Why are `rdns` and `dns_canonicalize_hostname` invalid krb5.conf libdefaults parameters?

averyfreeman (Contributor)
Hi,

I have a working idmap_ad AD setup that uses my domain's rfc2307 parameters from Windows Server LTSC 2019. I'm happy with it so far with default settings, as I noticed that most of the parameters I had initially wanted to add are already enabled in /etc/krb5.conf. There were a few additional parameters I wanted to list under libdefaults, specifically:

Code:
default_realm = WEBTOOL.SPACE
proxiable = true
dns_canonicalize_hostname = true
rdns = true

I thought this was a syntax error at first, so I tried some different ways of entering the parameters, such as JSON-style, like this:

Code:
{
"default_realm": "WEBTOOL.SPACE",
"proxiable": "true",
"dns_canonicalize_hostname": "true",
"rdns": "true"
}

Here's the exact error I received:

Code:
Error: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 176, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1293, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/lib/python3/dist-packages/middlewared/service.py", line 574, in update
    rv = await self.middleware._call(
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1293, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1140, in nf
    res = await f(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1272, in nf
    return await func(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/kerberos.py", line 143, in do_update
    verrors.check()
  File "/usr/lib/python3/dist-packages/middlewared/service_exception.py", line 62, in check
    raise self
middlewared.service_exception.ValidationErrors:
[EINVAL] kerberos_settings_update.kerberos_libdefaults: dns_canonicalize_hostname  is an invalid libdefaults parameter.
[EINVAL] kerberos_settings_update.kerberos_libdefaults: rdns  is an invalid libdefaults parameter.


After I read the error more carefully, I realized only two of the parameters I wanted to add are being flagged as invalid, so I took them out, and the remaining two I left were accepted. Not a syntax error at all.

So my question now is, why are the libdefaults parameters rdns = $BOOL and dns_canonicalize_hostname = $BOOL not accepted for krb5.conf? AFAICT these are acceptable parameters to invoke, according to the documentation you reference, krb5.conf(5): https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

Much obliged

Samuel Tai (Moderator)

averyfreeman (Contributor)
Thank you to the mod who moved my question; apparently I cannot forum.

@Samuel Tai, @anodos, do you have any insight on this? Looking at the code for kerberos.py, those 2 options are deliberately omitted.


My first [purely speculative] guess would be an effort to prevent [even more] support tickets from people with misconfigured .in-addr.arpa. They are likely not very important, and could be more trouble than they're worth (from an aggregate ticket management viewpoint).

I'm not having a bad time without them so I'm not upset or anything, mostly curious TBH. Of course, now you've got weirdos like me asking what's up even when all my stuff still works, so ... you're screwed coming and going ...
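The two rejected flags both govern how a Kerberos client turns the hostname it was given into the `host/<name>@REALM` service principal it asks the KDC for, which is why the first post's question and the later guess about misconfigured .in-addr.arpa zones are really the same issue. The model below, added here as an illustration (it is not TrueNAS middleware code and not MIT krb5 code), follows the krb5.conf(5) description of the flags: `dns_canonicalize_hostname` swaps the typed name for the forward lookup's canonical name, and `rdns` then swaps that for the PTR record of the resolved address. The DNS tables, the `FORWARD`/`REVERSE` names and the poisoned PTR for 10.0.0.5 are constructed for the example; the fallback of using a name as-is when it is absent from the forward table is an assumption of this model.

```python
"""Model of how an MIT krb5 client derives a host-based service principal
under the krb5.conf libdefaults flags dns_canonicalize_hostname and rdns.

Added illustration for this thread: neither TrueNAS middleware code nor
MIT krb5 code, with DNS tables constructed for the example.
"""

DEFAULT_REALM = "WEBTOOL.SPACE"

# Constructed forward lookups: name -> (canonical name, address), standing in
# for getaddrinfo() with AI_CANONNAME. The short name "nas" resolves through a
# search domain to its FQDN.
FORWARD = {
    "nas": ("nas.webtool.space", "10.0.0.5"),
    "nas.webtool.space": ("nas.webtool.space", "10.0.0.5"),
    "dc1.webtool.space": ("dc1.webtool.space", "10.0.0.10"),
}

# Constructed reverse lookups: address -> PTR target, standing in for
# getnameinfo(). The PTR for 10.0.0.5 is deliberately wrong, the way a
# poisoned or misconfigured in-addr.arpa zone would be.
REVERSE = {
    "10.0.0.5": "evil.attacker.example",
    "10.0.0.10": "dc1.webtool.space",
}


def canonical_hostname(hostname, *, dns_canonicalize_hostname=True, rdns=True,
                       forward=FORWARD, reverse=REVERSE):
    """Return the hostname that goes into host/<hostname>@REALM.

    Mirrors the documented krb5.conf semantics (both flags default to true):
      * dns_canonicalize_hostname=false: use the name as typed, lower-cased,
        with any trailing dot removed; DNS is not consulted at all.
      * dns_canonicalize_hostname=true:  replace it with the forward lookup's
        canonical name.
      * rdns=true (only reached with the flag above): additionally replace it
        with the PTR record of the resolved address.
    A name missing from the forward table is used as-is (an assumption of
    this model, not a claim about the library).
    """
    name = hostname.rstrip(".").lower()
    if not dns_canonicalize_hostname:
        return name
    hit = forward.get(name)
    if hit is None:
        return name
    canon, addr = hit
    if rdns:
        # Whoever controls the reverse zone now controls the principal name.
        canon = reverse.get(addr, canon)
    return canon.lower()


def service_principal(hostname, realm=DEFAULT_REALM, **flags):
    """Build the host-based service principal a client would request."""
    return f"host/{canonical_hostname(hostname, **flags)}@{realm}"


if __name__ == "__main__":
    for flags in ({}, {"rdns": False}, {"dns_canonicalize_hostname": False}):
        label = ", ".join(f"{k}={v}" for k, v in flags.items()) or "defaults"
        print(f"{label:35} {service_principal('nas', **flags)}")
```

With both flags at their defaults, the poisoned PTR makes the client request a ticket for `host/evil.attacker.example@WEBTOOL.SPACE` instead of the NAS; with `rdns = false` the forward canonical name `nas.webtool.space` is kept, and with `dns_canonicalize_hostname = false` the name is used exactly as typed, which is the trade-off the krb5.conf(5) page describes (more resistant to DNS spoofing, but users have to type fully qualified names that match the keytab). A broken in-addr.arpa zone shows up the same way as the poisoned one: the wrong principal in the TGS request, and a failure that looks like a Kerberos problem rather than a DNS one.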

anodos (Sambassador, iXsystems)

Samuel Tai (Moderator)
Yes, but this is on Scale. Does Scale also use Heimdal Kerberos for codebase unification with Core?