On 07/10/2012 04:30 PM, Weijun Wang wrote:
Hi Roy

In JDK 6 we canonicalize the service host name before requesting for a service ticket. In JDK 7 we don't, for security reasons, see http://tools.ietf.org/html/rfc4120#section-1.3. But I don't see how it affects locating the KDC.


Another change is that we always use DNS to locate a KDC if there is none in krb5.conf, i.e. dns_lookup_kdc's default value is now regarded as true.

Can you be more specific? tcp dumps are always welcome.

Attached are 2 dumps, for each jdk.

My krb5.conf has dns_lookup_kdc = true and my KDC is also specified in the domain section.

We have an Active Directory server which is also the DNS server. The SRV records are all fine and point to the right KDC and LDAP.

Resolving the KDC address is not a problem, but we must have back resolving too (as for jdk6...). To do that I have put a record in my /etc/hosts: 10.35.64.1 xxqa1.qa.lab###. I'm intentionally putting a wrong record, of course, just to prove the behavior.

Look at the dumps and you will see that jdk6 used the record in /etc/hosts in the KDC_REQ_BODY, so the request is for server ldap/xxqa1.qa.lab###, and jdk7 just uses the correct ldap/qa1.qa.lab####.



-Max

On 07/10/2012 06:08 PM, Roy Golan wrote:
Hi all,

In our project (www.ovirt.org) we do some Kerberos authentication and
we've seen different behavior between jdk6 and 7 in the process
of doing the TGS-Req to the KDC. With jdk6, we must have a PTR record
for our KDC to run, while using jdk7 we see it's ignoring it.
To check it we have put a wrong record in /etc/hosts for our KDC server,
say "1.1.1.1 wrongkdc.example.com" while it should be kdc.example.com, and
we saw that jdk6 is failing with PRINCIPAL_UNKNOWN. The PRINCIPAL in
jdk6 is 1.1.1.1/wrongkdc.example.com and with
jdk7 is 1.1.1.1/kdc.example.com, which is why it works.

Is this change by design or maybe a bug? Can someone explain if
there is no intent of using reverse records (PTR) for the PRINCIPAL
in TGS requests?

I can supply tcp dumps if that will help to shed light here.

Thanks,
Roy




Attachment: jdk7.kerberos.cap
Description: application/vnd.tcpdump.pcap

Attachment: jdk6.kerberos.cap
Description: application/vnd.tcpdump.pcap
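To make the behaviour discussed in this thread concrete, here is a small added simulation (not JDK code, nor anything from the oVirt project) of how a client names the service in its TGS-REQ with and without the JDK 6 style reverse-DNS canonicalization. The resolver tables, the KDC principal database and the realm QA.LAB are all constructed from the names in the thread; the trailing "###" on the host names is dropped.

```python
"""Added example: simulate service-principal naming in a TGS-REQ with and
without reverse-DNS canonicalization. Not JDK code; every table below is
constructed for illustration."""

# Constructed forward and reverse tables standing in for DNS plus /etc/hosts.
FORWARD = {
    "qa1.qa.lab": "10.35.64.1",    # real LDAP/KDC host (what the SRV records name)
    "xxqa1.qa.lab": "10.35.64.1",  # bogus name planted in /etc/hosts, as in the thread
}
REVERSE = {"10.35.64.1": "xxqa1.qa.lab"}  # the wrong PTR that entry produces

# Constructed KDC principal database: only the real SPN is registered.
KDC_PRINCIPALS = {"ldap/qa1.qa.lab@QA.LAB"}  # realm QA.LAB is assumed


def canonicalize(host):
    """JDK 6 style: forward-resolve the host, then take the reverse name of
    that address. Whoever controls DNS or /etc/hosts controls the result."""
    addr = FORWARD.get(host)
    return REVERSE.get(addr, host) if addr else host


def service_principal(service, host, realm, canonicalize_host):
    """Build the sname placed in KDC-REQ-BODY. With canonicalize_host=False
    (JDK 7 style, per RFC 4120 section 1.3) the caller's name is used as-is."""
    name = canonicalize(host) if canonicalize_host else host
    return f"{service}/{name}@{realm}"


def tgs_req(service, host, realm, canonicalize_host):
    """Return (requested sname, KDC answer): 'TICKET' when the principal
    exists, otherwise the RFC 4120 error KDC_ERR_S_PRINCIPAL_UNKNOWN."""
    sname = service_principal(service, host, realm, canonicalize_host)
    if sname in KDC_PRINCIPALS:
        return sname, "TICKET"
    return sname, "KDC_ERR_S_PRINCIPAL_UNKNOWN"


if __name__ == "__main__":
    for jdk, canon in (("jdk6-style", True), ("jdk7-style", False)):
        print(jdk, *tgs_req("ldap", "qa1.qa.lab", "QA.LAB", canon))
```

The canonicalizing client ends up asking the KDC for ldap/xxqa1.qa.lab and gets the principal-unknown error seen with jdk6, while the non-canonicalizing client requests the name it was given; the same mechanism is why RFC 4120 treats reverse DNS as an untrusted input when choosing which service principal to ask for.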
