On Tue, Jul 25, 2017 at 09:47:18AM +0300, Heikki Lindholm wrote:
>

> On 24.07.2017 19:40, Roland C. Dowdeswell wrote:
> >On Sun, Jul 23, 2017 at 08:23:52AM +0300, Heikki Lindholm wrote:
> >>
> >
> >>The Heimdal version identifies itself as 1.5.2. The main problem is that
> >>Heimdal doesn't appear to use /etc/hosts for looking up the KDC's IP
> >>address, but goes to DNS, and fails.
> >
> >1.5.2 is quite old and, IIRC, I've seen this before.  You can work
> >around it by adding the kdc name with a dot at the end as an alias in
> >the hosts file.
> 
> Thank you very much. That trick did it. It's weird, though. I would have
> likely never arrived at the same solution by myself.

It's a work-around in the Heimdal code which appends a trailing dot to
hostnames when looking them up to avoid the DNS search path specified
in /etc/resolv.conf.  Viktor and I discussed relaxing this yesterday
because we believe that it is counter-intuitive.  It certainly confused
me, but I worked it out by reading the code rather than the documentation.
The approach that we think will work in the short term is to append the
trailing dot iff the hostname came from DNS SRV RRs as they should not
honour the DNS search path.  The existing behaviour will be able to be
replicated by those who are using /etc/krb5.conf by appending their own
trailing dot to the configured names.

In the longer term, we should likely stop using getaddrinfo(3) for names
obtained from DNS SRV RRs and directly query DNS for them as this matches
expectations.  That is: you wouldn't expect that if you find

_kerberos._udp.my.realm IN SRV 0 0 88 foo.my.realm

that an entry for foo.my.realm in /etc/hosts would then override the
DNS for it.

-- 
    Roland C. Dowdeswell

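As an added illustration (not Heimdal's code), the lookup rule Roland describes, modelled in Python over a constructed hosts file: the 1.5.2 behaviour appends the trailing dot to every KDC name before the resolver sees it, while the proposed rule appends it only to names obtained from DNS SRV RRs. The function names, the 192.0.2.10 address and the kdc.my.realm name are assumptions for the example.

```python
"""Model of the Heimdal 1.5.2 KDC-name lookup behaviour discussed in the
thread, and of the proposed change (trailing dot only for SRV-derived names).
Added illustration, not Heimdal code; the hosts-file contents are constructed."""

# Constructed /etc/hosts contents: the second variant carries the workaround
# alias with the trailing dot that makes the 1.5.2 lookup succeed.
HOSTS_WITHOUT_ALIAS = """
127.0.0.1   localhost
192.0.2.10  kdc.my.realm
"""

HOSTS_WITH_ALIAS = """
127.0.0.1   localhost
192.0.2.10  kdc.my.realm kdc.my.realm.
"""


def parse_hosts(text):
    """Return {name: address} for every hostname and alias in hosts-file text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            table.setdefault(name, fields[0])  # first entry for a name wins
    return table


def kdc_lookup_name(name, from_srv, old_behaviour):
    """Name actually handed to the resolver (getaddrinfo(3) in Heimdal).

    old_behaviour=True  : Heimdal 1.5.2 appends a dot to every name so the
                          resolv.conf search path is never applied.
    old_behaviour=False : the proposed rule, a dot only when the name came
                          from a DNS SRV record (those must not honour the
                          search path); krb5.conf names are passed as written."""
    if name.endswith("."):
        return name
    if old_behaviour or from_srv:
        return name + "."
    return name


def resolve(hosts_text, name, from_srv, old_behaviour):
    """Look the KDC name up in /etc/hosts as a literal-match resolver does.
    None means the hosts file gave no answer (Heimdal then falls through to DNS)."""
    return parse_hosts(hosts_text).get(kdc_lookup_name(name, from_srv, old_behaviour))
```

Running `resolve(HOSTS_WITHOUT_ALIAS, "kdc.my.realm", False, True)` reproduces the failure from the thread (the dotted name matches nothing), and the same call against `HOSTS_WITH_ALIAS` shows why the trailing-dot alias fixes it.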