jcmturner / gokrb5

Pure Go Kerberos library for clients and services

Go 1.20.x: Inconsistent LookupCNAME breaks TGS Exchange (KDC_ERR_S_PRINCIPAL_UNKNOWN)

jbvmio opened this issue · comments

This is mostly a PSA.

Changes introduced in Go version 1.20 have made the net.LookupCNAME function unreliable or, at least, inconsistent with previous versions of Go on Unix systems.

Example:
https://github.com/jcmturner/gokrb5/blob/v8.4.4/spnego/http.go#L165

Change:
https://go-review.googlesource.com/c/go/+/446179

Issue:
I have confirmed, first-hand, that this breaks existing applications using gokrb5 when DNS responds with multiple CNAMEs. As noted here: golang/go#50101 (comment)

The behavior is inconsistent: sometimes the correct canonical name is returned and everything functions normally. When the incorrect name is returned, a KRB Error: (7) KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database - UNKNOWN_SERVER will occur when initiating the outbound security context.
https://github.com/jcmturner/gokrb5/blob/v8.4.4/spnego/http.go#L181

Workaround:
For now, compile using a Go version prior to 1.20

Additional Resources:
golang/go#59943
golang/go#50101
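Added example, not code from the issue or from gokrb5: the failure described above comes from building the SPN out of whatever single name LookupCNAME happens to return for a host behind a chain of CNAMEs. The code below follows the chain one hop at a time, on top of any function with the shape of net.LookupCNAME, until a name maps to itself, then builds `HTTP/<canonical-host>` from the result. It assumes (as net.LookupCNAME is documented to do) that a name with no CNAME record resolves to itself, guards against loops and over-long chains, and runs offline against a constructed zone; all hostnames in the zone are made up for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
)

// Lookup has the shape of net.LookupCNAME, injected so the chain-following
// logic can be exercised against a constructed zone without touching DNS.
type Lookup func(host string) (string, error)

// CanonicalHost follows CNAME records one hop at a time until a name maps to
// itself (assumption: the resolver returns the queried name when it has no
// CNAME record, which is how net.LookupCNAME is documented) or until maxHops
// is exceeded. The returned name is lower-cased and has no trailing dot.
func CanonicalHost(lookup Lookup, host string, maxHops int) (string, error) {
	cur := strings.TrimSuffix(strings.ToLower(host), ".")
	seen := map[string]bool{cur: true}
	for hop := 0; hop <= maxHops; hop++ {
		next, err := lookup(cur)
		if err != nil {
			return "", fmt.Errorf("cname lookup for %q: %w", cur, err)
		}
		next = strings.TrimSuffix(strings.ToLower(next), ".")
		if next == "" || next == cur {
			return cur, nil // no further CNAME: this is the canonical host
		}
		if seen[next] {
			return "", fmt.Errorf("cname loop detected at %q", next)
		}
		seen[next] = true
		cur = next
	}
	return "", errors.New("cname chain too long")
}

// HostOnly strips an optional port from a URL host component
// ("host:port" or "[v6]:port") and any trailing dot.
func HostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return strings.TrimSuffix(hostport, ".")
}

// SPNFor builds the HTTP service principal name for a request host using
// the fully followed CNAME chain rather than a single LookupCNAME answer.
func SPNFor(lookup Lookup, hostport string) (string, error) {
	c, err := CanonicalHost(lookup, HostOnly(hostport), 8)
	if err != nil {
		return "", err
	}
	return "HTTP/" + c, nil
}

// ConstructedZone is a made-up zone (hypothetical names) for demonstration:
// the web alias points at a load-balancer alias, which points at the node
// that actually carries the address records. Two entries form a CNAME loop.
var ConstructedZone = map[string]string{
	"web.example.com":    "lb.example.net.",
	"lb.example.net":     "node1.example.net.",
	"node1.example.net":  "node1.example.net.", // no CNAME: resolves to itself
	"plain.example.com":  "plain.example.com.",
	"loop-a.example.com": "loop-b.example.com.",
	"loop-b.example.com": "loop-a.example.com.",
}

// ZoneLookup answers like LookupCNAME would for the constructed zone above.
func ZoneLookup(host string) (string, error) {
	if c, ok := ConstructedZone[host]; ok {
		return c, nil
	}
	return "", &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
}

func main() {
	lookup, target := Lookup(ZoneLookup), "web.example.com:8443"
	if len(os.Args) > 1 { // pass a real host to query the system resolver instead
		lookup, target = net.LookupCNAME, os.Args[1]
	}
	spn, err := SPNFor(lookup, target)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("SPN for", target, "is", spn)
}
```

Whatever hop a given Go version's LookupCNAME returns for web.example.com, feeding that answer back into CanonicalHost converges on the same final name, so the SPN is stable. Against a real KDC, the simpler fix is to stop deriving the SPN from DNS at all: gokrb5 v8's spnego.SetSPNEGOHeader and spnego.NewClient take an spn argument, and a non-empty value skips the library's own LookupCNAME call (check the signature in the version you build against). Pinning the SPN also removes the dependency on a resolver the client does not control.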