[Freeipa-devel] Determine KDC for a website
Nalin Dahyabhai
nalin at redhat.com
Fri Mar 18 14:53:43 UTC 2011
On Thu, Mar 17, 2011 at 08:03:14PM -0400, Adam Young wrote:
> I'm trying to figure out what should happen in the following case;
>
> A user goes to a website that they've never visited before.
> The site is using Kerberos, and thus the browser gets back a
> "Negotiate" response.
>
> At this point, the browser chops the hostname off the URL and
> requests the TXT record for "_kerberos."+domain
> This gives the browser back the REALM.
The client will only consult DNS here if "dns_lookup_realm" is enabled
in the [libdefaults] section of your krb5.conf.
If the client's KDC is capable of issuing referrals and "knows" that the
web server host is a member of a particular realm, then the client will
trust that its KDC is pointing it in the right direction, regardless of
what's in DNS.
> Now, there seems to be an understanding that the default REALM to
> domain mapping should be REALM.to_lower.
>
> Now to find the KDC for the server, I can do a DNS query for the
> SRV record
>
> "_kerberos._udp." + domain.
Section 7.2.3 of rfc4120 describes this in more detail.
> However, when I have a krb5 conf setup that does not explicitly set
> the kdc value below....
>
> [realms]
> AYOUNG.BOSTON.DEVEL.REDHAT.COM = {
> kdc = ipa14.ayoung.boston.devel.redhat.com:88
> }
>
> ...I cannot kinit against the realm AYOUNG.BOSTON.DEVEL.REDHAT.COM.
> I've confirmed that I can query my IPA server's DNS server and get
> the appropriate records.
>
> Is there a step I am missing, or is this lookup not supported in the
> library? Is there some way I can better debug this?
Is your client configured to consult DNS in this way? Specifically, is
"dns_lookup_kdc" enabled in the [libdefaults] section?
HTH,
Nalin
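The lookup sequence the thread describes (a "_kerberos." TXT record giving the realm, a "_kerberos._udp." SRV record giving the KDC, and the dns_lookup_kdc switch that gates the SRV step), as an added Python example that is not part of the thread. It runs against a constructed in-memory DNS table for the made-up domain example.test instead of issuing real queries.

```python
# Constructed DNS data standing in for a real zone (not from the thread;
# the thread's own hosts live under ayoung.boston.devel.redhat.com).
DNS = {
    ("TXT", "_kerberos.example.test"): ["EXAMPLE.TEST"],
    ("SRV", "_kerberos._udp.example.test"): [
        # (priority, weight, port, target) as in SRV RDATA
        (0, 100, 88, "kdc1.example.test"),
        (0, 50, 88, "kdc2.example.test"),
        (10, 0, 88, "backup.example.test"),
    ],
}


def lookup(rtype, name, dns=DNS):
    """Return the RRset for (type, name), or [] for NXDOMAIN/NODATA."""
    return dns.get((rtype, name.lower().rstrip(".")), [])


def realm_for_host(hostname, dns=DNS):
    """Map a host to its realm via _kerberos TXT records, walking from the
    full hostname up through its parent domains (what dns_lookup_realm enables)."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        txt = lookup("TXT", "_kerberos." + ".".join(labels[i:]), dns)
        if txt:
            return txt[0]
    return None  # no TXT record: the client needs krb5.conf or a KDC referral


def kdcs_from_srv(realm, dns=DNS):
    """Find KDCs via _kerberos._udp.<realm> SRV records (what dns_lookup_kdc
    enables), realm lower-cased to form the domain. Ordered by priority, then
    weight descending; a real resolver randomises among equal-priority targets."""
    records = lookup("SRV", "_kerberos._udp." + realm.lower(), dns)
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [(target, port) for _, _, port, target in ordered]


def resolve_kdcs(realm, krb5conf, dns=DNS):
    """Emulate the client's decision: a static 'kdc =' entry in [realms] wins;
    otherwise SRV records are consulted only when dns_lookup_kdc is enabled."""
    static = krb5conf.get("realms", {}).get(realm, {}).get("kdc")
    if static:
        host, _, port = static.partition(":")
        return [(host, int(port or 88))]
    if krb5conf.get("libdefaults", {}).get("dns_lookup_kdc", False):
        return kdcs_from_srv(realm, dns)
    return []  # neither configured: kinit has no KDC to contact
```

With the [realms] stanza removed and dns_lookup_kdc left off, resolve_kdcs returns an empty list, which is the situation the question describes.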