From: Greg Hudson
Date: Thu, 30 Jul 2020 16:14:27 +0000 (-0400)
Subject: Don't create hostbased principals in new KDBs
X-Git-Tag: krb5-1.19-beta1~48
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1099%2Fhead;p=thirdparty%2Fkrb5.git

Don't create hostbased principals in new KDBs

Unix-like platforms do not provide a simple method to find the fully-qualified local hostname as the machine is expected to appear to other hosts. Canonicalizing the gethostname() result with getaddrinfo() usually works, but potentially uses DNS. Now that dns_canonicalize_hostname=true is no longer the default, KDB creation would generally create the wrong host-based principals. kadmin/hostname is unnecessary because the client software can also use kadmin/admin, and kiprop/hostname is one of several principals that must be created for incremental propagation.

ticket: 8935 (new)
---

diff --git a/src/kadmin/dbutil/kadm5_create.c b/src/kadmin/dbutil/kadm5_create.c
index 4f254a387c..42b45aa2da 100644
--- a/src/kadmin/dbutil/kadm5_create.c
+++ b/src/kadmin/dbutil/kadm5_create.c
@@ -139,60 +139,18 @@ int kadm5_create_magic_princs(kadm5_config_params *params,
 static int add_admin_princs(void *handle, krb5_context context, char *realm)
 {
     krb5_error_code ret = 0;
-    char *service_name = 0, *kiprop_name = 0, *canonhost = 0;
-    char localname[MAXHOSTNAMELEN];
-
-    if (gethostname(localname, MAXHOSTNAMELEN)) {
-        ret = errno;
-        perror("gethostname");
-        goto clean_and_exit;
-    }
-    ret = krb5_expand_hostname(context, localname, &canonhost);
-    if (ret) {
-        com_err(progname, ret, _("while canonicalizing local hostname"));
-        goto clean_and_exit;
-    }
-    if (asprintf(&service_name, "kadmin/%s", canonhost) < 0) {
-        ret = ENOMEM;
-        fprintf(stderr, _("Out of memory\n"));
-        goto clean_and_exit;
-    }
-    if (asprintf(&kiprop_name, "kiprop/%s", canonhost) < 0) {
-        ret = ENOMEM;
-        fprintf(stderr, _("Out of memory\n"));
-        goto clean_and_exit;
-    }
-
-    if ((ret = add_admin_princ(handle, context,
-                               service_name, realm,
-                               KRB5_KDB_DISALLOW_TGT_BASED |
-                               KRB5_KDB_LOCKDOWN_KEYS,
-                               ADMIN_LIFETIME)))
-        goto clean_and_exit;
 
     if ((ret = add_admin_princ(handle, context,
                                KADM5_ADMIN_SERVICE, realm,
                                KRB5_KDB_DISALLOW_TGT_BASED |
                                KRB5_KDB_LOCKDOWN_KEYS,
                                ADMIN_LIFETIME)))
-        goto clean_and_exit;
-
-    if ((ret = add_admin_princ(handle, context,
-                               KADM5_CHANGEPW_SERVICE, realm,
-                               KRB5_KDB_DISALLOW_TGT_BASED |
-                               KRB5_KDB_PWCHANGE_SERVICE |
-                               KRB5_KDB_LOCKDOWN_KEYS,
-                               CHANGEPW_LIFETIME)))
-        goto clean_and_exit;
-
-    ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);
-
-clean_and_exit:
-    krb5_free_string(context, canonhost);
-    free(service_name);
-    free(kiprop_name);
+        return ret;
 
-    return ret;
+    return add_admin_princ(handle, context, KADM5_CHANGEPW_SERVICE, realm,
+                           KRB5_KDB_DISALLOW_TGT_BASED |
+                           KRB5_KDB_PWCHANGE_SERVICE | KRB5_KDB_LOCKDOWN_KEYS,
+                           CHANGEPW_LIFETIME);
 }
 
 /*
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index c21d199819..ae1afd4a9c 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
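Review bot: The trimmed add_admin_princs (its signature is the hunk's first context line) has no comment saying which principals it now creates, and with the host-based ones gone a reader of kdb5_util create will want that stated; suggest `/* Create kadmin/admin and kadmin/changepw; both disallow TGT-based auth and have locked-down keys. */` above the function. The `krb5_error_code ret = 0;` initializer is now dead, since ret is only read after the assignment inside the `if`; `krb5_error_code ret;` is enough. Administrators relying on iprop or on the kadmin/hostname fallback must now create those principals themselves, which is the intent, but it should be reflected wherever the set of principals kdb5_util creates is documented; that documentation is not part of this diff.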
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -307,29 +307,6 @@ create_fixed_special(krb5_context context, struct realm_info *rinfo,
 }
 
-/* Create a special principal using one specified component and the
- * canonicalized local hostname. */
-static krb5_error_code
-create_hostbased_special(krb5_context context, struct realm_info *rinfo,
-                         krb5_keyblock *mkey, const char *comp1)
-{
-    krb5_error_code ret;
-    krb5_principal princ = NULL;
-
-    ret = krb5_sname_to_principal(context, NULL, comp1, KRB5_NT_SRV_HST,
-                                  &princ);
-    if (ret)
-        goto cleanup;
-    ret = krb5_set_principal_realm(context, princ, global_params.realm);
-    if (ret)
-        goto cleanup;
-    ret = kdb_ldap_create_principal(context, princ, TGT_KEY, rinfo, mkey);
-
-cleanup:
-    krb5_free_principal(context, princ);
-    return ret;
-}
-
 /* Create all special principals for the realm. */
 static krb5_error_code
 create_special_princs(krb5_context context, krb5_principal master_princ,
@@ -360,20 +337,10 @@ create_special_princs(krb5_context context, krb5_principal master_princ,
     if (ret)
         return ret;
 
-    /* Create kadmin/admin and kadmin/. */
+    /* Create kadmin/admin. */
     rblock.max_life = ADMIN_LIFETIME;
     rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
     ret = create_fixed_special(context, &rblock, mkey, "kadmin", "admin");
-    if (ret)
-        return ret;
-    ret = create_hostbased_special(context, &rblock, mkey, "kadmin");
-    if (ret)
-        return ret;
-
-    /* Create kiprop/. */
-    rblock.max_life = global_params.max_life;
-    rblock.flags = 0;
-    ret = create_hostbased_special(context, &rblock, mkey, "kiprop");
     if (ret)
         return ret;
 
diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp
index 36a345258b..fa50a61fb8 100644
--- a/src/tests/dejagnu/krb-standalone/kadmin.exp
+++ b/src/tests/dejagnu/krb-standalone/kadmin.exp
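Review bot: The removed kiprop block in the second hunk (-360,20) was also where rblock.max_life was reset to global_params.max_life and rblock.flags to 0 after the kadmin/admin settings (ADMIN_LIFETIME, KRB5_KDB_DISALLOW_TGT_BASED); whatever principal create_special_princs creates next, in the part of its body that continues past the hunk, must reset both fields before its create_fixed_special call or it inherits the admin lifetime and the DISALLOW_TGT_BASED flag. If it already does, a short comment on the kadmin/admin block noting that rblock is reused and each following block sets its own max_life and flags would make that dependency visible. The first hunk is a pure deletion of create_hostbased_special and needs nothing further.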
@@ -1098,10 +1098,11 @@ proc kadmin_test { } {
         return
     }
 
-    # test fallback to kadmin/admin
-    if {![kadmin_delete_locked_down kadmin/$hostname] \
+    # test fallback to kadmin/hostname
+    if {![kadmin_add_rnd kadmin/$hostname] \
+        || ![kadmin_delete_locked_down kadmin/admin] \
         || ![kadmin_list] \
-        || ![kadmin_add_rnd kadmin/$hostname -allow_tgs_req] \
+        || ![kadmin_add_rnd kadmin/admin -allow_tgs_req] \
         || ![kadmin_list]} {
         return
     }
diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py
index 371f3a22b6..3bb0fd2e95 100755
--- a/src/tests/t_iprop.py
+++ b/src/tests/t_iprop.py
@@ -188,6 +188,7 @@ for realm in multidb_realms(kdc_conf=conf, create_user=False,
 
     # Create the principal used to authenticate kpropd to kadmind.
     kiprop_princ = 'kiprop/' + hostname
+    realm.addprinc(kiprop_princ)
     realm.extract_keytab(kiprop_princ, realm.keytab)
 
     # Create the initial replica databases.
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index 16faf0a9d1..31a7fb871e 100755
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -331,6 +331,7 @@ realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', '-e', 'aes256-cts',
 # Test authentication to kadmin/hostname.
 mark('authentication to kadmin/hostname')
 kadmin_hostname = 'kadmin/' + hostname
+realm.addprinc(kadmin_hostname)
 realm.run([kadminl, 'delprinc', 'kadmin/admin'])
 msgs = ('Getting initial credentials for user/admin@KRBTEST.COM',
         'Setting initial creds service to kadmin/admin',
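Review bot: The reordered fallback test now recreates kadmin/admin with only `-allow_tgs_req`, which is weaker than what kdb5_util create gives it (the C side in this same commit sets KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_LOCKDOWN_KEYS), and the kadmin/$hostname principal added by `kadmin_add_rnd` is never removed. Every later check in kadmin_test, whose body continues past the hunk, now authenticates against this altered kadmin/admin; if any of them depend on its lockdown attributes, recreate it with the original flags or restore them at the end of this block, and delete kadmin/$hostname so the database matches what kdb5_util create produces. The updated comment matches the new order of operations.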