Bug#571244: libkrb5-25-heimdal: heimdal uses hostname instead of fqdn as realm name
On Sun, 14 Mar 2010 19:12:33 +1100 Brian May br...@microcomaustralia.com.au wrote:

2010/3/14 Denis Feklushkin denis.feklush...@gmail.com:

I thought that if no realms provided by krb5.conf then DNS domain with srv record will be default realm

The SRV record doesn't contain the realm, it contains the servers. Heimdal can't contact the server until it knows the realm.

http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-DNS.html

Heimdal will try to use DNS to find the KDCs for a realm. First it will try to find a SRV resource record (RR) for the realm. If no SRV RRs are found, it will fall back to looking for an A RR for a machine named kerberos.REALM, and then kerberos-1.REALM, etc

Adding this information to DNS minimises the client configuration (in the common case, resulting in no configuration needed)

Here I am just about

and allows the system administrator to change the number of KDCs and on what machines they are running without caring about clients.

Maybe you are thinking of TXT records? See: http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-DNS.html

Note, if I am reading this correctly, each client host requires its own TXT record.

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzakh/rzakhdefinerealmsdns.htm

Add TXT records to associate host names with realm names. The Kerberos protocol searches for a TXT record starting with the host name. If no TXT record is found, the first label is removed and the search is retried with the new name. This process continues until a TXT record is found or the root is reached. Note that the realm name is case-sensitive in the TXT record.
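
The TXT search described at the end of the message above, as an added example that is not part of the thread and is not Heimdal's code. It assumes the usual `_kerberos.<name>` owner name for the TXT record, and the zone data is constructed so the walk runs offline; the function names are hypothetical.

```python
# Added illustration of the host-to-realm TXT walk quoted above.
# TXT_RECORDS is constructed sample data standing in for real DNS queries;
# the "_kerberos." owner-name prefix is an assumption (the common convention).
TXT_RECORDS = {
    "_kerberos.h-g.com": "H-G.COM",
}


def candidate_names(hostname):
    """Yield the host name, then each parent name with the first label removed."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def realm_from_txt(hostname, lookup_txt=TXT_RECORDS.get):
    """Return (realm, owner_names_tried).

    realm is None when every candidate was tried without finding a TXT
    record, i.e. the search reached the root.
    """
    tried = []
    for name in candidate_names(hostname):
        owner = "_kerberos." + name
        tried.append(owner)
        realm = lookup_txt(owner)
        if realm is not None:
            # The realm is case-sensitive, so return it exactly as published.
            return realm, tried
    return None, tried


if __name__ == "__main__":
    # The FQDN has parent labels to fall back on; the bare host name does not,
    # so a search that starts from "db" has nowhere to go.
    for host in ("db.h-g.com", "db"):
        realm, tried = realm_from_txt(host)
        print(f"{host!r}: realm={realm!r} after trying {tried}")
```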
Bug#571244: libkrb5-25-heimdal: heimdal uses hostname instead of fqdn as realm name
On Sun, 14 Mar 2010 18:15:44 +0700 Denis Feklushkin denis.feklush...@gmail.com wrote:

On Sun, 14 Mar 2010 19:12:33 +1100 Brian May br...@microcomaustralia.com.au wrote:

2010/3/14 Denis Feklushkin denis.feklush...@gmail.com:

I thought that if no realms provided by krb5.conf then DNS domain with srv record will be default realm

The SRV record doesn't contain the realm, it contains the servers. Heimdal can't contact the server until it knows the realm.

http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-DNS.html

Heimdal will try to use DNS to find the KDCs for a realm.

...and I suggest that if the default realm is not found (krb5.conf does not exist, for example) fqdn is used as realm name and the default realm name too

First it will try to find a SRV resource record (RR) for the realm. If no SRV RRs are found, it will fall back to looking for an A RR for a machine named kerberos.REALM, and then kerberos-1.REALM, etc

Adding this information to DNS minimises the client configuration (in the common case, resulting in no configuration needed)

Here I am just about

and allows the system administrator to change the number of KDCs and on what machines they are running without caring about clients.
Bug#571244: libkrb5-25-heimdal: heimdal uses hostname instead of fqdn as realm name
2010/2/25 Denis Feklushkin denis.feklush...@gmail.com:

I want to get kerberos configuration via DNS for all my machines.

Sorry, I think you have lost me. How do you want Heimdal to work out the default realm? The dns domain name comes from information you have already supplied in /etc/resolv.conf and/or /etc/hostname.

-- Brian May br...@microcomaustralia.com.au
Bug#571244: libkrb5-25-heimdal: heimdal uses hostname instead of fqdn as realm name
2010/2/25 Denis Feklushkin denis.feklush...@gmail.com:

Thus, kerberos configuration can't be done without creating config files?

I couldn't reproduce the problem myself; I will try again tomorrow without the config file. Normally the config file should be automatically created by the krb5-config package, which should automatically get installed on your system.

-- Brian May br...@microcomaustralia.com.au
Bug#571244: libkrb5-25-heimdal: heimdal uses hostname instead of fqdn as realm name
On Thu, 25 Feb 2010 19:24:08 +1100 Brian May br...@microcomaustralia.com.au wrote:

2010/2/25 Denis Feklushkin denis.feklush...@gmail.com:

Thus, kerberos configuration can't be done without creating config files?

I couldn't reproduce the problem myself; I will try again tomorrow without the config file. Normally the config file should be automatically created by the krb5-config package, which should automatically get installed on your system.

It is created. I thought if I delete it then everything will be fine. Apparently, the minimal config to be so, even if you use the setup through DNS:

[libdefaults]
default_realm = realm

About config deletion: I thought that this would automate the configuration of kerberos for all machines, I want to get kerberos configuration via DNS for all my machines.
Bug#571244: libkrb5-25-heimdal: heimdal uses hostname instead of fqdn as realm name
Package: libkrb5-25-heimdal
Version: 1.2.dfsg.1-2.1
Severity: important

Heimdal uses hostname instead of fqdn as realm name. I'm not an expert in kerberos but I think this is incorrect behavior.

For example, my host is db.h-g.com, realm H-G.COM and kerberos configured by DNS SRV records:

sh-4.0# hostname db
sh-4.0# hostname
db
sh-4.0# dnsdomainname
h-g.com
sh-4.0# hostname -f
db.h-g.com
sh-4.0# kinit norma
kinit: krb5_parse_name: unable to find realm of host db
sh-4.0# hostname db.h-g.com
sh-4.0# hostname
db.h-g.com
sh-4.0# hostname -f
db.h-g.com
sh-4.0# dnsdomainname
h-g.com
sh-4.0# kinit norma
no...@h-g.com's Password:
sh-4.0#

The problem does not occur if in the /etc/hostname fqdn specified, but 'man hostname' says:

/etc/hostname This file should only contain domain name and not the full FQDN

My DNS SRV settings:

$ dig srv _kerberos._udp.h-g.com

; <<>> DiG 9.6.1-P1 <<>> srv _kerberos._udp.h-g.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23562
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;_kerberos._udp.h-g.com.        IN      SRV

;; ANSWER SECTION:
_kerberos._udp.h-g.com. 3600    IN      SRV     10 10 88 kerberos.h-g.com.

;; AUTHORITY SECTION:
h-g.com.                3600    IN      NS      ns1.h-g.com.

;; ADDITIONAL SECTION:
kerberos.h-g.com.       3600    IN      A       192.168.1.75
ns1.h-g.com.            3600    IN      A       192.168.1.75

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 24 22:36:11 2010
;; MSG SIZE rcvd: 134

-- System Information:
Debian Release: squeeze/sid
APT prefers stable
APT policy: (990, 'stable'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libkrb5-25-heimdal depends on:
ii  libasn1-8-heimdal   1.2.dfsg.1-2.1  Heimdal Kerberos - ASN.1 library
ii  libc6               2.9-25          GNU C Library: Shared libraries
ii  libcomerr2          1.41.9-1        common error description library
ii  libhx509-3-heimdal  1.2.dfsg.1-2.1  Heimdal Kerberos - X509 support li
ii  libroken18-heimdal  1.2.dfsg.1-2.1  Heimdal Kerberos - roken support l
ii  libssl0.9.8         0.9.8k-7        SSL shared libraries
ii  libwind0-heimdal    1.2.dfsg.1-2.1  Heimdal Kerberos - NTLM support li

libkrb5-25-heimdal recommends no packages.

libkrb5-25-heimdal suggests no packages.

-- debconf-show failed
Bug#571244: libkrb5-25-heimdal: heimdal uses hostname instead of fqdn as realm name
2010/2/25 Denis Feklushkin denis.feklush...@gmail.com:

Heimdal uses hostname instead of fqdn as realm name. I'm not an expert in kerberos but I think this is incorrect behavior.

Hello,

Can you please show me your /etc/krb5.conf file?

What happens if you type in kinit no...@h-g.com - does that work?

Thanks

-- Brian May br...@microcomaustralia.com.au
Bug#571244: libkrb5-25-heimdal: heimdal uses hostname instead of fqdn as realm name
On Thu, 25 Feb 2010 14:25:45 +1100 Brian May br...@microcomaustralia.com.au wrote:

2010/2/25 Denis Feklushkin denis.feklush...@gmail.com:

Heimdal uses hostname instead of fqdn as realm name. I'm not an expert in kerberos but I think this is incorrect behavior.

Hello,

Can you please show me your /etc/krb5.conf file?

After creating this file everything works!

[libdefaults]
default_realm = H-G.COM

But my idea was a configuration without config files

What happens if you type in kinit no...@h-g.com - does that work?

# kinit no...@h-g.com
no...@h-g.com's Password:

(that works without /etc/krb5.conf)

Thus, kerberos configuration can't be done without creating config files?