I would work to get forward/reverse DNS consistent rather than attempting to configure around this.
But for reference's sake, the JGSS catalog of its supported settings is here: "Supported krb5.conf Settings"
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html
rdns is not available; there is a "noaddresses" but that seems to be more for NAT handling.

On Mon, May 15, 2017 at 10:56 AM, Greg Hudson <ghud...@mit.edu> wrote:
> On 05/15/2017 06:43 AM, Matt Darwin wrote:
> > So it looks like the client is sending
> >
> > oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
> >
> > as the SnameString (presumably the SPN), when it should be sending:
> >
> > d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
>
> I don't appear to have access to your DNS information from here. My
> guess is that oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com is the
> result of a PTR query on the IP address of the server, while
> d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com is the preferred forward record
> name.
>
> If I'm right about that, what you're looking for is a way to get the JVM
> Kerberos implementation to suppress the reverse DNS lookup when
> canonicalizing the server name. In MIT krb5, that would be accomplished
> with the "rdns" setting in krb5.conf; for details, see:
>
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html
>
> It's possible that the same setting might work for the Java
> implementation, but I'm not certain.
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
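As an added illustration (not code from anyone in the thread), here is a small Python model of the server-name canonicalization Greg describes, showing what changes when the reverse lookup is suppressed, plus the forward/reverse consistency check Todd recommends doing first. The resolver tables are constructed from the two hostnames in the thread; the service name HTTP and realm EXAMPLE.COM are placeholders.

```python
"""Model of Kerberos server-name canonicalization and a forward/reverse DNS
consistency check. Resolver data is constructed; no real DNS queries are made."""

# Constructed DNS data: both names resolve to the same address, but the PTR
# record points back only at the NAT-style name.
FORWARD = {
    "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com": "10.252.134.51",
    "oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com": "10.252.134.51",
}
REVERSE = {"10.252.134.51": "oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com"}


def canonicalize(host, rdns=True, forward=FORWARD, reverse=REVERSE):
    """Simplified model of MIT krb5 sname canonicalization: forward-resolve the
    host, then (only when rdns is enabled) replace the name with the PTR result."""
    ip = forward.get(host.lower())
    if ip is None:
        raise LookupError(f"no forward record for {host}")
    if rdns and ip in reverse:
        return reverse[ip]
    return host.lower()


def spn(host, service="HTTP", realm="EXAMPLE.COM", rdns=True):
    """Service principal the client would ask the KDC for (placeholder service/realm)."""
    return f"{service}/{canonicalize(host, rdns=rdns)}@{realm}"


def dns_consistency_issues(host, forward=FORWARD, reverse=REVERSE):
    """List the problems that make an rdns-enabled client pick a different name
    than the one the service keytab was issued for; empty list means consistent."""
    issues = []
    ip = forward.get(host.lower())
    if ip is None:
        return [f"{host} has no forward (A) record"]
    ptr = reverse.get(ip)
    if ptr is None:
        issues.append(f"{ip} has no PTR record")
    elif ptr != host.lower():
        issues.append(f"PTR for {ip} is {ptr}, not {host}")
        if forward.get(ptr) != ip:
            issues.append(f"PTR name {ptr} does not resolve back to {ip}")
    return issues


if __name__ == "__main__":
    h = "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com"
    print(spn(h, rdns=True))   # name sent while the reverse lookup is in effect
    print(spn(h, rdns=False))  # name sent once rdns is suppressed
    for issue in dns_consistency_issues(h):
        print("DNS:", issue)
```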