[Freeipa-devel] Determine KDC for a website
Adam Young
ayoung at redhat.com
Fri Mar 18 00:03:14 UTC 2011
I'm trying to figure out what should happen in the following case:
A user goes to a website that they've never visited before.
The site is using Kerberos, and thus the browser gets back a "Negotiate"
response.
At this point, the browser chops the hostname off the URL and requests
the TXT record for "_kerberos."+domain
This gives the browser back the REALM.
Now, there seems to be an understanding that the default REALM to domain
mapping should be REALM.to_lower.
Now to find the KDC for the server, I can do a DNS query for the SRV
record
"_kerberos._udp." + domain.
However, when I have a krb5 conf setup that does not explicitly set the
kdc value below....
[realms]
AYOUNG.BOSTON.DEVEL.REDHAT.COM = {
kdc = ipa14.ayoung.boston.devel.redhat.com:88
}
...I cannot kinit against the realm AYOUNG.BOSTON.DEVEL.REDHAT.COM.
I've confirmed that I can query my IPA server's DNS server and get the
appropriate records.
Is there a step I am missing, or is this lookup not supported in the
library? Is there some way I can better debug this?
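The realm and KDC discovery sequence described in the post, as an added example that is not part of the original message or of FreeIPA's code. It goes a little beyond the post: rather than querying only the host's immediate parent domain, it walks the name upward one label at a time looking for a `_kerberos.<domain>` TXT record, then orders the `_kerberos._udp.<realm>` SRV answers by RFC 2782 priority and weight. The resolver is injected so the example runs offline against a constructed zone; the second KDC name in that zone and the function names are hypothetical.

```python
"""Map a hostname to a Kerberos realm and its KDCs using the DNS records
named in the post: _kerberos.<domain> TXT for the realm, then
_kerberos._udp.<realm> SRV for the KDCs.  The resolver is a parameter so the
logic can be exercised offline; swap in a real resolver to run it live."""

# Constructed stand-in for DNS answers (not real records). TXT answers are
# strings; SRV answers are (priority, weight, port, target) tuples.
FAKE_ZONE = {
    ("_kerberos.ayoung.boston.devel.redhat.com", "TXT"): [
        "AYOUNG.BOSTON.DEVEL.REDHAT.COM",
    ],
    ("_kerberos._udp.ayoung.boston.devel.redhat.com", "SRV"): [
        (10, 0, 88, "ipa14.ayoung.boston.devel.redhat.com."),
        # hypothetical second KDC with a lower preference (higher priority value)
        (20, 0, 88, "ipa-backup.ayoung.boston.devel.redhat.com."),
    ],
}


def fake_resolve(name, rtype):
    """Offline resolver: look the (name, type) pair up in the constructed zone."""
    return FAKE_ZONE.get((name.lower().rstrip("."), rtype), [])


def parent_domains(hostname):
    """Drop the host label and walk toward the root, stopping before the TLD.
    'www.a.b.c' -> ['a.b.c', 'b.c']"""
    labels = hostname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def realm_for_host(hostname, resolve=fake_resolve):
    """Return the realm from the first _kerberos.<domain> TXT record found,
    or None if no parent domain publishes one."""
    for domain in parent_domains(hostname):
        txt = resolve("_kerberos." + domain, "TXT")
        if txt:
            return txt[0].strip('"')
    return None


def kdcs_for_realm(realm, resolve=fake_resolve):
    """Return 'host:port' strings for the realm's KDCs, lowest SRV priority
    first and, within equal priority, highest weight first (RFC 2782)."""
    records = resolve("_kerberos._udp." + realm.lower(), "SRV")
    ordered = sorted(records, key=lambda rec: (rec[0], -rec[1]))
    return [f"{target.rstrip('.')}:{port}" for _, _, port, target in ordered]


if __name__ == "__main__":
    host = "ipa14.ayoung.boston.devel.redhat.com"
    realm = realm_for_host(host)
    print(f"{host} -> realm {realm}")
    for kdc in kdcs_for_realm(realm):
        print("  KDC:", kdc)
```

Two points worth keeping in mind when wiring this to a real resolver. First, the TXT-based realm lookup trusts whatever the DNS returns: without DNSSEC, anyone who can answer the query can steer a client to a realm of their choosing, which is why MIT krb5 ships with `dns_lookup_realm` off by default and only `dns_lookup_kdc` on (a realm named in the client's krb5.conf is still allowed to find its KDCs via SRV). Second, the SRV lookup is keyed on the lower-cased realm name, so the "REALM.to_lower" convention the post mentions is exactly what makes the two queries line up.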