I'm trying to figure out what should happen in the following case:
A user goes to a website that they've never visited before.
The site is using Kerberos, and thus the browser gets back a "Negotiate"
response.
At this point, the browser chops the hostname off the URL and requests
the TXT record for "_kerberos."+domain
This gives the browser back the REALM.
Now, there seems to be an understanding that the default REALM to domain
mapping should be REALM.to_lower.
Now to find the KDC for the server, I can do a DNS query for the SRV
record
"_kerberos._udp." + domain.
However, when I have a krb5.conf setup that does not explicitly set the
kdc value below....
[realms]
AYOUNG.BOSTON.DEVEL.REDHAT.COM = {
kdc = ipa14.ayoung.boston.devel.redhat.com:88
}
...I cannot kinit against the realm AYOUNG.BOSTON.DEVEL.REDHAT.COM.
I've confirmed that I can query my IPA server's DNS server and get the
appropriate records.
Is there a step I am missing, or is this lookup not supported in the
library? Is there some way I can better debug this?
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
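The discovery chain the post walks through (TXT `_kerberos.<domain>` for the realm, then SRV `_kerberos._udp.<realm lowercased>` for the KDC, unless krb5.conf already names one) is easy to get wrong at one link, so here is the procedure as a small offline script. This is an added example, not code from the post or from FreeIPA/MIT krb5: the DNS answers, the krb5.conf snippets and the realm EXAMPLE.COM are constructed, and the `fake_resolve` function stands in for a real resolver. It follows MIT krb5's behaviour of trying the TXT lookup on the full hostname first and walking up the parent domains, forms the SRV name from the lowercased realm (the post writes "domain", which is the same string under the REALM.to_lower convention), and honours the `[libdefaults]` setting `dns_lookup_kdc`, which is the switch that decides whether a missing `kdc =` line falls back to DNS at all. For a live system, `KRB5_TRACE=/dev/stderr kinit user@REALM` prints each lookup MIT krb5 actually makes.

```python
"""Offline walk-through of Kerberos realm and KDC discovery.

Added example (not from the mailing-list post). DNS data and krb5.conf
text are constructed; swap fake_resolve for a real resolver to use live DNS.
"""
import re
from urllib.parse import urlparse

# Constructed DNS zone: (record type, owner name) -> answers.
# SRV answers are (priority, weight, port, target), as in the RR.
FAKE_DNS = {
    ("TXT", "_kerberos.example.com"): ["EXAMPLE.COM"],
    ("SRV", "_kerberos._udp.example.com"): [(0, 100, 88, "kdc1.example.com")],
}

def fake_resolve(rtype, name):
    """Stand-in resolver; returns [] when the name does not exist."""
    return FAKE_DNS.get((rtype, name.lower().rstrip(".")), [])

def parent_domain(name):
    """Drop the leftmost label: www.example.com -> example.com."""
    return name.split(".", 1)[1] if "." in name else ""

def realm_from_dns(hostname, resolve):
    """TXT _kerberos.<name>, starting at the host and walking up the domain tree."""
    name = hostname
    while name:
        answers = resolve("TXT", "_kerberos." + name)
        if answers:
            return answers[0]
        name = parent_domain(name)
    return None

def parse_realm_kdcs(conf_text, realm):
    """Explicit 'kdc =' lines for realm inside the [realms] section."""
    in_realms = in_block = False
    kdcs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_realms, in_block = (line == "[realms]"), False
            continue
        if not in_realms:
            continue
        if not in_block:
            m = re.match(r"(\S+)\s*=\s*\{", line)
            in_block = bool(m and m.group(1) == realm)
        elif line == "}":
            in_block = False
        else:
            m = re.match(r"kdc\s*=\s*(\S+)", line)
            if m:
                kdcs.append(m.group(1))
    return kdcs

def dns_lookup_kdc_enabled(conf_text):
    """[libdefaults] dns_lookup_kdc; MIT krb5 defaults it to true."""
    m = re.search(r"dns_lookup_kdc\s*=\s*(\S+)", conf_text)
    return m is None or m.group(1).lower() in ("true", "yes", "1")

def kdcs_from_dns(realm, resolve):
    """SRV _kerberos._udp.<realm lowercased>, ordered by priority then weight."""
    recs = sorted(resolve("SRV", "_kerberos._udp." + realm.lower()),
                  key=lambda r: (r[0], -r[1]))
    return ["%s:%d" % (target, port) for _p, _w, port, target in recs]

def discover(url, conf_text, resolve=fake_resolve):
    """Report where the realm and KDC for a URL would come from."""
    host = urlparse(url).hostname
    result = {"host": host, "realm": realm_from_dns(host, resolve),
              "kdc_source": None, "kdcs": []}
    realm = result["realm"]
    if realm is None:
        return result
    explicit = parse_realm_kdcs(conf_text, realm)
    if explicit:
        result["kdc_source"], result["kdcs"] = "krb5.conf", explicit
    elif dns_lookup_kdc_enabled(conf_text):
        found = kdcs_from_dns(realm, resolve)
        if found:
            result["kdc_source"], result["kdcs"] = "dns", found
    return result

# Constructed krb5.conf variants.
CONF_EXPLICIT = "[realms]\nEXAMPLE.COM = {\n kdc = kdc1.example.com:88\n}\n"
CONF_NO_KDC = "[realms]\nEXAMPLE.COM = {\n}\n"
CONF_DNS_OFF = "[libdefaults]\n dns_lookup_kdc = false\n" + CONF_NO_KDC

if __name__ == "__main__":
    for name, conf in [("explicit", CONF_EXPLICIT), ("no kdc", CONF_NO_KDC),
                       ("dns off", CONF_DNS_OFF)]:
        print(name, discover("https://www.example.com/app", conf))
```

The third variant is the case worth checking on a box that behaves like the one in the post: with `dns_lookup_kdc = false` (or an empty `[realms]` block and no SRV records reachable from the client's resolver) the library has no KDC to talk to, and `kinit` fails even though `dig` against the IPA DNS server succeeds.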