Bug 1332696

Summary: krb5-libs canonicalizes hostnames for server principals breaking CNAME usage
Product: Red Hat Enterprise Linux 6
Reporter: Mark Shields <laebshade>
Component: krb5
Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA
QA Contact: Dalibor Pospíšil <dapospis>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.7
CC: dpal, jplans, nalin, pkis
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: krb5-1.10.3-60.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-21 10:03:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
- Patch to enable use of dns_canonicalize_hostname flag in krb5.conf, disables if set to 0 (Flags: none)

Description Mark Shields 2016-05-03 19:46:48 UTC
Created attachment 1153561 [details]
Patch to enable use of dns_canonicalize_hostname flag in krb5.conf, disables if set to 0

Description of problem:

Hostnames pointing to CNAMEs for server principals are validated against the target of the CNAME instead of the given server principal/hostname.

Version-Release number of selected component (if applicable):

1.10.3-42z1

How reproducible:

Always.

Use a binary or script that can complete Kerberos authentication against a URL -- for example, curl -- using krb5-libs.

Reproduction using the below method requires a working Kerberos system with a REST URL endpoint that supports authenticating with a Kerberos ticket.

Where x.a_real_url.com is a CNAME that points to y.a_real_url.com:

Steps to Reproduce:
1. curl -u : --negotiate -vi -H 'Content-Type:application/json' -X POST -d '{"json": [{"pay": "load"}], "message": ""}' https://x.a_real_url.com
2. Part of the return will contain: Server HTTP/y.a_real_url.com@REALM not found in Kerberos database

Actual results:

Server HTTP/y.a_real_url.com@REALM not found in Kerberos database

Expected results:

Server principal checked is x.a_real_url.com.

This bug has been cross-reported to the CentOS 6 bug tracker as well as krb5 github:

- https://bugs.centos.org/view.php?id=10775
- https://github.com/krb5/krb5/pull/443#event-649100795

A colleague recommended I report it here, too.
Additional info:

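To illustrate the behaviour the report describes, here is an added example (not code from the reporter, from krb5, or from the attached patch) that models the two cases: building the service principal with DNS canonicalization on versus off, and reading dns_canonicalize_hostname from a krb5.conf [libdefaults] section. The DNS records, the realm EXAMPLE.COM and the function names are constructed assumptions.

```python
import re

REALM = "EXAMPLE.COM"  # assumed realm; the report only writes REALM

# Constructed DNS data mirroring the report: x is a CNAME for y. The loop
# entries exercise the chain-length guard.
DNS = {
    "x.a_real_url.com.": ("CNAME", "y.a_real_url.com."),
    "y.a_real_url.com.": ("A", "192.0.2.10"),
    "loop1.example.": ("CNAME", "loop2.example."),
    "loop2.example.": ("CNAME", "loop1.example."),
}


def canonical_name(host, dns=DNS, max_hops=8):
    """Follow CNAME records to the final name, as resolver-based
    canonicalization does. Raises ValueError on a loop or overlong chain."""
    name = host.rstrip(".").lower() + "."
    for _ in range(max_hops):
        rtype, target = dns.get(name, (None, None))
        if rtype != "CNAME":
            return name.rstrip(".")
        name = target.lower()
    raise ValueError(f"CNAME chain for {host} exceeds {max_hops} hops")


def service_principal(service, host, canonicalize, realm=REALM):
    """Build service/host@REALM. With canonicalize=True the host the user
    typed is swapped for the CNAME target, which is what the report saw:
    HTTP/y.a_real_url.com@REALM requested instead of HTTP/x.a_real_url.com@REALM.
    Whoever answers the DNS query then decides which principal is asked for."""
    target = canonical_name(host) if canonicalize else host.rstrip(".").lower()
    return f"{service}/{target}@{realm}"


def dns_canonicalize_setting(krb5_conf_text):
    """Return the dns_canonicalize_hostname value from [libdefaults].
    krb5 treats it as true when unset; truthy spellings follow the krb5
    profile boolean parser (y, yes, true, t, 1, on)."""
    truthy = {"y", "yes", "true", "t", "1", "on"}
    in_libdefaults = False
    for raw in krb5_conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line.startswith("["):
            in_libdefaults = line == "[libdefaults]"
            continue
        m = re.match(r"dns_canonicalize_hostname\s*=\s*(\S+)", line)
        if in_libdefaults and m:
            return m.group(1).lower() in truthy
    return True
```

Feeding the reporter's curl target through service_principal with the setting read from a config that contains "dns_canonicalize_hostname = 0" yields HTTP/x.a_real_url.com@EXAMPLE.COM, the principal the report expects.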
Comment 1 Mark Shields 2016-05-03 19:52:22 UTC
This is a backported feature present on EL7 and in newer versions of krb5.

Comment 2 Robbie Harwood 2016-05-03 22:20:25 UTC
Hi, thank you for the detailed bug report and patch.  I will try to include a fix in the next release.

Comment 3 Mark Shields 2016-05-04 02:48:41 UTC
Thank you!  Do you have an ETA for the next CentOS 6.x release?

Comment 4 Robbie Harwood 2016-05-04 05:48:51 UTC
(In reply to Mark Shields from comment #3)
> Thank you!  Do you have an ETA for the next CentOS 6.x release?

CentOS as I understand it will release at about the same time RHEL releases; I don't believe it's publicly decided when that will be, but you can get a good idea of the timeframe we're talking about from Wikipedia: https://en.wikipedia.org/wiki/Red_hat_enterprise_linux#Version_history . We are too late to make 6.8, but I'm targeting 6.9.

Unfortunately, I'm not strongly involved in the CentOS process itself.  If this were a Fedora bug I could fix it instanter, but RHEL is slower-moving than that.

Comment 5 Mark Shields 2016-05-04 16:08:57 UTC
I understand.  Do you have an ETA for RHEL 6.9 release?

Comment 6 Robbie Harwood 2016-05-10 19:13:44 UTC
I do not believe one is public yet, but it will probably follow the chart above.

Comment 13 errata-xmlrpc 2017-03-21 10:03:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0643.html