Revert qualify_shortname changes
This commit is contained in:
parent
d314641a26
commit
710f626f12
@ -1,4 +1,4 @@
|
|||||||
From 3e92520c1417f22447751cd9172d5ab30c2e0ad8 Mon Sep 17 00:00:00 2001
|
From 5f98c9d9ff16f3760ac26304cfdb87bf53bc8628 Mon Sep 17 00:00:00 2001
|
||||||
From: Isaac Boukris <iboukris@gmail.com>
|
From: Isaac Boukris <iboukris@gmail.com>
|
||||||
Date: Fri, 20 Mar 2020 00:17:28 +0100
|
Date: Fri, 20 Mar 2020 00:17:28 +0100
|
||||||
Subject: [PATCH] Add channel bindings tests
|
Subject: [PATCH] Add channel bindings tests
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 2a08fe3d2d1972df4ffe37d4bb64b161889ff988 Mon Sep 17 00:00:00 2001
|
From bb7425941f5d84a53e30721c20fbfc714157f082 Mon Sep 17 00:00:00 2001
|
||||||
From: Isaac Boukris <iboukris@gmail.com>
|
From: Isaac Boukris <iboukris@gmail.com>
|
||||||
Date: Tue, 10 Mar 2020 13:13:17 +0100
|
Date: Tue, 10 Mar 2020 13:13:17 +0100
|
||||||
Subject: [PATCH] Add client_aware_channel_bindings option
|
Subject: [PATCH] Add client_aware_channel_bindings option
|
||||||
@ -20,10 +20,10 @@ ticket: 8900
|
|||||||
3 files changed, 98 insertions(+), 86 deletions(-)
|
3 files changed, 98 insertions(+), 86 deletions(-)
|
||||||
|
|
||||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
||||||
index a7e7a29d1..7f2879640 100644
|
index 1d2aa7f68..1d8ffc1e4 100644
|
||||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
--- a/doc/admin/conf_files/krb5_conf.rst
|
||||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
+++ b/doc/admin/conf_files/krb5_conf.rst
|
||||||
@@ -382,6 +382,12 @@ The libdefaults section may contain any of the following relations:
|
@@ -383,6 +383,12 @@ The libdefaults section may contain any of the following relations:
|
||||||
credentials will fail if the client machine does not have a
|
credentials will fail if the client machine does not have a
|
||||||
keytab. The default value is false.
|
keytab. The default value is false.
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From bedbb5ee1ad821b91f00d30361985e6863c0e6ba Mon Sep 17 00:00:00 2001
|
From 297857dec4f82a802caa734670b57f0a18d942e2 Mon Sep 17 00:00:00 2001
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
Date: Sat, 11 Jul 2020 21:57:30 -0400
|
Date: Sat, 11 Jul 2020 21:57:30 -0400
|
||||||
Subject: [PATCH] Allow gss_unwrap_iov() of unpadded RC4 tokens
|
Subject: [PATCH] Allow gss_unwrap_iov() of unpadded RC4 tokens
|
||||||
|
@ -1,371 +0,0 @@
|
|||||||
From 07179e38e5ee72e82ebc77a1c8d73e34905268b7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
|
||||||
Date: Wed, 27 May 2020 18:48:35 -0400
|
|
||||||
Subject: [PATCH] Default dns_canonicalize_hostname to "fallback"
|
|
||||||
|
|
||||||
This change should mitigate some of the pain caused by the rdns=true
|
|
||||||
default (generally associated with unwanted PTR records that cannot
|
|
||||||
easily be changed), with a minimum of fallout.
|
|
||||||
|
|
||||||
Update the documentation and tests accordingly. In test environments,
|
|
||||||
disable qualify_shortname and use the uncanonicalized system hostname
|
|
||||||
(lowercased) to match the initial sn2princ result.
|
|
||||||
|
|
||||||
ticket: 8911 (new)
|
|
||||||
---
|
|
||||||
doc/admin/appl_servers.rst | 14 +++---
|
|
||||||
doc/admin/conf_files/krb5_conf.rst | 9 ++--
|
|
||||||
doc/admin/princ_dns.rst | 44 +++++++++++--------
|
|
||||||
src/kadmin/testing/proto/krb5.conf.proto | 8 ++--
|
|
||||||
src/kadmin/testing/scripts/env-setup.shin | 4 +-
|
|
||||||
src/kadmin/testing/scripts/init_db | 3 +-
|
|
||||||
src/kadmin/testing/scripts/start_servers | 3 +-
|
|
||||||
.../testing/scripts/start_servers_local | 2 +-
|
|
||||||
.../kadm5/unit-test/api.current/init-v2.exp | 6 +--
|
|
||||||
src/lib/krb5/krb/init_ctx.c | 2 +-
|
|
||||||
src/tests/dejagnu/config/default.exp | 5 +--
|
|
||||||
src/tests/t_sn2princ.py | 5 ++-
|
|
||||||
src/util/k5test.py | 25 +++--------
|
|
||||||
13 files changed, 58 insertions(+), 72 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/admin/appl_servers.rst b/doc/admin/appl_servers.rst
|
|
||||||
index 5232db9af..afdf30297 100644
|
|
||||||
--- a/doc/admin/appl_servers.rst
|
|
||||||
+++ b/doc/admin/appl_servers.rst
|
|
||||||
@@ -115,14 +115,12 @@ Getting DNS information correct
|
|
||||||
-------------------------------
|
|
||||||
|
|
||||||
Several aspects of Kerberos rely on name service. When a hostname is
|
|
||||||
-used to name a service, the Kerberos library canonicalizes the
|
|
||||||
-hostname using forward and reverse name resolution. (The reverse name
|
|
||||||
-resolution step can be turned off using the **rdns** variable in
|
|
||||||
-:ref:`libdefaults`.) The result of this canonicalization must match
|
|
||||||
-the principal entry in the host's keytab, or authentication will fail.
|
|
||||||
-
|
|
||||||
-Each host's canonical name must be the fully-qualified host name
|
|
||||||
-(including the domain), and each host's IP address must
|
|
||||||
+used to name a service, clients may canonicalize the hostname using
|
|
||||||
+forward and possibly reverse name resolution. The result of this
|
|
||||||
+canonicalization must match the principal entry in the host's keytab,
|
|
||||||
+or authentication will fail. To work with all client canonicalization
|
|
||||||
+configurations, each host's canonical name must be the fully-qualified
|
|
||||||
+host name (including the domain), and each host's IP address must
|
|
||||||
reverse-resolve to the canonical name.
|
|
||||||
|
|
||||||
Configuration of hostnames varies by operating system. On the
|
|
||||||
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
|
||||||
index 1d2aa7f68..a7e7a29d1 100644
|
|
||||||
--- a/doc/admin/conf_files/krb5_conf.rst
|
|
||||||
+++ b/doc/admin/conf_files/krb5_conf.rst
|
|
||||||
@@ -188,11 +188,10 @@ The libdefaults section may contain any of the following relations:
|
|
||||||
hostnames for use in service principal names. Setting this flag
|
|
||||||
to false can improve security by reducing reliance on DNS, but
|
|
||||||
means that short hostnames will not be canonicalized to
|
|
||||||
- fully-qualified hostnames. The default value is true.
|
|
||||||
-
|
|
||||||
- If this option is set to ``fallback`` (new in release 1.18), DNS
|
|
||||||
- canonicalization will only be performed the server hostname is not
|
|
||||||
- found with the original name when requesting credentials.
|
|
||||||
+ fully-qualified hostnames. If this option is set to ``fallback`` (new
|
|
||||||
+ in release 1.18), DNS canonicalization will only be performed the
|
|
||||||
+ server hostname is not found with the original name when
|
|
||||||
+ requesting credentials. The default value is ``fallback``.
|
|
||||||
|
|
||||||
**dns_lookup_kdc**
|
|
||||||
Indicate whether DNS SRV records should be used to locate the KDCs
|
|
||||||
diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst
|
|
||||||
index e1d823f27..32a269afc 100644
|
|
||||||
--- a/doc/admin/princ_dns.rst
|
|
||||||
+++ b/doc/admin/princ_dns.rst
|
|
||||||
@@ -31,27 +31,35 @@ based on rotating ``CNAME`` records in DNS.
|
|
||||||
Service principal canonicalization
|
|
||||||
----------------------------------
|
|
||||||
|
|
||||||
-MIT Kerberos clients currently always do forward resolution (looking
|
|
||||||
-up the IPv4 and possibly IPv6 addresses using ``getaddrinfo()``) of
|
|
||||||
-the hostname part of a host-based service principal to canonicalize
|
|
||||||
-the hostname. They obtain the "canonical" name of the host when doing
|
|
||||||
-so. By default, MIT Kerberos clients will also then do reverse DNS
|
|
||||||
-resolution (looking up the hostname associated with the IPv4 or IPv6
|
|
||||||
-address using ``getnameinfo()``) of the hostname. Using the
|
|
||||||
-:ref:`krb5.conf(5)` setting::
|
|
||||||
+In the MIT krb5 client library, canonicalization of host-based service
|
|
||||||
+principals is controlled by the **dns_canonicalize_hostname**,
|
|
||||||
+**rnds**, and **qualify_shortname** variables in :ref:`libdefaults`.
|
|
||||||
|
|
||||||
- [libdefaults]
|
|
||||||
- rdns = false
|
|
||||||
+If **dns_canonicalize_hostname** is set to ``true`` (the default value
|
|
||||||
+before release 1.19), the client performs forward resolution by
|
|
||||||
+looking up the IPv4 and/or IPv6 addresses of the hostname using
|
|
||||||
+``getaddrinfo()``. This process will typically add a domain suffix to
|
|
||||||
+the hostname if needed, and follow CNAME records in the DNS. If
|
|
||||||
+**rdns** is also set to ``true`` (the default), the client will then
|
|
||||||
+perform a reverse lookup of the first returned Internet address using
|
|
||||||
+``getnameinfo()``, finding the name associated with the PTR record.
|
|
||||||
|
|
||||||
-will disable reverse DNS lookup on clients. The default setting is
|
|
||||||
-"true".
|
|
||||||
+If **dns_canonicalize_hostname** is set to ``false``, the hostname is
|
|
||||||
+not canonicalized using DNS. If the hostname has only one component
|
|
||||||
+(i.e. it contains no "." characters), the host's primary DNS search
|
|
||||||
+domain will be appended, if there is one. The **qualify_shortname**
|
|
||||||
+variable can be used to override or disable this suffix.
|
|
||||||
+
|
|
||||||
+If **dns_canonicalize_hostname** is set to ``fallback`` (the default
|
|
||||||
+value in release 1.19 and later), the hostname is initially treated
|
|
||||||
+according to the rules for ``dns_canonicalize_hostname=false``. If a
|
|
||||||
+ticket request fails because the service principal is unknown, it the
|
|
||||||
+hostname will be canonicalized according to the rules for
|
|
||||||
+``dns_canonicalize_hostname=true`` and the request will be retried.
|
|
||||||
+
|
|
||||||
+In all cases, the hostname is converted to lowercase, and any trailing
|
|
||||||
+dot is removed.
|
|
||||||
|
|
||||||
-Operating system bugs may prevent a setting of ``rdns = false`` from
|
|
||||||
-disabling reverse DNS lookup. Some versions of GNU libc have a bug in
|
|
||||||
-``getaddrinfo()`` that cause them to look up ``PTR`` records even when
|
|
||||||
-not required. MIT Kerberos releases krb5-1.10.2 and newer have a
|
|
||||||
-workaround for this problem, as does the krb5-1.9.x series as of
|
|
||||||
-release krb5-1.9.4.
|
|
||||||
|
|
||||||
|
|
||||||
Reverse DNS mismatches
|
|
||||||
diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto
|
|
||||||
index e710852d4..c0af716a5 100644
|
|
||||||
--- a/src/kadmin/testing/proto/krb5.conf.proto
|
|
||||||
+++ b/src/kadmin/testing/proto/krb5.conf.proto
|
|
||||||
@@ -2,19 +2,19 @@
|
|
||||||
default_realm = __REALM__
|
|
||||||
default_keytab_name = FILE:__K5ROOT__/keytab
|
|
||||||
dns_fallback = no
|
|
||||||
+ qualify_shortname = ""
|
|
||||||
plugin_base_dir = __PLUGIN_DIR__
|
|
||||||
allow_weak_crypto = true
|
|
||||||
|
|
||||||
[realms]
|
|
||||||
__REALM__ = {
|
|
||||||
- kdc = __KDCHOST__:1750
|
|
||||||
- admin_server = __KDCHOST__:1751
|
|
||||||
+ kdc = __HOSTNAME__:1750
|
|
||||||
+ admin_server = __HOSTNAME__:1751
|
|
||||||
database_module = foobar_db2_module_blah
|
|
||||||
}
|
|
||||||
|
|
||||||
[domain_realm]
|
|
||||||
- __LOCALHOST__ = __REALM__
|
|
||||||
- __KDCHOST__ = __REALM__
|
|
||||||
+ __HOSTNAME__ = __REALM__
|
|
||||||
|
|
||||||
[logging]
|
|
||||||
admin_server = FILE:__K5ROOT__/syslog
|
|
||||||
diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin
|
|
||||||
index 969c5340c..88f8ad1aa 100755
|
|
||||||
--- a/src/kadmin/testing/scripts/env-setup.shin
|
|
||||||
+++ b/src/kadmin/testing/scripts/env-setup.shin
|
|
||||||
@@ -71,8 +71,8 @@ BSDDB_DUMP=$TESTDIR/util/bsddb_dump; export BSDDB_DUMP
|
|
||||||
CLNTTCL=$TESTDIR/util/kadm5_clnt_tcl; export CLNTTCL
|
|
||||||
SRVTCL=$TESTDIR/util/kadm5_srv_tcl; export SRVTCL
|
|
||||||
|
|
||||||
-QUALNAME=`$BUILDTOP/tests/resolve/resolve -q | tr '[A-Z]' '[a-z]'`
|
|
||||||
-export QUALNAME
|
|
||||||
+HOSTNAME=`hostname | tr '[A-Z]' '[a-z]'`
|
|
||||||
+export HOSTNAME
|
|
||||||
|
|
||||||
KRB5_CONFIG=$K5ROOT/krb5.conf; export KRB5_CONFIG
|
|
||||||
KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE
|
|
||||||
diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db
|
|
||||||
index e65826c96..216f62793 100755
|
|
||||||
--- a/src/kadmin/testing/scripts/init_db
|
|
||||||
+++ b/src/kadmin/testing/scripts/init_db
|
|
||||||
@@ -79,8 +79,7 @@ fi
|
|
||||||
# done
|
|
||||||
|
|
||||||
sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \
|
|
||||||
- -e "s/__KDCHOST__/$QUALNAME/g" \
|
|
||||||
- -e "s/__LOCALHOST__/$QUALNAME/g" \
|
|
||||||
+ -e "s/__HOSTNAME__/$HOSTNAME/g" \
|
|
||||||
-e "s#__MODDIR__#$MODDIR#g" \
|
|
||||||
< $STESTDIR/proto/krb5.conf.proto > $K5ROOT/krb5.conf
|
|
||||||
sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \
|
|
||||||
diff --git a/src/kadmin/testing/scripts/start_servers b/src/kadmin/testing/scripts/start_servers
|
|
||||||
index f23df0682..05519e4ee 100755
|
|
||||||
--- a/src/kadmin/testing/scripts/start_servers
|
|
||||||
+++ b/src/kadmin/testing/scripts/start_servers
|
|
||||||
@@ -36,8 +36,7 @@ if [ $local = 0 ]; then
|
|
||||||
|
|
||||||
# Fix up the local krb5.conf to point to the remote
|
|
||||||
sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \
|
|
||||||
- -e "s/__KDCHOST__/$hostname/g" \
|
|
||||||
- -e "s/__LOCALHOST__/$QUALNAME/g" \
|
|
||||||
+ -e "s/__HOSTNAME__/$HOSTNAME/g" \
|
|
||||||
-e "s#__MODDIR__#$TOP/../plugins/kdb#g"\
|
|
||||||
-e "s#__PLUGIN_DIR__#$TOP/../plugins#g"\
|
|
||||||
< $STESTDIR/proto/krb5.conf.proto > $K5ROOT/krb5.conf
|
|
||||||
diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local
|
|
||||||
index 998ef9164..858e88031 100755
|
|
||||||
--- a/src/kadmin/testing/scripts/start_servers_local
|
|
||||||
+++ b/src/kadmin/testing/scripts/start_servers_local
|
|
||||||
@@ -79,7 +79,7 @@ cat - > /tmp/start_servers_local$$ <<\EOF
|
|
||||||
if { [catch {
|
|
||||||
source $env(STOP)/testing/tcl/util.t
|
|
||||||
set r $env(REALM)
|
|
||||||
- set q $env(QUALNAME)
|
|
||||||
+ set q $env(HOSTNAME)
|
|
||||||
puts stdout [kadm5_init $env(SRVTCL) mrroot null \
|
|
||||||
[config_params {KADM5_CONFIG_REALM} $r] \
|
|
||||||
$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 server_handle]
|
|
||||||
diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/unit-test/api.current/init-v2.exp
|
|
||||||
index 7a353d4e9..47764c212 100644
|
|
||||||
--- a/src/lib/kadm5/unit-test/api.current/init-v2.exp
|
|
||||||
+++ b/src/lib/kadm5/unit-test/api.current/init-v2.exp
|
|
||||||
@@ -3,18 +3,14 @@ load_lib lib.t
|
|
||||||
api_exit
|
|
||||||
api_start
|
|
||||||
|
|
||||||
-if ![info exists RESOLVE] {
|
|
||||||
- set RESOLVE [findfile $objdir/../../../tests/resolve/resolve]
|
|
||||||
-}
|
|
||||||
proc get_hostname { } {
|
|
||||||
- global RESOLVE
|
|
||||||
global hostname
|
|
||||||
|
|
||||||
if {[info exists hostname]} {
|
|
||||||
return 1
|
|
||||||
}
|
|
||||||
|
|
||||||
- catch "exec $RESOLVE -q >myname" exec_output
|
|
||||||
+ catch "exec hostname >myname" exec_output
|
|
||||||
if ![string match "" $exec_output] {
|
|
||||||
send_log "$exec_output\n"
|
|
||||||
verbose $exec_output
|
|
||||||
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
|
|
||||||
index 9a4741fa6..0b8ae6714 100644
|
|
||||||
--- a/src/lib/krb5/krb/init_ctx.c
|
|
||||||
+++ b/src/lib/krb5/krb/init_ctx.c
|
|
||||||
@@ -237,7 +237,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
|
|
||||||
ctx->enforce_ok_as_delegate = tmp;
|
|
||||||
|
|
||||||
retval = get_tristate(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, "fallback",
|
|
||||||
- CANONHOST_FALLBACK, 1, &tmp);
|
|
||||||
+ CANONHOST_FALLBACK, CANONHOST_FALLBACK, &tmp);
|
|
||||||
if (retval)
|
|
||||||
goto cleanup;
|
|
||||||
ctx->dns_canonicalize_hostname = tmp;
|
|
||||||
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
|
|
||||||
index 4d8c917cd..1e7777f1e 100644
|
|
||||||
--- a/src/tests/dejagnu/config/default.exp
|
|
||||||
+++ b/src/tests/dejagnu/config/default.exp
|
|
||||||
@@ -268,7 +268,6 @@ foreach i {
|
|
||||||
{KTUTIL $objdir/../../kadmin/ktutil/ktutil}
|
|
||||||
{KLIST $objdir/../../clients/klist/klist}
|
|
||||||
{KDESTROY $objdir/../../clients/kdestroy/kdestroy}
|
|
||||||
- {RESOLVE $objdir/../resolve/resolve}
|
|
||||||
{T_INETD $objdir/t_inetd}
|
|
||||||
{KPROPLOG $objdir/../../kprop/kproplog}
|
|
||||||
{KPASSWD $objdir/../../clients/kpasswd/kpasswd}
|
|
||||||
@@ -462,7 +461,6 @@ proc setup_runtime_env { } {
|
|
||||||
# 0 on failure.
|
|
||||||
|
|
||||||
proc get_hostname { } {
|
|
||||||
- global RESOLVE
|
|
||||||
global hostname
|
|
||||||
global tmppwd
|
|
||||||
|
|
||||||
@@ -472,7 +470,7 @@ proc get_hostname { } {
|
|
||||||
|
|
||||||
envstack_push
|
|
||||||
setup_runtime_env
|
|
||||||
- catch "exec $RESOLVE -q >$tmppwd/hostname" exec_output
|
|
||||||
+ catch "exec hostname >$tmppwd/hostname" exec_output
|
|
||||||
envstack_pop
|
|
||||||
if ![string match "" $exec_output] {
|
|
||||||
verbose -log $exec_output
|
|
||||||
@@ -710,6 +708,7 @@ proc setup_krb5_conf { {type client} } {
|
|
||||||
puts $conffile "\[libdefaults\]"
|
|
||||||
puts $conffile " default_realm = $REALMNAME"
|
|
||||||
puts $conffile " dns_lookup_kdc = false"
|
|
||||||
+ puts $conffile " qualify_shortname = \"\""
|
|
||||||
if [info exists allow_weak_crypto($type)] {
|
|
||||||
puts $conffile " allow_weak_crypto = $allow_weak_crypto($type)"
|
|
||||||
} else {
|
|
||||||
diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py
|
|
||||||
index 26dcb91c2..f3e187286 100755
|
|
||||||
--- a/src/tests/t_sn2princ.py
|
|
||||||
+++ b/src/tests/t_sn2princ.py
|
|
||||||
@@ -2,7 +2,8 @@ from k5test import *
|
|
||||||
|
|
||||||
offline = (len(args) > 0 and args[0] != "no")
|
|
||||||
|
|
||||||
-conf = {'domain_realm': {'kerberos.org': 'R1',
|
|
||||||
+conf = {'libdefaults': {'dns_canonicalize_hostname': 'true'},
|
|
||||||
+ 'domain_realm': {'kerberos.org': 'R1',
|
|
||||||
'example.com': 'R2',
|
|
||||||
'mit.edu': 'R3'}}
|
|
||||||
no_rdns_conf = {'libdefaults': {'rdns': 'false'}}
|
|
||||||
@@ -28,7 +29,7 @@ def testbase(host, nametype, princhost, princrealm, env=None):
|
|
||||||
fail('Expected %s, got %s' % (expected, out))
|
|
||||||
|
|
||||||
def test(host, princhost, princrealm):
|
|
||||||
- # Test with the host-based name type in the default environment.
|
|
||||||
+ # Test with the host-based name type with canonicalization enabled.
|
|
||||||
testbase(host, 'srv-hst', princhost, princrealm)
|
|
||||||
|
|
||||||
def testnc(host, princhost, princrealm):
|
|
||||||
diff --git a/src/util/k5test.py b/src/util/k5test.py
|
|
||||||
index eea92275d..5196cfa43 100644
|
|
||||||
--- a/src/util/k5test.py
|
|
||||||
+++ b/src/util/k5test.py
|
|
||||||
@@ -193,7 +193,10 @@ Scripts may use the following functions and variables:
|
|
||||||
|
|
||||||
* plugins: The plugin directory in the build tree (absolute path).
|
|
||||||
|
|
||||||
-* hostname: This machine's fully-qualified domain name.
|
|
||||||
+* hostname: The local hostname as it will initially appear in
|
|
||||||
+ krb5_sname_to_principal() results. (Shortname qualification is
|
|
||||||
+ turned off in the test environment to make this value easy to
|
|
||||||
+ discover from Python.)
|
|
||||||
|
|
||||||
* null_input: A file opened to read /dev/null.
|
|
||||||
|
|
||||||
@@ -525,23 +528,6 @@ def _find_srctop():
|
|
||||||
return os.path.abspath(root)
|
|
||||||
|
|
||||||
|
|
||||||
-# Return the local hostname as it will be canonicalized by
|
|
||||||
-# krb5_sname_to_principal. We can't simply use socket.getfqdn()
|
|
||||||
-# because it explicitly prefers results containing periods and
|
|
||||||
-# krb5_sname_to_principal doesn't care.
|
|
||||||
-def _get_hostname():
|
|
||||||
- hostname = socket.gethostname()
|
|
||||||
- try:
|
|
||||||
- ai = socket.getaddrinfo(hostname, None, 0, 0, 0, socket.AI_CANONNAME)
|
|
||||||
- except socket.gaierror as e:
|
|
||||||
- fail('Local hostname "%s" does not resolve: %s.' % (hostname, e[1]))
|
|
||||||
- (family, socktype, proto, canonname, sockaddr) = ai[0]
|
|
||||||
- try:
|
|
||||||
- name = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
|
|
||||||
- except socket.gaierror:
|
|
||||||
- return canonname.lower()
|
|
||||||
- return name[0].lower()
|
|
||||||
-
|
|
||||||
# Parse command line arguments, setting global option variables. Also
|
|
||||||
# sets the global variable args to the positional arguments, which may
|
|
||||||
# be used by the test script.
|
|
||||||
@@ -1263,6 +1249,7 @@ _default_krb5_conf = {
|
|
||||||
'libdefaults': {
|
|
||||||
'default_realm': '$realm',
|
|
||||||
'dns_lookup_kdc': 'false',
|
|
||||||
+ 'qualify_shortname': '',
|
|
||||||
'plugin_base_dir': '$plugins'},
|
|
||||||
'realms': {'$realm': {
|
|
||||||
'kdc': '$hostname:$port0',
|
|
||||||
@@ -1356,7 +1343,7 @@ buildtop = _find_buildtop()
|
|
||||||
srctop = _find_srctop()
|
|
||||||
plugins = os.path.join(buildtop, 'plugins')
|
|
||||||
runenv = _import_runenv()
|
|
||||||
-hostname = _get_hostname()
|
|
||||||
+hostname = socket.gethostname().lower()
|
|
||||||
null_input = open(os.devnull, 'r')
|
|
||||||
|
|
||||||
# A DB pass is a tuple of: name, kdc_conf.
|
|
@ -1,4 +1,4 @@
|
|||||||
From 3f873868fb08b77da2d30e164a0ef6c71c17c607 Mon Sep 17 00:00:00 2001
|
From 63b526ffbdd932dffd5bc1d4a2b3ef6300208fb8 Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Wed, 15 Jul 2020 15:42:20 -0400
|
Date: Wed, 15 Jul 2020 15:42:20 -0400
|
||||||
Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()
|
Subject: [PATCH] Ignore bad enctypes in krb5_string_to_keysalts()
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 3ea1d6296ced3a998e79356f9be212e4c5e6a5d5 Mon Sep 17 00:00:00 2001
|
From bfc91774e1bf67b544d38abe10b41cdb76e30d8c Mon Sep 17 00:00:00 2001
|
||||||
From: Alexander Scheel <ascheel@redhat.com>
|
From: Alexander Scheel <ascheel@redhat.com>
|
||||||
Date: Wed, 5 Jul 2017 11:38:30 -0400
|
Date: Wed, 5 Jul 2017 11:38:30 -0400
|
||||||
Subject: [PATCH] Implement GSS_C_CHANNEL_BOUND_FLAG
|
Subject: [PATCH] Implement GSS_C_CHANNEL_BOUND_FLAG
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 6407bf087fe53088d91efd09df736e979cd4e8db Mon Sep 17 00:00:00 2001
|
From 49e5ab0f11287dd2fd87de02abf14e63e5040c5b Mon Sep 17 00:00:00 2001
|
||||||
From: Isaac Boukris <iboukris@gmail.com>
|
From: Isaac Boukris <iboukris@gmail.com>
|
||||||
Date: Mon, 9 Mar 2020 16:04:21 +0100
|
Date: Mon, 9 Mar 2020 16:04:21 +0100
|
||||||
Subject: [PATCH] Implement KERB_AP_OPTIONS_CBT (server side)
|
Subject: [PATCH] Implement KERB_AP_OPTIONS_CBT (server side)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From c726a72c68244129eb08b840b92144acfa776573 Mon Sep 17 00:00:00 2001
|
From 409a8920e13cd14fec8533c1ff864de92d292178 Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Tue, 9 Jun 2020 16:23:37 -0400
|
Date: Tue, 9 Jun 2020 16:23:37 -0400
|
||||||
Subject: [PATCH] Improve negoex_parse_token() code hygiene
|
Subject: [PATCH] Improve negoex_parse_token() code hygiene
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From c36e826c70cb5b3bff8bd4371d47884cea30b3f4 Mon Sep 17 00:00:00 2001
|
From 911f19b661cb13373ad3de4fb92015beb3647de7 Mon Sep 17 00:00:00 2001
|
||||||
From: Isaac Boukris <iboukris@gmail.com>
|
From: Isaac Boukris <iboukris@gmail.com>
|
||||||
Date: Sat, 6 Jun 2020 11:03:37 +0200
|
Date: Sat, 6 Jun 2020 11:03:37 +0200
|
||||||
Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum
|
Subject: [PATCH] Omit PA_FOR_USER if we can't compute its checksum
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From ee79bd43005245d3e5a2d3ec6d61146945e77717 Mon Sep 17 00:00:00 2001
|
From 20ec2ee13c34bfae03d62662b25f2f7708d1a418 Mon Sep 17 00:00:00 2001
|
||||||
From: Isaac Boukris <iboukris@gmail.com>
|
From: Isaac Boukris <iboukris@gmail.com>
|
||||||
Date: Tue, 28 Apr 2020 18:15:55 +0200
|
Date: Tue, 28 Apr 2020 18:15:55 +0200
|
||||||
Subject: [PATCH] Pass channel bindings through SPNEGO
|
Subject: [PATCH] Pass channel bindings through SPNEGO
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From a34b7c50e62c19f80d39ece6a72017dac781df64 Mon Sep 17 00:00:00 2001
|
From 5037c0fe698ad00a8e8f53fdcfc3d3b1c3537aba Mon Sep 17 00:00:00 2001
|
||||||
From: Alexander Scheel <ascheel@redhat.com>
|
From: Alexander Scheel <ascheel@redhat.com>
|
||||||
Date: Fri, 30 Jun 2017 16:03:01 -0400
|
Date: Fri, 30 Jun 2017 16:03:01 -0400
|
||||||
Subject: [PATCH] Refactor krb5 GSS checksum handling
|
Subject: [PATCH] Refactor krb5 GSS checksum handling
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 85bb5fe5a11708b78e9f0bd3a3b34999b6c888a7 Mon Sep 17 00:00:00 2001
|
From 3eb685873f5390a3af518ac86e99f6863750ada3 Mon Sep 17 00:00:00 2001
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
Date: Thu, 28 May 2020 18:41:02 -0400
|
Date: Thu, 28 May 2020 18:41:02 -0400
|
||||||
Subject: [PATCH] Remove resolver test utility
|
Subject: [PATCH] Remove resolver test utility
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 8e08f01d73ddca1b828788710ec6bb3e0354727a Mon Sep 17 00:00:00 2001
|
From ccc6e0fae1fc000e10e51ffa45cc59674038714a Mon Sep 17 00:00:00 2001
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
Date: Wed, 4 Mar 2020 17:18:51 -0500
|
Date: Wed, 4 Mar 2020 17:18:51 -0500
|
||||||
Subject: [PATCH] Use two queues for concurrent t_otp.py daemons
|
Subject: [PATCH] Use two queues for concurrent t_otp.py daemons
|
||||||
|
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
|||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.18.2
|
Version: 1.18.2
|
||||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||||
Release: 13%{?dist}
|
Release: 14%{?dist}
|
||||||
|
|
||||||
# rharwood has trust path to signing key and verifies on check-in
|
# rharwood has trust path to signing key and verifies on check-in
|
||||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
|
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
|
||||||
@ -57,7 +57,6 @@ Patch17: Pass-gss_localname-through-SPNEGO.patch
|
|||||||
Patch18: Omit-KDC-indicator-check-for-S4U2Self-requests.patch
|
Patch18: Omit-KDC-indicator-check-for-S4U2Self-requests.patch
|
||||||
Patch19: Fix-typo-in-in-in-the-ksu-man-page.patch
|
Patch19: Fix-typo-in-in-in-the-ksu-man-page.patch
|
||||||
Patch21: Replace-gssrpc-tests-with-a-Python-script.patch
|
Patch21: Replace-gssrpc-tests-with-a-Python-script.patch
|
||||||
Patch22: Default-dns_canonicalize_hostname-to-fallback.patch
|
|
||||||
Patch23: Remove-resolver-test-utility.patch
|
Patch23: Remove-resolver-test-utility.patch
|
||||||
Patch24: Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
|
Patch24: Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
|
||||||
Patch25: Improve-negoex_parse_token-code-hygiene.patch
|
Patch25: Improve-negoex_parse_token-code-hygiene.patch
|
||||||
@ -624,6 +623,9 @@ exit 0
|
|||||||
%{_libdir}/libkadm5srv_mit.so.*
|
%{_libdir}/libkadm5srv_mit.so.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 31 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-14
|
||||||
|
- Revert qualify_shortname changes
|
||||||
|
|
||||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.18.2-13
|
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.18.2-13
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user