Yeah, that works! Isaac, thanks a lot! Just curious, is this the right to do this or should libcurl explicitly does the rnds lookup? The spn name with the ip address is not a valid name anyway I guess.
Best regards, Bill On Sun, Oct 18, 2015 at 2:12 AM, Isaac Boukris <[email protected]> wrote: > Hi, > > On Sun, Oct 18, 2015 at 3:03 AM, Wenlong Dong <[email protected]> wrote: > > Hi, > > > > When Curl forms the service principal given the service name, it simply > > formats the service principal name with "<service_name>/<host_name>" in > > Curl_sasl_build_spn. The "<host_name>" is basically the host name part of > > the URL. So if the host name is an IP address, the SPN would be wrong > > according to the following doc: > > > http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html > >>> In the case of a host, the instance is the fully qualified hostname, > >>> e.g., daffodil.mit.edu. > > > > Because of this, the kerberos ticket generated by KDC is unusable by the > > service. What's worse is that JDK would pass on calling > > GSSContext.acceptSecContext() silently but in fact it could not even get > the > > client's principal name. This affects SPNEGO scenario for libcurl. > > > > Could libcurl perform a reverse DNS lookup to get the fully qualified > > hostname? > > I think you might be able to achieve this at the KRB library level > ('rdns=true' under 'libdefaults' in 'krb5.conf'). > > HTH > ------------------------------------------------------------------- > List admin: http://cool.haxx.se/list/listinfo/curl-library > Etiquette: http://curl.haxx.se/mail/etiquette.html
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
