Bug 60090 - krb5 doesn't perform SRV server lookups
Product: Red Hat Linux
Classification: Retired
Component: krb5
All Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
Brian Brock
Reported: 2002-02-19 16:41 EST by Need Real Name
Modified: 2007-04-18 12:40 EDT
Fixed In Version: 1.3.1-7
Doc Type: Bug Fix
Last Closed: 2004-01-08 18:11:17 EST

Description Need Real Name 2002-02-19 16:41:55 EST
Description of problem:
When I tried doing a kinit on a principal in a realm (which has the proper SRV 
records set up) that was not configured in my /etc/krb5.conf (dns_lookup_realm 
= false, dns_lookup_kdc = true), it failed to find the KDC.

Version-Release number of selected component (if applicable): 1.2.2-12

How reproducible:

Steps to Reproduce:
1. kinit foo@NOT.IN.KRB5.CONF

Actual Results:
$ kinit foo@NOT.IN.KRB5.CONF
kinit(v5): Cannot find KDC for requested realm while getting initial credentials

Expected Results:
$ kinit foo@NOT.IN.KRB5.CONF
Password for foo@NOT.IN.KRB5.CONF:

Additional info:

The culprit is a strange interaction when specifying the --netlib=-lresolv to 
the configure process. It seems to leave undefined KRB5_DNS_LOOKUP, 
KRB5_DNS_LOOKUP_KDC, and KRB5_DNS_LOOKUP_REALM. In fact, the libkrb5.so.3.0 
doesn't have any symbols for doing the DNS lookups (_krb5_use_dns_kdc, 
_krb5_use_dns_real, krb5_locate_srv_dns).

The following patch seems to work for me:
--- krb5.spec.orig	Tue Feb 19 13:19:06 2002
+++ krb5.spec	Tue Feb 19 13:19:17 2002
@@ -468,7 +468,6 @@
 	--localstatedir=%{_var}/kerberos \
 	--with-krb4 \
 	--enable-dns --enable-dns-for-kdc --enable-dns-for-realm \
-	--with-netlib=-lresolv \
 	--with-tcl=%{_prefix} \
 make LDCOMBINE='%{__cc} -shared -Wl,-soname=lib$(LIB)$(SHLIBSEXT) $(CFLAGS)'
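
Review bot: with `--with-netlib=-lresolv` dropped from the configure arguments, the `--enable-dns --enable-dns-for-kdc --enable-dns-for-realm` options on the line above it depend on configure's own detection of the resolver library, and the hunk adds nothing that confirms the result. Consider adding a post-build step in the spec that fails the build when the built libkrb5 lacks the DNS lookup symbols, plus a comment at this configure call recording why the flag was removed so that it is not reintroduced later.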

The --netlib isn't strictly needed as it will automatically look for the 
resolver functions in -lresolv if they are not found in libc.
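
The lookup decision the reporter expected from kinit, sketched as an added example (not code from this bug report or from krb5). The sample krb5.conf and the function names are constructed, the SRV owner names follow RFC 4120 rather than anything stated in the report, and a missing dns_lookup_kdc is assumed to default to enabled.

```python
import re

# Constructed sample mirroring the report: DNS KDC lookup on, realm lookup off.
SAMPLE_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
[realms]
 EXAMPLE.COM = {
  kdc = kdc1.example.com:88
  kdc = kdc2.example.com:88
 }
"""
TRUE_WORDS = {"true", "t", "yes", "y", "on", "1"}

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value or {key: [values]}}}."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            sub = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":        # opens a per-realm block
                sub = section.setdefault(key, {})
            elif sub is not None:   # relations such as kdc may repeat
                sub.setdefault(key, []).append(value)
            else:
                section[key] = value
    return conf

def kdc_lookup_plan(text, realm, default_dns_kdc=True):
    """Return (source, targets) describing where the KDC list should come from."""
    conf = parse_krb5_conf(text)
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:
        return ("krb5.conf", kdcs)
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc")
    use_dns = default_dns_kdc if flag is None else flag.lower() in TRUE_WORDS
    if use_dns:  # SRV owner names per RFC 4120 (not stated in the report)
        return ("dns-srv", [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"])
    return ("none", [])
```

When this reports "dns-srv" for a realm and kinit still fails with "Cannot find KDC for requested realm", the configuration is not at fault and the library build is the next thing to inspect, as in this report.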
Comment 1 Jack Neely 2004-01-08 17:45:41 EST

Just got SRV records at NCSU and this bug is still present in Fedora
Core 1.  I have verified that the fix above does in fact work and is
the proper bug.  Would like to go this way rather than be forced to
"randomize" my krb5.conf.  *sigh*
Comment 2 Nalin Dahyabhai 2004-01-08 18:11:17 EST
Jack, a fix for configure which gets --netlib and --enable-dns to play
together nicely should be in the current fc2 package (see mail to
krb5-bugs in November, the specific change is krb5-1.3.1-dns.patch).

The current plan is to add it to any future errata or updates for krb5
for older releases.  I guess I should mark this as resolved in
rawhide, then.
