> This is used for the password-changing service, but unfortunately the
> RPC code used for the kadmin program still looks up admin_server, and
> uses the first IP address found when looking up that hostname. No
> DNS, one hostname, one address, no service-location plugin support,
> no IPv6. These do need to be fixed....
That's sad. But you're right, there is a kadm5_config_params structure which contains the field char *admin_server, which can be set by krb5/src/kadmin/cli/kadmin.c (as a command line "here is the server" option), or by krb5/src/lib/kadm5/alt_prof.c based on krb5.conf stuff:

    [realms]
        XXX = {
            admin_server = YYY
        }

It's used by krb5/src/lib/kadm5/clnt/client_init.c, where the string is used as a parameter to gethostbyname -- and, as you point out, only the first address returned is passed as a parameter to clnttcp_create.

Looks like it should be possible to use

    krb5int_locate_server(?, ?, ?, locate_service_kadmin, SOCK_STREAM, AF_INET);

(or, as you say, equivalent IPv6 logic), presumably followed by some sort of loop based on whatever comes back in addrlist, looping to connect, and returning the first connection that also succeeds with clnttcp_create, plus some sort of application hook for "kadmin -s host:port" to override the behavior of krb5int_locate_server.

IPv6 support raises the question of an IPv6 portmapper, even though your code doesn't actually need this...

-Marcus

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
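The connect loop Marcus sketches, written out as an added example that is not part of this thread and not the MIT krb5 source: a "host[:port]" override is parsed (bracketed IPv6 literals allowed), the name is resolved with getaddrinfo(3) for both IPv4 and IPv6 instead of taking only the first gethostbyname(3) answer, and every candidate address is tried in turn until one connect(2) succeeds. The function names, the "[v6]:port" override syntax, and the default port 749 (the assumed kadmin/admin port) are assumptions of this example, not part of krb5; krb5int_locate_server is not used here because its signature is not shown on the page. The loopback listener at the bottom exists only so the self-test can exercise the loop offline.

```c
/* Added example, not MIT krb5 code: try every resolved address, not just the first. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define KADMIN_DEFAULT_PORT "749"   /* assumed default for kadmin/admin (kerberos-adm) */

/* Split "host", "host:port" or "[v6addr]:port" into host and port strings.
 * A bare IPv6 literal without brackets is rejected as ambiguous.
 * Returns 0 on success, -1 on malformed input. */
int parse_host_port(const char *spec, char *host, size_t hostlen,
                    char *port, size_t portlen)
{
    const char *h = spec, *hend, *p = NULL;
    if (*spec == '[') {                               /* bracketed IPv6 literal */
        hend = strchr(spec, ']');
        if (hend == NULL) return -1;
        h = spec + 1;
        if (hend[1] == ':') p = hend + 2;
        else if (hend[1] != '\0') return -1;
    } else {
        const char *c = strchr(spec, ':');
        if (c != NULL && strchr(c + 1, ':') != NULL) return -1;  /* "::1" etc. */
        hend = c ? c : spec + strlen(spec);
        if (c) p = c + 1;
    }
    size_t n = (size_t)(hend - h);
    if (n == 0 || n >= hostlen) return -1;
    memcpy(host, h, n);
    host[n] = '\0';
    if (p == NULL) p = KADMIN_DEFAULT_PORT;
    if (*p == '\0' || strlen(p) >= portlen) return -1;
    strcpy(port, p);
    return 0;
}

/* Resolve host/port into a candidate list (AF_UNSPEC = IPv4 and IPv6).
 * Returns the number of candidates, or -1 if resolution failed. */
int resolve_candidates(const char *host, const char *port, struct addrinfo **res)
{
    struct addrinfo hints;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, res) != 0) return -1;
    int n = 0;
    for (struct addrinfo *ai = *res; ai != NULL; ai = ai->ai_next) n++;
    return n;
}

/* Try each candidate in order; return the first connected fd, or -1.
 * This is the loop the thread describes: a dead first address no longer
 * stops the client, and IPv6-only servers are reachable. */
int connect_any(const char *host, const char *port)
{
    struct addrinfo *res = NULL;
    if (resolve_candidates(host, port, &res) <= 0) return -1;
    int fd = -1;
    for (struct addrinfo *ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) continue;
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) break;  /* success */
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Self-test helper: listen on 127.0.0.1 with an ephemeral port (for offline use). */
int start_loopback_listener(char *port, size_t portlen)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 1) < 0) {
        close(lfd);
        return -1;
    }
    socklen_t len = sizeof sa;
    if (getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) { close(lfd); return -1; }
    snprintf(port, portlen, "%u", (unsigned)ntohs(sa.sin_port));
    return lfd;
}

/* Returns 1 when the parser handles the three override forms as intended. */
int selftest_parse(void)
{
    char h[64], p[8];
    if (parse_host_port("kdc.example.test", h, sizeof h, p, sizeof p) != 0) return 0;
    if (strcmp(h, "kdc.example.test") != 0 || strcmp(p, "749") != 0) return 0;
    if (parse_host_port("kdc.example.test:7490", h, sizeof h, p, sizeof p) != 0) return 0;
    if (strcmp(p, "7490") != 0) return 0;
    if (parse_host_port("[::1]:749", h, sizeof h, p, sizeof p) != 0) return 0;
    if (strcmp(h, "::1") != 0) return 0;
    if (parse_host_port("::1", h, sizeof h, p, sizeof p) != -1) return 0;  /* ambiguous */
    return 1;
}

/* Returns 1 when connect_any reaches a loopback listener through the candidate loop. */
int selftest_connect(void)
{
    char port[8];
    int lfd = start_loopback_listener(port, sizeof port);
    if (lfd < 0) return 0;
    int fd = connect_any("127.0.0.1", port);
    int ok = fd >= 0;
    if (fd >= 0) close(fd);
    close(lfd);
    return ok;
}

int main(void)
{
    printf("parse: %s, connect: %s\n",
           selftest_parse() ? "ok" : "FAIL", selftest_connect() ? "ok" : "FAIL");
    return 0;
}
```

The real client would go one step further than this loop and, as the message says, keep the first address for which the RPC-level clnttcp_create also succeeds, since a TCP connect alone does not prove the admin service is listening there.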