb5-bugs mailing list
[hidden email]