Hi,

On Sun, Oct 18, 2015 at 3:03 AM, Wenlong Dong <[email protected]> wrote:
> Hi,
>
> When Curl forms the service principal given the service name, it simply
> formats the service principal name with "<service_name>/<host_name>" in
> Curl_sasl_build_spn. The "<host_name>" is basically the host name part of
> the URL. So if the host name is an IP address, the SPN would be wrong
> according to the following doc:
> http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html
>>> In the case of a host, the instance is the fully qualified hostname,
>>> e.g., daffodil.mit.edu.
>
> Because of this, the Kerberos ticket generated by KDC is unusable by the
> service. What's worse is that JDK would pass on calling
> GSSContext.acceptSecContext() silently but in fact it could not even get the
> client's principal name. This affects SPNEGO scenario for libcurl.
>
> Could libcurl perform a reverse DNS lookup to get the fully qualified
> hostname?

I think you might be able to achieve this at the KRB library level
('rdns=true' under 'libdefaults' in 'krb5.conf').

HTH
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
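The two SPN-building behaviours discussed in this thread, as an added example that is not part of the original messages and not libcurl's or MIT krb5's code: `build_spn_literal` mimics what the report describes (the URL host pasted in verbatim, so an IP literal yields an instance the KDC will not match), while `build_spn_canonical` does the reverse-lookup step the reply points at, here done in the application with a pluggable resolver instead of inside the library via rdns=true. The PTR table is constructed so the example runs offline; daffodil.mit.edu is the name from the MIT document quoted above and 192.0.2.10 is a made-up documentation address. The lowercasing of the instance is this example's choice, not something the thread states.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Constructed PTR table standing in for reverse DNS so the example runs offline.
# daffodil.mit.edu is the hostname from the quoted MIT doc; the address is made up.
FAKE_PTR_TABLE: Dict[str, str] = {
    "192.0.2.10": "daffodil.mit.edu",
}

Resolver = Callable[[str], Optional[str]]


def fake_reverse_lookup(ip: str) -> Optional[str]:
    """Offline stand-in for a PTR query: the hostname, or None if there is no record."""
    return FAKE_PTR_TABLE.get(ip)


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Real PTR query through the system resolver (not used by the offline checks)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def url_host_to_ip_literal(host: str) -> Optional[str]:
    """Return the address if the URL host is an IP literal ('192.0.2.10' or '[::1]'), else None."""
    bare = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(bare)
    except ValueError:
        return None
    return bare


def build_spn_literal(service: str, host: str) -> str:
    """The behaviour the report describes: '<service>/<host>' with the URL host used verbatim."""
    return f"{service}/{host}"


def build_spn_canonical(service: str, host: str, resolver: Resolver = fake_reverse_lookup) -> str:
    """Build the SPN with the instance forced to be a hostname.

    If the URL host is an IP literal, ask the resolver for its PTR name (the step
    krb5's rdns setting performs inside the library). Fail loudly when there is
    no PTR record instead of emitting an instance the service cannot accept.
    """
    ip = url_host_to_ip_literal(host)
    if ip is None:
        return f"{service}/{host.lower()}"
    name = resolver(ip)
    if not name:
        raise LookupError(f"no reverse DNS name for {ip}; cannot form a hostname-based SPN")
    return f"{service}/{name.lower()}"


def spn_instance_is_hostname(spn: str) -> bool:
    """Sanity check on a finished SPN: the instance part must not be an IP literal."""
    _, _, instance = spn.partition("/")
    return bool(instance) and url_host_to_ip_literal(instance) is None


if __name__ == "__main__":
    print(build_spn_literal("HTTP", "192.0.2.10"))      # instance is an IP: KDC ticket unusable
    print(build_spn_canonical("HTTP", "192.0.2.10"))    # instance is the PTR name
```

Pass `resolver=system_reverse_lookup` to use real reverse DNS. Either way, the caveat that comes with rdns=true applies: a PTR answer is not authenticated, so whoever controls the reverse zone for the address chooses which service principal the client asks the KDC for, which is why the MIT krb5.conf documentation describes rdns=false as the more secure setting at the cost of requiring fully qualified hostnames in URLs.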