From 39450823e4cebe05f7b92d98fab209c08264cbfd Mon Sep 17 00:00:00 2001
From: Yann Soubeyrand
Date: Thu, 29 Jun 2023 17:04:51 +0200
Subject: [PATCH] feat(config)!: handle dns_canonicalize_hostname=fallback setting
---
 config/krb5conf.go | 23 ++++++++++++++++++-----
 config/krb5conf_test.go | 8 ++++----
 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/config/krb5conf.go b/config/krb5conf.go
index bcfae8e1..563a380e 100644
--- a/config/krb5conf.go
+++ b/config/krb5conf.go
@@ -57,7 +57,7 @@ type LibDefaults struct {
 DefaultTktEnctypes []string //default aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
 DefaultTGSEnctypeIDs []int32 //default aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
 DefaultTktEnctypeIDs []int32 //default aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
- DNSCanonicalizeHostname bool //default true
+ DNSCanonicalizeHostname int //default true
 DNSLookupKDC bool //default false
 DNSLookupRealm bool
 ExtraAddresses []net.IP //Not implementing yet
@@ -83,6 +83,12 @@ type LibDefaults struct {
 VerifyAPReqNofail bool //default false
 }
 
+const (
+ DNSCanonicalizeHostnameFalse = iota
+ DNSCanonicalizeHostnameTrue = iota
+ DNSCanonicalizeHostnameFallback = iota
+)
+
 // Create a new LibDefaults struct.
 func newLibDefaults() LibDefaults {
 uid := "0"
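Review bot: The comment on the changed field, `//default true`, still reads as a boolean now that `DNSCanonicalizeHostname` is an int whose default is `DNSCanonicalizeHostnameTrue` (set in newLibDefaults further down this file), and nothing at the field says which values are legal. Suggest `DNSCanonicalizeHostname int //default DNSCanonicalizeHostnameTrue; one of DNSCanonicalizeHostnameFalse, DNSCanonicalizeHostnameTrue, DNSCanonicalizeHostnameFallback`. The type change also alters the field's JSON form from `true` to `1`, as the updated expected output in krb5conf_test.go shows, so anything that consumes a serialized LibDefaults has to follow; the `!` in the subject flags the break, but the field comment is where a reader will look for it. The struct definition starts and ends outside the hunk.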
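Review bot: The three exported constants in the new `const` block carry no doc comments, so `go doc` and a reader of the struct get no explanation of what each value selects, and `= iota` is repeated on every line where Go's implicit repetition is idiomatic. Suggest a comment above the block, `// Values accepted for LibDefaults.DNSCanonicalizeHostname, mirroring the krb5.conf dns_canonicalize_hostname setting: false, true or fallback.`, with `= iota` kept only on `DNSCanonicalizeHostnameFalse`. Because the constants are untyped ints, any int variable can be assigned to the field without complaint; a named type for the constants and the field would make such mixing a compile error, though that is a larger change than this commit sets out to make.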
@@ -102,7 +108,7 @@ func newLibDefaults() LibDefaults {
 DefaultKeytabName: "/etc/krb5.keytab",
 DefaultTGSEnctypes: []string{"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac-md5", "camellia256-cts-cmac", "camellia128-cts-cmac", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"},
 DefaultTktEnctypes: []string{"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac-md5", "camellia256-cts-cmac", "camellia128-cts-cmac", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"},
- DNSCanonicalizeHostname: true,
+ DNSCanonicalizeHostname: DNSCanonicalizeHostnameTrue,
 K5LoginDirectory: hdir,
 KDCDefaultOptions: opts,
 KDCTimeSync: 1,
@@ -176,10 +182,17 @@ func (l *LibDefaults) parseLines(lines []string) error {
 l.DefaultTktEnctypes = strings.Fields(p[1])
 case "dns_canonicalize_hostname":
 v, err := parseBoolean(p[1])
- if err != nil {
- return InvalidErrorf("libdefaults section line (%s): %v", line, err)
+ if err == nil {
+ if v {
+ l.DNSCanonicalizeHostname = DNSCanonicalizeHostnameTrue
+ } else {
+ l.DNSCanonicalizeHostname = DNSCanonicalizeHostnameFalse
+ }
+ } else if strings.TrimSpace(p[1]) == "fallback" {
+ l.DNSCanonicalizeHostname = DNSCanonicalizeHostnameFallback
+ } else {
+ return InvalidErrorf("libdefaults section line (%s)", line)
 }
- l.DNSCanonicalizeHostname = v
 case "dns_lookup_kdc":
 v, err := parseBoolean(p[1])
 if err != nil {
diff --git a/config/krb5conf_test.go b/config/krb5conf_test.go
index 306ec8f9..ac214860 100644
--- a/config/krb5conf_test.go
+++ b/config/krb5conf_test.go
@@ -60,7 +60,7 @@ const (
 .test.gokrb5 = TEST.GOKRB5 #comment to be ignored test.gokrb5 = TEST.GOKRB5 ;comment to be ignored - + .example.com = EXAMPLE.COM # comment to be ignored hostname1.example.com = EXAMPLE.COM ; comment to be ignored hostname2.example.com = TEST.GOKRB5 
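Review bot: The `fallback` check on the new `else if` line is an exact, case-sensitive comparison, while `parseBoolean(p[1])` two lines above presumably accepts its values more loosely (its body is outside the hunk); if it does, `Fallback` is rejected where `True` is accepted, and `} else if strings.EqualFold(strings.TrimSpace(p[1]), "fallback") {` keeps the two spellings consistent. The final `else` also drops the `%v` detail the removed line carried, which is reasonable now that a non-boolean value is legal, but the message no longer says what is accepted; `return InvalidErrorf("libdefaults section line (%s): expected true, false or fallback", line)` would. No test in this commit exercises the new branch — the krb5conf_test.go changes only update the expected JSON for the default — so a config line `dns_canonicalize_hostname = fallback` asserting `DNSCanonicalizeHostnameFallback` would pin it. parseLines starts and continues outside the hunk.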
@@ -111,7 +111,7 @@ const (
 18,
 17
 ],
- "DNSCanonicalizeHostname": true,
+ "DNSCanonicalizeHostname": 1,
 "DNSLookupKDC": false,
 "DNSLookupRealm": false,
 "ExtraAddresses": null,
@@ -354,7 +354,7 @@ const (
 .test.gokrb5 = TEST.GOKRB5 test.gokrb5 = TEST.GOKRB5 - + .example.com = EXAMPLE.COM hostname1.example.com = EXAMPLE.COM hostname2.example.com = TEST.GOKRB5
@@ -423,7 +423,7 @@ const (
 .test.gokrb5 = TEST.GOKRB5 test.gokrb5 = TEST.GOKRB5 - + .example.com = EXAMPLE.COM hostname1.example.com = EXAMPLE.COM hostname2.example.com = TEST.GOKRB5