Greetings,

The name canonicalization support for Kerberos is doing us more harm
than good in the regression tests, so I propose we disable it.  Patch
attached.

Thoughts?

Thanks,

Stephen

From 992d946d17c79d240ac6587998e2f94b12a726de Mon Sep 17 00:00:00 2001
From: Stephen Frost <sfr...@snowman.net>
Date: Mon, 20 Feb 2023 17:53:48 -0500
Subject: [PATCH] For Kerberos testing, disable reverse DNS lookup

In our Kerberos test suite, there isn't much need to worry about the
normal canonicalization that Kerberos provides by looking up the reverse
DNS for the IP address connected to, and in some cases it can actively
cause problems (e.g.: captive portal wifi where the normally not
resolvable localhost address used ends up being resolved anyway, and
never to the domain we are using for testing, causing the entire
regression test to fail with errors about not being able to get a TGT
for the remote realm for cross-realm trust).

Therefore, disable it by adding rdns = false into the krb5.conf that's
generated for the test.
---
 src/test/kerberos/t/001_auth.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index d610ce63ab..b04c9dff56 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -108,6 +108,7 @@ kdc = FILE:$kdc_log
 
 [libdefaults]
 default_realm = $realm
+rdns = false
 
 [realms]
 $realm = {
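Review bot: The new "rdns = false" line under [libdefaults] carries no comment, so anyone reading 001_auth.pl or the generated krb5.conf later has to find this commit message to learn why the setting is there. Consider a short "#" comment line above it in the generated file, or a Perl comment just before the config is written, saying that reverse DNS lookup is turned off so that a resolver that unexpectedly answers for the test address cannot change the service principal's host or realm. Also note that the cover mail speaks of disabling name canonicalization, while this setting only turns off the reverse lookup; if forward canonicalization is meant to stay on, saying so in the commit message would avoid confusion.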
-- 
2.34.1
