Greetings, * Heikki Linnakangas (hlinn...@iki.fi) wrote: > On 21/02/2023 01:35, Stephen Frost wrote: > > The name canonicalization support for Kerberos is doing us more harm > > than good in the regression tests, so I propose we disable it. Patch > > attached. > > > > Thoughts? > > Makes sense. A brief comment in 001_auth.pl itself to mention why we disable > rdns would be nice.
Thanks for reviewing! Comments added and updated the commit message. Unless there's anything else, I'll push this early next week. Thanks again! Stephen
From e0df250f30cdde1ee6d57ff24efbca3ecd923801 Mon Sep 17 00:00:00 2001 From: Stephen Frost <sfr...@snowman.net> Date: Mon, 20 Feb 2023 17:53:48 -0500 Subject: [PATCH] For Kerberos testing, disable reverse DNS lookup In our Kerberos test suite, there isn't much need to worry about the normal canonicalization that Kerberos provides by looking up the reverse DNS for the IP address connected to, and in some cases it can actively cause problems (eg: capture portal wifi where the normally not resolvable localhost address used ends up being resolved anyway, and never to the domain we are using for testing, causing the entire regression test to fail with errors about not being able to get a TGT for the remote realm for cross-realm trust). Therefore, disable it by adding rdns = false into the krb5.conf that's generated for the test. Reviewed-By: Heikki Linnakangas Discussion: https://postgr.es/m/Y/qd2zdkdyqa1...@tamriel.snowman.net --- src/test/kerberos/t/001_auth.pl | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl index d610ce63ab..16b3e8ed23 100644 --- a/src/test/kerberos/t/001_auth.pl +++ b/src/test/kerberos/t/001_auth.pl @@ -100,6 +100,17 @@ $stdout =~ m/Kerberos 5 release ([0-9]+\.[0-9]+)/ or BAIL_OUT("could not get Kerberos version"); $krb5_version = $1; +# Build the krb5.conf to use. +# +# Explicitly specify the default (test) realm and the KDC for +# that realm to avoid the Kerberos library trying to look up +# that information in DNS, and also because we're using a +# non-standard KDC port. +# +# Reverse DNS is explicitly disabled to avoid any issue with +# capture portals or other cases where the reverse DNS succeeds +# and the Kerberos library uses that as the canonical name of +# the host and tries to do a cross-realm lookup. append_to_file( $krb5_conf, qq![logging] @@ -108,6 +119,7 @@ kdc = FILE:$kdc_log [libdefaults] default_realm = $realm +rdns = false [realms] $realm = { -- 2.34.1
signature.asc
Description: PGP signature
