I am using the krb5-1.12.5 port that comes with openSUSE 42.3. Recently the SuSE distro changed their krb5.conf to include

    dns_canonicalize_hostname = false
    rdns = false

This was supposedly for security, so I applied the above to my own krb5.conf. However, this change broke kprop. On the Kerberos master host alpha.sub.killian.com (192.168.1.5) I did

    # kinit root/admin
    # kprop -f KILLIAN.COM.dump -ddd beta.killian.com
    kprop: Client not found in Kerberos database while getting initial ticket

I then find in the KRB5_TRACE file:

    [24229] 1508275209.426788: Convert service (null) (service with host as instance) on host (null) to principal
    [24229] 1508275209.426802: Remote host after reverse DNS processing: alpha
    [24229] 1508275209.426814: Got service principal host/alpha@
    [24229] 1508275209.426821: Initializing MEMORY:_kproptkt with default princ host/al...@killian.com
    [24229] 1508275209.426826: Convert service host (service with host as instance) on host beta.killian.com to principal
    [24229] 1508275209.426828: Remote host after reverse DNS processing: beta.killian.com
    [24229] 1508275209.426832: Got service principal host/beta.killian....@killian.com
    [24229] 1508275209.426842: Getting initial credentials for host/al...@killian.com
    [24229] 1508275209.426872: Setting initial creds service to host/beta.killian....@killian.com
    [24229] 1508275209.426905: Sending request (164 bytes) to KILLIAN.COM
    [24229] 1508275209.426928: Resolving hostname alpha.sub.killian.com
    [24229] 1508275209.427107: Sending initial UDP request to dgram 192.168.1.5:88
    [24229] 1508275209.427221: Received answer (182 bytes) from dgram 192.168.1.5:88
    [24229] 1508275209.427233: Response was not from master KDC
    [24229] 1508275209.427242: Received error from KDC: -1765328378/Client not found in Kerberos database
    [24229] 1508275209.427264: Destroying ccache MEMORY:_kproptkt

So it appears that it is not using the FQDN for the initiating host when determining a principal (see the 4th line above where it says "host/alpha" instead of "host/alpha.sub.killian.com").

So obviously I removed the two new "security" lines from my krb5.conf to restore things to a working situation. However, I would like to inquire of the mailing list how things are supposed to work when those are set to false as in the openSUSE distro.

-Earl
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
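
An added example, not part of the original post and not krb5 project code: a Python check that scans KRB5_TRACE output for host-based principals built from a hostname with no domain part, the symptom visible in the trace above. The function name, the finding fields and the "no dot means unqualified" heuristic are assumptions made for this example.

```python
import re

# KRB5_TRACE line layout: "[pid] seconds.micros: message"
LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
CONVERT = re.compile(r"^Convert service (\S+) \(service with host as instance\) "
                     r"on host (\S+) to principal$")
RESULT = re.compile(r"^Remote host after reverse DNS processing: (\S+)$")

# The four name-conversion lines from the trace in the post.
SAMPLE_TRACE = """\
[24229] 1508275209.426788: Convert service (null) (service with host as instance) on host (null) to principal
[24229] 1508275209.426802: Remote host after reverse DNS processing: alpha
[24229] 1508275209.426826: Convert service host (service with host as instance) on host beta.killian.com to principal
[24229] 1508275209.426828: Remote host after reverse DNS processing: beta.killian.com
"""

def find_unqualified_hosts(trace):
    """Return one finding per host-based principal built from a dotless hostname."""
    pending = {}   # pid -> (service, requested host) awaiting its result line
    findings = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, stamp, msg = m.groups()
        conv = CONVERT.match(msg)
        if conv:
            pending[pid] = conv.groups()
            continue
        res = RESULT.match(msg)
        if res and pid in pending:
            service, requested = pending.pop(pid)
            host = res.group(1)
            # Assumption for this example: no dot means not fully qualified.
            if "." not in host.rstrip("."):
                findings.append({"pid": pid, "time": stamp, "service": service,
                                 "host": host,
                                 # "(null)" host: no hostname was passed by the caller
                                 "local_host": requested == "(null)"})
    return findings

if __name__ == "__main__":
    for f in find_unqualified_hosts(SAMPLE_TRACE):
        origin = "local hostname" if f["local_host"] else "requested hostname"
        print(f'{f["time"]} pid {f["pid"]}: {origin} "{f["host"]}" is not fully qualified')
```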