[Freeipa-devel] Determine KDC for a website
Martin Kosek
mkosek at redhat.com
Fri Mar 18 09:04:27 UTC 2011
On Thu, 2011-03-17 at 20:03 -0400, Adam Young wrote:
> I'm trying to figure out what should happen in the following case;
>
>
> A user goes to a website that they've never visited before.
> The site is using Kerberos, and thus the browser gets back a "Negotiate"
> response.
>
> At this point, the browser chops the hostname off the URL and requests
> the TXT record for "_kerberos."+domain
> This gives the browser back the REALM.
>
>
> Now, there seems to be an understanding that the default REALM to domain
> mapping should be REALM.to_lower.
Yeah, Kerberos does this. This resulted in #1100 yesterday.
>
> Now to find the KDC for the server, I can do a DNS query for the SRV
> record
>
> "_kerberos._udp." + domain.
Correct.
>
>
> However, when I have a krb5 conf setup that does not explicitly set the
> kdc value below....
>
> [realms]
> AYOUNG.BOSTON.DEVEL.REDHAT.COM = {
> kdc = ipa14.ayoung.boston.devel.redhat.com:88
> }
Hm... This is the configuration that the IPA client installation produces,
and KDC autodiscovery works for me with it:
[libdefaults]
    default_realm = TESTRELM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    ticket_lifetime = 24h
    forwardable = yes
[realms]
    TESTRELM = {
        pkinit_anchors = FILE:/etc/ipa/ca.crt
    }
[domain_realm]
    .idm.lab.bos.redhat.com = TESTRELM
    idm.lab.bos.redhat.com = TESTRELM
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
> ...I cannot kinit against the realm AYOUNG.BOSTON.DEVEL.REDHAT.COM.
> I've confirmed that I can query my IPA server's DNS server and get the
> appropriate records.
>
> Is there a step I am missing, or is this lookup not supported in the
> library? Is there some way I can better debug this?
What does your DNS log show? I enabled logging of DNS queries in my
"named", and `kinit admin@TESTRELM` with the above configuration made the
following queries:
18-Mar-2011 10:00:50.617 client 10.16.78.142#51316: query: _kerberos._udp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:50.621 client 10.16.78.142#60264: query: kdc.testrelm IN A + (10.16.78.111)
18-Mar-2011 10:00:50.621 client 10.16.78.142#60264: query: kdc.testrelm IN AAAA + (10.16.78.111)
18-Mar-2011 10:00:50.622 client 10.16.78.142#35208: query: _kerberos._tcp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:50.628 client 10.16.78.142#54654: query: _kerberos-master._udp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:50.630 client 10.16.78.142#54235: query: kdc.testrelm IN A + (10.16.78.111)
18-Mar-2011 10:00:50.649 client 10.16.78.142#49681: query: _kerberos-master._udp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:50.650 client 10.16.78.142#57950: query: _kerberos-master._tcp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:51.062 client 10.16.78.142#54733: query: vm-111.idm.lab.bos.redhat.com IN A + (10.16.78.111)
18-Mar-2011 10:00:51.063 client 10.16.78.142#46147: query: 111.78.16.10.in-addr.arpa IN PTR + (10.16.78.111)
...
And it successfully logs in to the Kerberos realm.
Martin
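The discovery sequence discussed in this thread (TXT `_kerberos.<domain>` to find the realm, the lower-cased realm as the default domain, SRV `_kerberos._udp/_tcp.<REALM>` to find the KDC, then A/AAAA of the SRV target) as an added, runnable walk-through. This is example code written for this archive page, not code from FreeIPA or MIT krb5; it resolves against a constructed in-memory zone so it runs offline, and it parses the `named` query-log format quoted above so the observed query order can be checked against the expected one. The zone contents (`kdc.testrelm`, port 88, the TXT record placement) are assumptions chosen to match the names in the mail, and the realm lookup generalises the mail's "chop the hostname off" step by also walking up parent domains.

```python
"""Kerberos realm and KDC autodiscovery over DNS, replayed against a
constructed zone. Example code for this thread, not FreeIPA/krb5 code.

  1. realm lookup:   TXT  _kerberos.<domain>      -> REALM
  2. KDC lookup:     SRV  _kerberos._udp.<REALM>  -> (prio, weight, port, target)
                     SRV  _kerberos._tcp.<REALM>
  3. target lookup:  A / AAAA of each SRV target
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed zone data standing in for the IPA DNS server (assumption:
# names mirror the mail, record contents are made up for the example).
ZONE: Dict[Tuple[str, str], List] = {
    ("_kerberos.idm.lab.bos.redhat.com", "TXT"): ["TESTRELM"],
    # SRV rdata as (priority, weight, port, target)
    ("_kerberos._udp.TESTRELM", "SRV"): [(0, 100, 88, "kdc.testrelm")],
    ("_kerberos._tcp.TESTRELM", "SRV"): [(0, 100, 88, "kdc.testrelm")],
    ("_kerberos-master._udp.TESTRELM", "SRV"): [(0, 100, 88, "kdc.testrelm")],
    ("kdc.testrelm", "A"): ["10.16.78.111"],
}


def resolve(name: str, rtype: str, zone=ZONE) -> List:
    """Lookup with DNS case-insensitivity (TESTRELM and testrelm are one name)."""
    for (zname, ztype), rdata in zone.items():
        if zname.lower() == name.lower() and ztype == rtype:
            return rdata
    return []


def parent_domains(hostname: str) -> List[str]:
    """Drop the host label, then keep walking up: the mail chops the hostname
    off the URL; trying higher zones handles a TXT record at a zone cut."""
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def find_realm(hostname: str, zone=ZONE) -> Optional[str]:
    """Step 1: TXT _kerberos.<domain> for each parent domain of the host."""
    for domain in parent_domains(hostname):
        txt = resolve("_kerberos." + domain, "TXT", zone)
        if txt:
            return txt[0]
    return None


def default_domain_for_realm(realm: str) -> str:
    """Default REALM -> domain mapping mentioned in the thread: lower-case it."""
    return realm.lower()


def find_kdcs(realm: str, zone=ZONE) -> List[Tuple[str, str, int, Optional[str]]]:
    """Steps 2 and 3: SRV records by priority, then the address of each target.
    Returns (transport, target, port, address); address is None if unresolved."""
    kdcs = []
    for proto in ("_udp", "_tcp"):
        for _prio, _weight, port, target in sorted(resolve(f"_kerberos.{proto}.{realm}", "SRV", zone)):
            addrs = resolve(target, "A", zone) or resolve(target, "AAAA", zone) or [None]
            for addr in addrs:
                kdcs.append((proto.lstrip("_"), target, port, addr))
    return kdcs


# The named query-log format quoted in the mail.
NAMED_QUERY_RE = re.compile(r"client [\d.]+#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")

# First three lines of the log quoted in the mail, used as sample input.
SAMPLE_LOG = """\
18-Mar-2011 10:00:50.617 client 10.16.78.142#51316: query: _kerberos._udp.TESTRELM IN SRV + (10.16.78.111)
18-Mar-2011 10:00:50.621 client 10.16.78.142#60264: query: kdc.testrelm IN A + (10.16.78.111)
18-Mar-2011 10:00:50.621 client 10.16.78.142#60264: query: kdc.testrelm IN AAAA + (10.16.78.111)
"""


def parse_named_queries(log: str) -> List[Tuple[str, str]]:
    """(qname, qtype) in the order the client asked."""
    return [(m["name"], m["type"]) for m in NAMED_QUERY_RE.finditer(log)]


def expected_queries(realm: str, zone=ZONE) -> List[Tuple[str, str]]:
    """Query order seen in the mail's log: UDP SRV, then A and AAAA per target."""
    queries = [(f"_kerberos._udp.{realm}", "SRV")]
    for _p, _w, _port, target in resolve(f"_kerberos._udp.{realm}", "SRV", zone):
        queries += [(target, "A"), (target, "AAAA")]
    return queries


def log_matches_expected(log: str, realm: str, zone=ZONE) -> bool:
    """True if the client's first queries are exactly the expected discovery sequence."""
    want = expected_queries(realm, zone)
    return parse_named_queries(log)[: len(want)] == want


if __name__ == "__main__":
    realm = find_realm("www.idm.lab.bos.redhat.com")
    print("realm:", realm, "default domain:", default_domain_for_realm(realm))
    print("kdcs:", find_kdcs(realm))
    print("log matches expected sequence:", log_matches_expected(SAMPLE_LOG, realm))
```

If `kinit` fails while the records exist, running `parse_named_queries` over the real `named` log is the quickest way to see whether the client asked for the SRV record at all (a `dns_lookup_kdc` or realm-mapping problem) or asked and got no usable target (a zone problem).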