Description of problem: When I tried doing a kinit on a principal in a realm (which has the proper SRV records set up) that was not configured in my /etc/krb5.conf (dns_lookup_realm = false, dns_lookup_kdc = true), it failed to find the KDC. Version-Release number of selected component (if applicable): 1.2.2-12 How reproducible: Always Steps to Reproduce: 1. kinit foo.KRB5.CONF Actual Results: $ kinit foo.KRB5.CONF kinit(v5): Cannot find KDC for requested realm while getting initial credentials $ Expected Results: $ kinit foo.KRB5.CONF Password for foo.KRB5.CONF: $ Additional info: The cuplrit is a strange interaction when specifying the --netlib=-lresolv to the configure process. It seems to leave undefined KRB5_DNS_LOOKUP, KRB5_DNS_LOOKUP_KDC, and KRB5_DNS_LOOKUP_REALM. In fact, the libkrb5.so.3.0 doesn't have any symbols for doing the DNS lookups (_krb5_use_dns_kdc, _krb5_use_dns_real, krb5_locate_srv_dns). The following patch seems to work for me: --- krb5.spec.orig Tue Feb 19 13:19:06 2002 +++ krb5.spec Tue Feb 19 13:19:17 2002 @@ -468,7 +468,6 @@ --localstatedir=%{_var}/kerberos \ --with-krb4 \ --enable-dns --enable-dns-for-kdc --enable-dns-for-realm \ - --with-netlib=-lresolv \ --with-tcl=%{_prefix} \ %{_target_platform} make LDCOMBINE='%{__cc} -shared -Wl,-soname=lib$(LIB)$(SHLIBSEXT) $(CFLAGS)' The --netlib isn't strictly needed as it will automatically look for the resolver functions in -lresolv if they are not found in libc.
Nalin, Just got SRV records at NCSU and this bug is still present in Fedora Core 1. I have verified that the fix above does infact work and is the proper bug. Would like to go this way rather than be forced to "randomize" my krb5.conf. *sigh*
Jack, a fix for configure which gets --netlib and --enable-dns to play together nicely should be in the current fc2 package (see mail to krb5-bugs in November, the specific change is krb5-1.3.1-dns.patch). The current plan is to add it to any future errata or updates for krb5 for older releases. I guess I should mark this as resolved in rawhide, then.