[ https://issues.apache.org/jira/browse/KUDU-2032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16127859#comment-16127859 ]
Todd Lipcon commented on KUDU-2032:
-----------------------------------
Just dropping a few more notes from more reading I did today:
There are actually two relevant krb5 configs related to service name canonicalization: *dns_canonicalize_hostname* and *rdns*
- *dns_canonicalize_hostname* seems to be rarely changed from its default (true). If this is set, krb5 calls getaddrinfo(host) with AI_CANONNAME set, and then uses the returned 'canonhost' if set.
- *rdns* - if set, and the previous DNS query returned an address, then it does a reverse lookup using getnameinfo(), and if that succeeds, uses that instead to replace the above 'canonhost'.
The code is in the {{canon_hostname}} function in {{sn2princ.c}} file in the krb5 source.
> Kerberos authentication fails with rdns disabled in krb5.conf
> -------------------------------------------------------------
>
> Key: KUDU-2032
> URL: https://issues.apache.org/jira/browse/KUDU-2032
> Project: Kudu
> Issue Type: Bug
> Components: security
> Affects Versions: 1.3.1, 1.4.0
> Reporter: Todd Lipcon
> Priority: Critical
>
> Currently if 'rdns = false' is configured in krb5.conf, Kudu ends up using
> the IP addresses of remote hosts instead of the hostnames. This means that it
> will look for krb5 principals by IP, even if actual hostnames have been
> passed instead.
> This prevents krb5 from working properly in most environments where
> rdns=false is set.
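As an added illustration (not code from this issue, from Kudu or from krb5), a Python model of the canon_hostname() decision flow described in the comment above, with getaddrinfo()/getnameinfo() replaced by a constructed lookup table so it runs offline; the hostnames, addresses and realm are constructed, and the point it shows is why a caller that hands krb5 an IP address gets an IP-based principal once rdns is turned off.

```python
"""Model of krb5 canon_hostname() (sn2princ.c) with stubbed DNS lookups.
Added example; lookups come from a constructed table, not real DNS."""
import ipaddress
from dataclasses import dataclass

# Constructed records standing in for getaddrinfo()/getnameinfo().
FORWARD = {  # input name -> (AI_CANONNAME result, address)
    "kudu-ts1": ("kudu-ts1.example.internal", "10.0.0.11"),
    "kudu-ts1.example.internal": ("kudu-ts1.example.internal", "10.0.0.11"),
}
REVERSE = {"10.0.0.11": "kudu-ts1.example.internal"}


@dataclass
class Krb5Conf:
    dns_canonicalize_hostname: bool = True  # krb5 default
    rdns: bool = True                       # krb5 default


def getaddrinfo_canon(host):
    """Stub of getaddrinfo(host, AI_CANONNAME). For an IP literal the
    canonical name is just the address text (glibc behaviour); for a
    known name, the constructed FQDN and address; otherwise (None, None)."""
    try:
        ip = ipaddress.ip_address(host)
        return str(ip), str(ip)
    except ValueError:
        return FORWARD.get(host, (None, None))


def getnameinfo_stub(addr):
    """Stub of a reverse (PTR) lookup via getnameinfo()."""
    return REVERSE.get(addr)


def canon_hostname(host, conf):
    """Apply the two knobs in the order the comment describes, then lowercase
    the result as krb5 does."""
    if not conf.dns_canonicalize_hostname:
        return host.lower()
    canonhost, addr = getaddrinfo_canon(host)
    if canonhost is None:
        return host.lower()
    if conf.rdns and addr is not None:
        rev = getnameinfo_stub(addr)
        if rev is not None:
            canonhost = rev  # reverse result replaces canonhost
    return canonhost.lower()


def service_principal(service, host, conf, realm="EXAMPLE.INTERNAL"):
    """Service principal name krb5 would look for (constructed realm)."""
    return f"{service}/{canon_hostname(host, conf)}@{realm}"
```

With rdns=true an IP-address input is repaired into a hostname by the reverse lookup; with rdns=false the same input yields kudu/10.0.0.11@REALM, while a hostname input is still canonicalized normally.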