On 03/18/2011 10:53 AM, Nalin Dahyabhai wrote:
On Thu, Mar 17, 2011 at 08:03:14PM -0400, Adam Young wrote:
I'm trying to figure out what should happen in the following case;

A user goes to a website that they've never visited before.
The site is using Kerberos, and thus the browser gets back a
"Negotiate" response.

At this point, the browser chops the hostname off the URL and
requests the TXT record for "_kerberos."+domain
This gives the browser back the REALM.
The client will only consult DNS here if "dns_lookup_realm" is enabled
in the [libdefaults] section of your krb5.conf.

If the client's KDC is capable of issuing referrals and "knows" that the
web server host is a member of a particular realm, then the client will
trust that its KDC is pointing it in the right direction, regardless of
what's in DNS.

Now, there seems to be an understanding that the default REALM to
domain mapping should be  REALM.to_lower.

Now to find the KDC for the server, I can do a DNS query  for the
SRV record

"_kerberos._udp." + domain.
Section 7.2.3 of rfc4120 describes this in more detail.

However, when I have a krb5 conf setup that does not explicitly set
the kdc value below....

   kdc = ipa14.ayoung.boston.devel.redhat.com:88

...I cannot kinit against the realm AYOUNG.BOSTON.DEVEL.REDHAT.COM.
I've confirmed that I can query my IPA server's DNS server and get
the appropriate records.

Is there a step I am missing, or is this lookup no supported in the
library?  Is there some way I can better debug this?
Is your client configured to consult DNS in this way?  Specifically, is
"dns_lookup_kdc" enabled in the [libdefaults] section?

Both dns_lookup_kdc and dns_lookup_realm were set to false. Once I set them to true, it worked. Thanks.


Freeipa-devel mailing list

Reply via email to