Hi Petter,

On Thu, Jul 04, 2013 at 10:56:29AM +0200, Petter Reinholdtsen wrote:
> [Guido Günther] wrote:
> > I'm not sure I'm following here. If you don't have a domain name
> > from which domains SRV records would you expect the client to
> > retrieve its realm?
>
> In other scripts, I use a simple DNS lookup to find the server,
> similar to this:
>
>   pere@tjener:~$ host -t srv _kerberos._udp
>   _kerberos._udp.intern has SRV record 100 0 88 tjener.intern.
>   pere@tjener:~$

But where does the .intern come from? It needs to be appended
somewhere and I assume that's missing with heimdal. Either there isn't
a DNS domain or there is (assuming we're not talking about anything
similar to mDNS .local)?

> > Can you show how MIT resolves the REALM and then the KDC in your
> > case?
>
> Here is a tcpdump of port 53 (DNS) on the DNS server during a kinit
> run:
>
>   10:48:13.740049 IP 10.0.16.22.60465 > tjener.intern.domain: 29355+ TXT? _kerberos.ltsp4118. (36)
>   10:48:13.740459 IP tjener.intern.domain > 10.0.16.22.60465: 29355 NXDomain 0/1/0 (111)
>   10:48:13.741181 IP 10.0.16.22.57667 > tjener.intern.domain: 13656+ TXT? _kerberos.intern. (34)
>   10:48:13.741397 IP tjener.intern.domain > 10.0.16.22.57667: 13656* 1/1/1 TXT "INTERN" (90)
>   10:48:13.750393 IP 10.0.16.22.34855 > tjener.intern.domain: 1954+ SRV? _kerberos._udp.INTERN. (39)
>   10:48:13.750882 IP tjener.intern.domain > 10.0.16.22.34855: 1954* 1/1/1 SRV tjener.intern.:88 100 0 (102)
>   10:48:13.751803 IP 10.0.16.22.59974 > tjener.intern.domain: 41193+ SRV? _kerberos._tcp.INTERN. (39)
>   10:48:13.752068 IP tjener.intern.domain > 10.0.16.22.59974: 41193 NXDomain* 0/1/0 (87)
>   10:48:13.757228 IP 10.0.16.22.50499 > tjener.intern.domain: 62806+ SRV? _kerberos-master._udp.INTERN. (46)
>   10:48:13.757436 IP tjener.intern.domain > 10.0.16.22.50499: 62806* 1/1/1 SRV tjener.intern.:88 100 0 (109)
>   10:48:20.076806 IP 10.0.16.22.51156 > tjener.intern.domain: 46661+ SRV? _kerberos-master._udp.INTERN. (46)
>   10:48:20.077327 IP tjener.intern.domain > 10.0.16.22.51156: 46661* 1/1/1 SRV tjener.intern.:88 100 0 (109)
>   10:48:20.078249 IP 10.0.16.22.59517 > tjener.intern.domain: 27354+ SRV? _kerberos-master._tcp.INTERN. (46)
>   10:48:20.078512 IP tjener.intern.domain > 10.0.16.22.59517: 27354 NXDomain* 0/1/0 (94)
>
> As you can see, it first looks up the realm using a TXT lookup, and
> then finds the servers using SRV lookups. Does it help to explain what
> is going on?

See above. Why should it query _kerberos.intern. ? I assume that if
you set the realm to INTERN in krb5.conf things start to work? This
looks more like a heimdal vs mit issue. I'm happy to help out here
either way, but we'd better create a bug against heimdal on this one.

Cheers,
 -- Guido

>
> --
> Happy hacking
> Petter Reinholdtsen
>
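An added example, not part of the original thread: a small Python parser that pairs each DNS query in the tcpdump capture quoted in the message above with its response by query ID, so the TXT-then-SRV lookup sequence can be read off directly. The function names `pair_lookups` and `summarize` are hypothetical, and the input is the first eight packets of that capture with the mail line wrapping undone.

```python
import re

# First eight packets of the tcpdump capture quoted in the message above,
# with the mail line wrapping undone (one packet per line).
CAPTURE = """\
10:48:13.740049 IP 10.0.16.22.60465 > tjener.intern.domain: 29355+ TXT? _kerberos.ltsp4118. (36)
10:48:13.740459 IP tjener.intern.domain > 10.0.16.22.60465: 29355 NXDomain 0/1/0 (111)
10:48:13.741181 IP 10.0.16.22.57667 > tjener.intern.domain: 13656+ TXT? _kerberos.intern. (34)
10:48:13.741397 IP tjener.intern.domain > 10.0.16.22.57667: 13656* 1/1/1 TXT "INTERN" (90)
10:48:13.750393 IP 10.0.16.22.34855 > tjener.intern.domain: 1954+ SRV? _kerberos._udp.INTERN. (39)
10:48:13.750882 IP tjener.intern.domain > 10.0.16.22.34855: 1954* 1/1/1 SRV tjener.intern.:88 100 0 (102)
10:48:13.751803 IP 10.0.16.22.59974 > tjener.intern.domain: 41193+ SRV? _kerberos._tcp.INTERN. (39)
10:48:13.752068 IP tjener.intern.domain > 10.0.16.22.59974: 41193 NXDomain* 0/1/0 (87)
"""

# tcpdump prints "<id>+ <TYPE>? <name>" for a query and
# "<id>[*] <an>/<ns>/<ar> <TYPE> <rdata>" or "<id> NXDomain[*]" for a response.
QUERY = re.compile(r": (\d+)\+ (TXT|SRV)\? (\S+) \(\d+\)$")
ANSWER = re.compile(r": (\d+)\*? \d+/\d+/\d+ (?:TXT|SRV) (.+) \(\d+\)$")
NXDOMAIN = re.compile(r": (\d+)\*? NXDomain\*? ")

def pair_lookups(capture):
    """Match each DNS query to its response by query ID, in query order."""
    pending, result = {}, []
    for line in capture.splitlines():
        if m := QUERY.search(line):
            entry = {"type": m[2], "name": m[3], "answer": None}
            pending[m[1]] = entry
            result.append(entry)
        elif m := ANSWER.search(line):
            if m[1] in pending:
                pending.pop(m[1])["answer"] = m[2].strip('"')
        elif m := NXDOMAIN.search(line):
            pending.pop(m[1], None)  # no such name: answer stays None
    return result

def summarize(lookups):
    """Return (realm from the first answered TXT query, answered SRV targets)."""
    realm = next((q["answer"] for q in lookups
                  if q["type"] == "TXT" and q["answer"]), None)
    kdcs = [(q["name"], q["answer"].split()[0]) for q in lookups
            if q["type"] == "SRV" and q["answer"]]
    return realm, kdcs

if __name__ == "__main__":
    for q in pair_lookups(CAPTURE):
        print(f'{q["type"]:3} {q["name"]:26} -> {q["answer"] or "NXDomain"}')
    print(summarize(pair_lookups(CAPTURE)))
```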

