Isaac and all,

Does gssapi or libcurl allow per session setting for rdns lookup? Changing the rdns setting in machine-level krb5.conf has quite some impact normally.

Thanks,
Bill

On Sun, Oct 18, 2015 at 2:35 PM, Isaac Boukris <[email protected]> wrote:
>
> On Oct 19, 2015 12:20 AM, "Wenlong Dong" <[email protected]> wrote:
> >
> > Yeah, that works! Isaac, thanks a lot! Just curious, is this the right
> > way to do this or should libcurl explicitly do the rdns lookup? The spn
> > name with the ip address is not a valid name anyway I guess.
>
> I think the gssapi library is a better place for name canonization.
>
> > On Sun, Oct 18, 2015 at 2:12 AM, Isaac Boukris <[email protected]> wrote:
> >>
> >> Hi,
> >>
> >> On Sun, Oct 18, 2015 at 3:03 AM, Wenlong Dong <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > When Curl forms the service principal given the service name, it simply
> >> > formats the service principal name with "<service_name>/<host_name>" in
> >> > Curl_sasl_build_spn. The "<host_name>" is basically the host name part of
> >> > the URL. So if the host name is an IP address, the SPN would be wrong
> >> > according to the following doc:
> >> > http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html
> >> >>> In the case of a host, the instance is the fully qualified hostname,
> >> >>> e.g., daffodil.mit.edu.
> >> >
> >> > Because of this, the kerberos ticket generated by KDC is unusable by the
> >> > service. What's worse is that JDK would pass on calling
> >> > GSSContext.acceptSecContext() silently but in fact it could not even get the
> >> > client's principal name. This affects SPNEGO scenario for libcurl.
> >> >
> >> > Could libcurl perform a reverse DNS lookup to get the fully qualified
> >> > hostname?
> >>
> >> I think you might be able to achieve this at the KRB library level
> >> ('rdns=true' under 'libdefaults' in 'krb5.conf').
> >>
> >> HTH
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
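The SPN problem described in the first message of this thread, as a pre-flight check (an added example, not code from curl or from the posters): it formats `<service_name>/<host_name>` as the thread describes and reports when the host part is an IP literal, which will not match a host-based principal unless the Kerberos library canonicalizes it. The names `host_is_ip_literal` and `build_spn_checked`, the `HTTP` service name and the sample hosts are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if host is an IPv4/IPv6 literal, else 0.
   Accepts the bracketed form used in URLs, e.g. "[2001:db8::1]".
   IPv6 zone IDs ("%eth0") are not handled and count as non-literals. */
int host_is_ip_literal(const char *host)
{
    unsigned char addr[sizeof(struct in6_addr)];
    char inner[INET6_ADDRSTRLEN + 1];
    size_t n = strlen(host);

    if (n >= 2 && host[0] == '[' && host[n - 1] == ']') {
        if (n - 2 >= sizeof(inner))
            return 0;
        memcpy(inner, host + 1, n - 2);
        inner[n - 2] = '\0';
        host = inner;
    }
    return inet_pton(AF_INET, host, addr) == 1 ||
           inet_pton(AF_INET6, host, addr) == 1;
}

/* Hypothetical helper: writes "<service>/<host>" into out.
   Returns 0 if the SPN uses a hostname, 1 if it was written but the
   host is an IP literal, -1 on empty input or a too-small buffer. */
int build_spn_checked(const char *service, const char *host,
                      char *out, size_t outlen)
{
    int n;

    if (!service || !host || !*service || !*host)
        return -1;
    n = snprintf(out, outlen, "%s/%s", service, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return host_is_ip_literal(host) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample hosts; 192.0.2.10 and 2001:db8::1 are documentation ranges. */
    const char *hosts[] = { "daffodil.mit.edu", "192.0.2.10", "[2001:db8::1]" };
    char spn[256];
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        int rc = build_spn_checked("HTTP", hosts[i], spn, sizeof(spn));
        printf("%-24s rc=%d%s\n", spn, rc, rc == 1 ? "  (IP literal in SPN)" : "");
    }
    return 0;
}
```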
