[jira] [Commented] (KUDU-2032) Kerberos authentication fails with rdns disabled in krb5.conf

2017-10-05 Thread Attila Bukor (JIRA)

[ 
https://issues.apache.org/jira/browse/KUDU-2032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16193677#comment-16193677
 ] 

Attila Bukor commented on KUDU-2032:


It seems this has been merged into branch-1.4.x and branch-1.3.x now.

> Kerberos authentication fails with rdns disabled in krb5.conf
> -
>
> Key: KUDU-2032
> URL: https://issues.apache.org/jira/browse/KUDU-2032
> Project: Kudu
>  Issue Type: Bug
>  Components: security
>Affects Versions: 1.3.1, 1.4.0
>Reporter: Todd Lipcon
>Assignee: Todd Lipcon
>Priority: Critical
> Fix For: 1.5.0
>
>
> Currently if 'rdns = false' is configured in krb5.conf, Kudu ends up using 
> the IP addresses of remote hosts instead of the hostnames. This means that it 
> will look for krb5 principals by IP, even if actual hostnames have been 
> passed instead.
> This prevents krb5 from working properly in most environments where 
> rdns=false is set.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (KUDU-2032) Kerberos authentication fails with rdns disabled in krb5.conf

2017-08-15 Thread Todd Lipcon (JIRA)

[ 
https://issues.apache.org/jira/browse/KUDU-2032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16127869#comment-16127869
 ] 

Todd Lipcon commented on KUDU-2032:
---

Wrote a quick program to test out the different behavior of the configs on a 
few domain names: https://gist.github.com/a2ca8c434c14520e10da65d47e50e350

{code}
www.cloudera.com

-canon  -rdns   www.cloudera.com
-canon  +rdns   www.cloudera.com
+canon  -rdns   aem-prod-external-elb-1751714427.us-west-1.elb.amazonaws.com
+canon  +rdns   ec2-52-52-88-106.us-west-1.compute.amazonaws.com

localhost

-canon  -rdns   localhost
-canon  +rdns   localhost
+canon  -rdns   localhost
+canon  +rdns   localhost

127.0.0.1

-canon  -rdns   127.0.0.1
-canon  +rdns   127.0.0.1
+canon  -rdns   127.0.0.1
+canon  +rdns   localhost
{code}



[jira] [Commented] (KUDU-2032) Kerberos authentication fails with rdns disabled in krb5.conf

2017-08-15 Thread Todd Lipcon (JIRA)

[ 
https://issues.apache.org/jira/browse/KUDU-2032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16127859#comment-16127859
 ] 

Todd Lipcon commented on KUDU-2032:
---

Just dropping a few more notes from more reading I did today:

There are actually two relevant krb5 configs related to service name 
canonicalization: *dns_canonicalize_hostname* and *rdns*

- *dns_canonicalize_hostname* seems to be rarely changed from its default 
(true). If this is set, krb5 calls getaddrinfo(host) with AI_CANONNAME set, and 
then uses the returned 'canonhost' if set.
- *rdns* - if set, and the previous DNS query returned an address, then it does 
a reverse lookup using getnameinfo(), and if that succeeds, uses that instead 
to replace the above 'canonhost'.

The code is in the {{canon_hostname}} function in {{sn2princ.c}} file in the 
krb5 source.
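The following is an added example, not krb5, Kudu or the commenter's code (the gist linked in the previous comment is separate and not reproduced here). It is a stand-alone C model of the logic the comment above describes for canon_hostname() in sn2princ.c: a forward getaddrinfo() with AI_CANONNAME when dns_canonicalize_hostname is set, followed by a getnameinfo() reverse lookup when rdns is also set, and then lower-casing and stripping of trailing dots. It assumes, as an approximation of krb5's behaviour, that a failed lookup leaves the caller's name unchanged. The principal names, realm EXAMPLE.COM and host names in main() are constructed for illustration; the 127.0.0.1 rows reproduce the table from the earlier comment and show why a client that hands krb5 an address instead of a name ends up asking for an IP-based principal as soon as rdns = false.

```c
/* Added example modelling krb5's canon_hostname(); not krb5 or Kudu code. */
#define _GNU_SOURCE          /* expose getaddrinfo/getnameinfo under strict -std */
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define HOSTLEN 1025         /* same size as NI_MAXHOST on glibc */

/* Lower-case the name and strip trailing dots, the post-processing krb5
 * applies so that principal names compare consistently. */
static void normalize_host(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && s[n - 1] == '.')
        s[--n] = '\0';
    for (size_t i = 0; i < n; i++)
        s[i] = (char)tolower((unsigned char)s[i]);
}

/*
 * canon mirrors dns_canonicalize_hostname, rdns mirrors rdns in krb5.conf.
 * Returns 0 if no lookup changed the name, 1 if the forward canonical name
 * was used, 2 if the reverse (PTR) name replaced it. Assumption: on a failed
 * lookup the original name is kept, as krb5 does for non-fatal errors.
 */
int canon_hostname(const char *host, int canon, int rdns, char *out, size_t outlen)
{
    struct addrinfo hint, *ai = NULL;
    char rev[HOSTLEN];
    int used = 0;

    snprintf(out, outlen, "%s", host);          /* default: name as given */
    if (canon) {
        memset(&hint, 0, sizeof hint);
        hint.ai_flags = AI_CANONNAME;
        if (getaddrinfo(host, NULL, &hint, &ai) == 0) {
            if (ai->ai_canonname != NULL) {
                snprintf(out, outlen, "%s", ai->ai_canonname);
                used = 1;
            }
            /* rdns only applies when the forward lookup returned an address */
            if (rdns && getnameinfo(ai->ai_addr, ai->ai_addrlen, rev, sizeof rev,
                                    NULL, 0, NI_NAMEREQD) == 0) {
                snprintf(out, outlen, "%s", rev);
                used = 2;
            }
            freeaddrinfo(ai);
        }
    }
    normalize_host(out);
    return used;
}

/* Build "service/host@REALM" as a client would before asking the KDC for a
 * service ticket; host is whatever the application handed to krb5. */
const char *service_principal(const char *service, const char *host,
                              const char *realm, int canon, int rdns)
{
    static char princ[2 * HOSTLEN];
    char h[HOSTLEN];
    canon_hostname(host, canon, rdns, h, sizeof h);
    snprintf(princ, sizeof princ, "%s/%s@%s", service, h, realm);
    return princ;
}

int main(void)
{
    /* Constructed inputs. "127.0.0.1" stands for a peer identified by
     * address: only with rdns=true does krb5 turn it back into a hostname;
     * with rdns=false the principal keeps the IP, which no keytab will hold. */
    const char *hosts[] = { "localhost", "127.0.0.1", "Kudu-Master.Example.COM." };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        printf("%s\n", hosts[i]);
        for (int canon = 0; canon <= 1; canon++)
            for (int rdns = 0; rdns <= 1; rdns++)
                printf("  %ccanon %crdns  %s\n", canon ? '+' : '-', rdns ? '+' : '-',
                       service_principal("kudu", hosts[i], "EXAMPLE.COM", canon, rdns));
    }
    return 0;
}
```

Running it on a host with working DNS prints one block per input in the same +canon/-rdns layout as the table above. The rows to compare are +canon -rdns and +canon +rdns for 127.0.0.1: the first yields kudu/127.0.0.1@EXAMPLE.COM, the second a hostname-based principal, which is exactly the difference that broke Kudu when rdns was disabled. The fix on the Kudu side is to pass the hostname to krb5 in the first place rather than rely on the reverse lookup.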
