Created attachment 1153561
Patch to enable use of dns_canonicalize_hostname flag in krb5.conf, disables if set to 0

Description of problem:
Hostnames pointing to CNAMEs for server principals validate against the target of the CNAME instead of the given server principal/hostname.

Version-Release number of selected component (if applicable):
1.10.3-42z1

How reproducible:
Always. Use a binary or script that can complete Kerberos authentication against a URL -- for example, curl -- using krb5-libs. Reproduction using the below method requires a working Kerberos system with a REST URL endpoint that supports authenticating with a Kerberos ticket. Where x.a_real_url.com is a CNAME that points to y.a_real_url.com:

Steps to Reproduce:
1. curl -u : --negotiate -vi -H 'Content-Type:application/json' -X POST -d '{"json": [{"pay": "load"}], "message": ""}' https://x.a_real_url.com
2. Part of the return will contain: Server HTTP/y.a_real_url.com@REALM not found in Kerberos database

Actual results:
Server HTTP/y.a_real_url.com@REALM not found in Kerberos database

Expected results:
Server principal checked is x.a_real_url.com.

This bug has been cross-reported to the CentOS 6 bug tracker as well as krb5 github:
- https://bugs.centos.org/view.php?id=10775
- https://github.com/krb5/krb5/pull/443#event-649100795

A colleague recommended I report it here, too.

Additional info:
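The report above hinges on one decision the client library makes before it ever talks to the KDC: whether the hostname from the URL is canonicalized through DNS before it is turned into the service principal name. The following added example (not part of the bug report or of krb5's own code) models that decision so the two results in the report can be reproduced offline. It parses the `dns_canonicalize_hostname` and `default_realm` settings from a constructed `[libdefaults]` section, follows a constructed CNAME table instead of doing real DNS lookups, and builds the `HTTP/<host>@REALM` principal. The boolean spellings accepted by `krb5_bool` are an assumption taken from the MIT krb5 documentation; real krb5 canonicalizes via `getaddrinfo()` with `AI_CANONNAME` and has more cases than this model. The defender's point the model makes visible: with canonicalization on, which principal the client will accept a ticket for is decided by unauthenticated DNS answers, so turning it off (as the attached patch allows on this version) removes that dependency at the cost of no longer expanding short hostnames.

```python
"""Model of service principal derivation with and without DNS canonicalization.

Added example, not code from the bug report or from krb5. The krb5.conf text
and the DNS data are constructed; nothing here touches the network.
"""
from __future__ import annotations

# Constructed krb5.conf fragments: the default (canonicalize) and the setting
# the attached patch makes effective on this version (0 = off).
KRB5_CONF_CANONICALIZE = """
[libdefaults]
    default_realm = REALM
    dns_canonicalize_hostname = true
"""

KRB5_CONF_NO_CANONICALIZE = """
[libdefaults]
    default_realm = REALM
    dns_canonicalize_hostname = 0
"""

# Constructed DNS data mirroring the report: x.* is a CNAME for y.*.
CNAME_RECORDS = {
    "x.a_real_url.com": "y.a_real_url.com",
}

# Boolean spellings accepted by krb5.conf (assumption from MIT krb5 docs).
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
FALSE_WORDS = {"n", "no", "false", "nil", "f", "0", "off"}


def parse_libdefaults(conf_text: str) -> dict[str, str]:
    """Minimal parser for the [libdefaults] section of a krb5.conf-style file.

    Handles 'key = value' lines and '#' comments; the nested-brace syntax used
    in other sections is not needed for these two keys.
    """
    values: dict[str, str] = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def krb5_bool(value: str, default: bool = True) -> bool:
    """Interpret a krb5.conf boolean; unknown spellings fall back to default."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    return default


def canonicalize(hostname: str, cname_records: dict[str, str]) -> str:
    """Follow CNAME records to the canonical name.

    Loop-guarded so a cyclic or malformed record set terminates instead of
    spinning forever.
    """
    seen: set[str] = set()
    name = hostname.lower().rstrip(".")
    while name in cname_records and name not in seen:
        seen.add(name)
        name = cname_records[name].lower().rstrip(".")
    return name


def service_principal(service: str, hostname: str, conf_text: str,
                      cname_records: dict[str, str]) -> str:
    """Build service/host@REALM as a client would, honouring the config flag."""
    defaults = parse_libdefaults(conf_text)
    realm = defaults.get("default_realm", "")
    flag = krb5_bool(defaults.get("dns_canonicalize_hostname", "true"))
    if flag:
        host = canonicalize(hostname, cname_records)
    else:
        host = hostname.lower().rstrip(".")
    return f"{service}/{host}@{realm}"


if __name__ == "__main__":
    for label, conf in (("canonicalize", KRB5_CONF_CANONICALIZE),
                        ("no canonicalize", KRB5_CONF_NO_CANONICALIZE)):
        spn = service_principal("HTTP", "x.a_real_url.com", conf, CNAME_RECORDS)
        print(f"{label:16s} -> {spn}")
```

Running it prints `HTTP/y.a_real_url.com@REALM` for the default configuration, which is exactly the principal the KDC reports as missing in the curl output above, and `HTTP/x.a_real_url.com@REALM` once the flag is set to 0.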
This is a backported feature present on EL7 and in newer versions of krb5.
Hi, thank you for the detailed bug report and patch. I will try to include a fix in the next release.
Thank you! Do you have an ETA for the next CentOS 6.x release?
(In reply to Mark Shields from comment #3)
> Thank you! Do you have an ETA for the next CentOS 6.x release?

CentOS as I understand it will release at about the same time RHEL releases; I don't believe it's publicly decided when that will be, but you can get a good idea of the timeframe we're talking about from wikipedia: https://en.wikipedia.org/wiki/Red_hat_enterprise_linux#Version_history We are too late to make 6.8, but I'm targeting 6.9. Unfortunately, I'm not strongly involved in the CentOS process itself. If this were a Fedora bug I could fix it instanter, but RHEL is slower-moving than that.
I understand. Do you have an ETA for RHEL 6.9 release?
I do not believe one is public yet, but it will probably follow the chart above.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0643.html