
Re: domain/realm-mapping



On 5 Dec 1999, Assar Westerlund wrote:

> Heimdal does a gethostbyname() to figure out the FQDN of a host.
> There's basically no other way.

> b. adding aliases with FQDN in your YP databases.  That should mean
:
> What b) solve your problems?  If so, can you try it and tell me if it
> works for you?

No, it doesn't work (0.2d), since krb5_sname_to_principal()
(in ./lib/krb5/principal.c) does its own translation instead of using
krb5_expand_hostname().

BTW: krb5_expand_hostname(), tries only the 1st supplied alias.

I developed a patch (see attachment) for heimdal 0.2d:

- krb5_sname_to_principal():  uses krb5_expand_hostname() instead of doing
			      lookup itself
- krb5_expand_hostname():     get FQDN via DNS, if it is not found by
                              getipnodebyname().

...AND NOW SOMETHING COMPLETELY DIFFERENT: <changing servicekeys>
> There's currently no good way of doing that.  I'm implementing `ktutil
> change'.

Cool! ;-)

Regards, 
   Holger

BTW: Anyone interested in Heimdal-Patch for pine-4.21 & uw-imapd 4.7? 
----------------------------------------------------------------------------
 Holger van Lengerich - University of Paderborn - Dept. of Computer Science
  System-Administration - Warburger Str. 100 - D 33098 Paderborn - Germany
   mailto:gimli@uni-paderborn.de - http://www.uni-paderborn.de/admin/gimli  
diff -r heimdal-0.2d/lib/krb5/expand_hostname.c heimdal-0.2d.new/lib/krb5/expand_hostname.c
39a40,43
> #ifdef HAVE_ARPA_NAMESER_H
> #include <arpa/nameser.h>
> #endif
> #include <resolve.h> 
48,51c52,56
<     struct hostent *he = NULL;
<     int error;
<     char *tmp;
< 
---
>   struct hostent *he = NULL;
>   int error;
>   struct dns_reply *r;
>   struct resource_record *rr;  
>   
53,58c58,63
<     {
< 	struct in6_addr sin6;
< 
< 	if (he == NULL && inet_pton (AF_INET6, orig_hostname, &sin6) == 1)
< 	    he = getipnodebyaddr (&sin6, sizeof(sin6), AF_INET6, &error);
<     }
---
>   {
> 	 struct in6_addr sin6;
> 	 
> 	 if (he == NULL && inet_pton (AF_INET6, orig_hostname, &sin6) == 1)
> 		he = getipnodebyaddr (&sin6, sizeof(sin6), AF_INET6, &error);
>   }
60,65c65,69
<     {
< 	struct in_addr sin;
< 
< 	if (he == NULL && inet_pton (AF_INET, orig_hostname, &sin) == 1)
< 	    he = getipnodebyaddr (&sin, sizeof(sin), AF_INET, &error);
<     }
---
>   {
> 	 struct in_addr sin;
> 	 if (he == NULL && inet_pton (AF_INET, orig_hostname, &sin) == 1)
> 		he = getipnodebyaddr (&sin, sizeof(sin), AF_INET, &error);
>   }
67,68c71,72
<     if (he == NULL)
< 	he = getipnodebyname (orig_hostname, AF_INET6, 0, &error);
---
>   if (he == NULL)
> 	 he = getipnodebyname (orig_hostname, AF_INET6, 0, &error);
70,89c74,126
<     if (he == NULL)
< 	he = getipnodebyname (orig_hostname, AF_INET, 0, &error);
< 
<     if (he == NULL) {
< 	*new_hostname = strdup (orig_hostname);
< 	if (*new_hostname == NULL)
< 	    return ENOMEM;
< 	return 0;
<     }
<     tmp = he->h_name;
<     if (strchr (tmp, '.') == NULL
< 	&& he->h_aliases != NULL
< 	&& he->h_aliases[0] != NULL
< 	&& strchr (he->h_aliases[0], '.') != NULL)
< 	tmp = he->h_aliases[0];
<     *new_hostname = strdup (tmp);
<     freehostent (he);
<     if (*new_hostname == NULL)
< 	return ENOMEM;
<     return 0;
---
>   if (he == NULL)
> 	 he = getipnodebyname (orig_hostname, AF_INET, 0, &error);
>   
>   if (he == NULL)                   /* no results from getipnodebyname */
> 	 {
> 		*new_hostname = strdup (orig_hostname);
> 		freehostent(he);
> 		if (*new_hostname == NULL)
> 		  return ENOMEM;
> 		return 0;
> 	 }
>   if (strchr(he->h_name, '.') != NULL) /* Does he->h_name contain FQDN */
> 	 {                              
> 		*new_hostname=strdup(he->h_name);
> 		freehostent(he);
> 		if (*new_hostname == NULL)
> 		  return ENOMEM;
> 		return 0;
> 	 }
>   if (he->h_aliases != NULL 	           /* if he->aliases[0] is set, */
> 		&& he->h_aliases[0] != NULL            /* does it contain fqdn? */
> 		&& strchr (he->h_aliases[0], '.') != NULL)
> 	 {
> 		*new_hostname = strdup (he->h_aliases[0]);
> 		freehostent(he);
> 		if (*new_hostname == NULL)
> 		  return ENOMEM;
> 		return 0;
> 	 }
>   
>   r=dns_lookup(he->h_name,"A");
>   if (r != NULL)                          /* results from dns_lookup ? */
> 	 {
> 		rr = r->head;
> 		while(rr && rr->type != T_A)                /* scan for 1st A RR */
> 		  rr = rr->next;
> 		if (rr != NULL)                                    /* A RR found */
> 		  {
> 			 *new_hostname = strdup(rr->domain);
> 			 freehostent (he);
> 			 dns_free_data(r);  
> 			 if (*new_hostname == NULL)
> 				  return ENOMEM;
> 			 return 0;
> 		  }
> 		dns_free_data(r);
> 	 }
> 	 
>   *new_hostname=strdup(he->h_name); /* fall back: use unqualified hostname */ 
>   freehostent (he);                 
>   if (*new_hostname == NULL)    
> 	 return ENOMEM;
>   return 0;
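Review bot: The new `if (he == NULL)` branch calls `freehostent(he);` on a pointer that is known to be NULL; freehostent() is not specified to accept NULL and an implementation that walks the structure would crash here, so that line should simply be dropped from the branch. Separately, the dns_lookup() fallback copies `rr->domain` from an unauthenticated DNS answer into `*new_hostname`, and the companion change in principal.c feeds that name into the service principal, so a forged reply can influence which principal a client asks for. I would add a comment above the call such as `/* name comes from unauthenticated DNS; it selects the service principal */` and consider making the fallback optional. The four copies of the strdup/freehostent/ENOMEM sequence could also share one exit path. The function's opening lines are outside this hunk.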
diff -r heimdal-0.2d/lib/krb5/principal.c heimdal-0.2d.new/lib/krb5/principal.c
869,917c869,898
<     krb5_error_code ret;
<     char localhost[128];
<     char **realms, *host = NULL;
<     struct hostent *hp = NULL;
< 	
<     if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN)
< 	return KRB5_SNAME_UNSUPP_NAMETYPE;
<     if(hostname == NULL){
< 	gethostname(localhost, sizeof(localhost));
< 	hostname = localhost;
<     }
<     if(sname == NULL)
< 	sname = "host";
<     if(type == KRB5_NT_SRV_HST) {
< 	int error;
< 
< #ifdef HAVE_IPV6
< 	if (hp == NULL)
< 	    hp = getipnodebyname (hostname, AF_INET6, 0, &error);
< #endif
< 	if (hp == NULL)
< 	    hp = getipnodebyname (hostname, AF_INET, 0, &error);
< 	if(hp != NULL)
< 	    hostname = hp->h_name;
<     }
<     if(type == KRB5_NT_SRV_HST) {
< 	host = strdup(hostname);
< 	if(host == NULL){
< 	    if (hp != NULL)
< 		freehostent (hp);
< 	    return ENOMEM;
< 	}
< 	strlwr(host);
< 	hostname = host;
<     }
<     ret = krb5_get_host_realm(context, hostname, &realms);
<     if(ret) {
< 	if (hp != NULL)
< 	    freehostent (hp);
< 	return ret;
<     }
<     ret = krb5_make_principal(context, ret_princ, realms[0], sname,
< 			      hostname, NULL);
<     if(host)
< 	free(host);
<     if (hp)
< 	freehostent (hp);
<     krb5_free_host_realm(context, realms);
<     return ret;
---
>   krb5_error_code ret;
>   char localhost[128];
>   char **realms, *host = NULL;
>   
>   if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN)
> 	 return KRB5_SNAME_UNSUPP_NAMETYPE;
>   if(hostname == NULL){
> 	 gethostname(localhost, sizeof(localhost));
> 	 hostname = localhost;
>   }
>   if(sname == NULL)
> 	 sname = "host";
>   if(type == KRB5_NT_SRV_HST) {
> 	 int error;
> 	 ret = krb5_expand_hostname(context, hostname, &host);
> 	 if (ret) {
> 		return ret;
> 	 }
> 	 hostname=host;
>   }
>   ret = krb5_get_host_realm(context, hostname, &realms);
>   if(ret) {
> 	 return ret;
>   }
>   ret = krb5_make_principal(context, ret_princ, realms[0], sname,
> 									 hostname, NULL);
>   if(host)
> 	 free(host);
>   krb5_free_host_realm(context, realms);
>   return ret;
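Review bot: The early `return ret;` after krb5_get_host_realm() leaks `host`, which krb5_expand_hostname() allocated in the KRB5_NT_SRV_HST branch; since `host` starts as NULL the branch can become `if(ret) { free(host); return ret; }`. The rewrite also drops the `strlwr(host);` that the old code applied, so a mixed-case name returned by the resolver now goes into the principal unchanged and presumably will not match a lowercase entry in the KDC or keytab; re-adding `strlwr(host);` right after the expand call would preserve the old behaviour. `int error;` in that branch is now unused, and the result of `gethostname()` is still not checked. The function's signature lies outside this hunk.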