Hello.

We discovered that when using nsupdate with GSSAPI, the realm detection does not produce meaningful results in a cross-realm setup. nsupdate uses get_ticket_realm() to figure out the realm, but the function fails to detect the correct realm in cross-realm setups. One has to specify the realm explicitly, which is not desired. We have a bug [1] in RH Bugzilla with more information and with some investigation.

Based on RFC4752 section 3.1 [2], the client side should use GSS_C_NT_HOSTBASED_SERVICE when calling gss_import_name() and use "service@host" as service name. This means that the realm detection should be left to the GSSAPI, which can detect the realm correctly based on the krb5.conf configuration. This also makes the "realm" option useless.

I'm attaching a proposed patch that changes the way the service name is constructed and the way gss_import_name() is called, to conform with RFC4752. The patch also removes the "realm" option, since it would not be used anywhere.

I tested the fix in a cross-realm setup and the detection worked correctly.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1214827
[2] https://www.ietf.org/rfc/rfc4752.txt

Thank you!

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
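
Added example, not part of the original message or of the attached patch: a simplified Python model of why a target principal built from the client's ticket realm is wrong in a cross-realm setup, while a "service@host" name resolved through a krb5.conf [domain_realm] mapping picks the server's realm. The host names, realms, krb5.conf fragment and the "DNS" service name are assumptions made for illustration, and the lookup is a simplified model rather than the Kerberos library's own code.

```python
# Simplified model, not BIND or Kerberos library code. Host names, realms and
# the krb5.conf fragment are constructed; the "DNS" service name is assumed.
KRB5_CONF = """\
[libdefaults]
    default_realm = CLIENT.EXAMPLE
[domain_realm]
    .client.example = CLIENT.EXAMPLE
    .dns.example = DNS.EXAMPLE
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a {name: realm} dict."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Try the full host name, then ".parent" and "parent" for each parent."""
    name = host.lower().rstrip(".")
    while name:
        if name in mapping:
            return mapping[name]
        if name.startswith("."):
            name = name[1:]      # ".dns.example" -> "dns.example"
        else:
            dot = name.find(".")
            name = name[dot:] if dot != -1 else ""  # drop the first label
    return None

def principal_from_ticket_realm(host, ticket_realm):
    """Explicit principal built with the realm of the client's own ticket."""
    return f"DNS/{host}@{ticket_realm}"

def principal_from_hostbased(hostbased, mapping):
    """Resolve a "service@host" name; the realm comes from the host mapping."""
    service, host = hostbased.split("@", 1)
    realm = realm_for_host(host, mapping)
    return f"{service}/{host}@{realm}" if realm else None

if __name__ == "__main__":
    m = parse_domain_realm(KRB5_CONF)
    print(principal_from_ticket_realm("ns1.dns.example", "CLIENT.EXAMPLE"))
    print(principal_from_hostbased("DNS@ns1.dns.example", m))
```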