authorGreg Hudson <ghudson@mit.edu>2020-07-30 12:14:27 -0400
committerGreg Hudson <ghudson@mit.edu>2020-08-04 15:39:37 -0400
commitac2b693d0ec464e0bcda4953acd79f201169f396 (patch)
tree2a9364167670b2365edcbd35c711a3b11ab50fd3 /src/plugins
parent1d282badfbd6098e3db9d50d22d565c2ec3c8c47 (diff)
Don't create hostbased principals in new KDBs
Unix-like platforms do not provide a simple method to find the fully-qualified local hostname as the machine is expected to appear to other hosts. Canonicalizing the gethostname() result with getaddrinfo() usually works, but potentially uses DNS. Now that dns_canonicalize_hostname=true is no longer the default, KDB creation would generally create the wrong host-based principals. kadmin/hostname is unnecessary because the client software can also use kadmin/admin, and kiprop/hostname is one of several principals that must be created for incremental propagation. ticket: 8935 (new)
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c35
1 files changed, 1 insertions, 34 deletions
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index c21d199..ae1afd4 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -307,29 +307,6 @@ create_fixed_special(krb5_context context, struct realm_info *rinfo,
}
-/* Create a special principal using one specified component and the
- * canonicalized local hostname. */
-static krb5_error_code
-create_hostbased_special(krb5_context context, struct realm_info *rinfo,
- krb5_keyblock *mkey, const char *comp1)
-{
- krb5_error_code ret;
- krb5_principal princ = NULL;
-
- ret = krb5_sname_to_principal(context, NULL, comp1, KRB5_NT_SRV_HST,
- &princ);
- if (ret)
- goto cleanup;
- ret = krb5_set_principal_realm(context, princ, global_params.realm);
- if (ret)
- goto cleanup;
- ret = kdb_ldap_create_principal(context, princ, TGT_KEY, rinfo, mkey);
-
-cleanup:
- krb5_free_principal(context, princ);
- return ret;
-}
-
/* Create all special principals for the realm. */
static krb5_error_code
create_special_princs(krb5_context context, krb5_principal master_princ,
@@ -360,22 +337,12 @@ create_special_princs(krb5_context context, krb5_principal master_princ,
if (ret)
return ret;
- /* Create kadmin/admin and kadmin/<hostname>. */
+ /* Create kadmin/admin. */
rblock.max_life = ADMIN_LIFETIME;
rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
ret = create_fixed_special(context, &rblock, mkey, "kadmin", "admin");
if (ret)
return ret;
- ret = create_hostbased_special(context, &rblock, mkey, "kadmin");
- if (ret)
- return ret;
-
- /* Create kiprop/<hostname>. */
- rblock.max_life = global_params.max_life;
- rblock.flags = 0;
- ret = create_hostbased_special(context, &rblock, mkey, "kiprop");
- if (ret)
- return ret;
/* Create kadmin/changepw. */
rblock.max_life = CHANGEPW_LIFETIME;