[Freeipa-users] Problem with KRB DNS discovery (i think)

Tomasz 'Zen' Napierala tomasz.napierala at allegro.pl
Wed Nov 25 19:39:03 UTC 2009


On 2009-11-25, Wed at 19:32 +0100, Nalin Dahyabhai wrote:
> On Wed, Nov 25, 2009 at 06:42:16PM +0100, Tomasz 'Zen' Napierala wrote:
> > On 2009-11-25, Wed at 15:50 +0100, Tomasz Z. Napierala wrote:
> > > Hi,
> > > 
> > > I'm getting problems installing clients with default ipa-client-install
> > > values. Realm and domain are both discovered successfully but then after
> > > issuing kinit admin I'm getting:
> > > 
> > > kinit(v5): Cannot resolve network address for KDC in realm QXLTECH while
> > > getting initial credentials
> > > 
> > > My krb5.conf looks like this:
> > > [libdefaults]
> > >   default_realm = QXLTECH
> > >   dns_lookup_realm = true
> > >   dns_lookup_kdc = true
> > >   ticket_lifetime = 24h
> > >   forwardable = yes
> > > 
> > > [domain_realm]
> > >   .dc2 = QXLTECH
> > >   dc2 = QXLTECH
> [snip]
> > I dug a little bit deeper and straced kinit. It looks like kinit is
> > picking up the wrong domain name.
> > My realm is QXLTECH but the domain name is .dc2 or .dc3. Kinit is requesting
> > _kerberos._tcp.QXLTECH
> > How can I change it?
> 
> I wouldn't recommend trying, not exactly.  The client's doing what the
> standards say it should, but that might be confusing in cases where the
> realm name and domain name are different because the query is based on
> the realm name and not the domain name.  To understand it, it's useful
> to know that there are two kinds of DNS queries being made here:
> 
> 1. Kerberos is using DNS to figure out the name of the realm to which a
>    given host belongs, and for that it's going to use the hostname and
>    domain name to form its queries.  For the configuration you provided,
>    the records in DNS would probably look something like this:
>      _kerberos.dc2.                 IN TXT "QXLTECH"
> 
> 2. Kerberos is using DNS to get the hostname of a KDC for the realm.
>    The important detail is that it uses the realm name and not a domain
>    name to form the query, and I suspect that's what's missing in your
>    setup.  The records in DNS are regular SRV records, and they'd
>    probably look like this:
>      _kerberos._udp.qxltech.        IN SRV 0 0  88 kdc-host.dc2.
>      _kerberos._tcp.qxltech.        IN SRV 0 0  88 kdc-host.dc2.
>      _kerberos-master._udp.qxltech. IN SRV 0 0  88 kdc-host.dc2.
>      _kerberos-master._tcp.qxltech. IN SRV 0 0  88 kdc-host.dc2.
>      _kpasswd._udp.qxltech.         IN SRV 0 0 464 kdc-host.dc2.
>      _kpasswd._tcp.qxltech.         IN SRV 0 0 464 kdc-host.dc2.
> 
> It's pretty common to have the DNS domain name and the Kerberos realm
> name differ only by case (for example, "example.com" as a domain name,
> and "EXAMPLE.COM" as the realm), or to have the domain name look like a
> subdomain of the realm name (for example, "devel.example.com" for the
> domain name, "EXAMPLE.COM" for the realm) so most people end up not
> having to care that the second case uses the realm rather than the DNS
> domain name.  But it looks as though, in your configuration, you do.

Thanks for the thorough explanation, I was just thinking of examining the MIT
krb sources to figure out what is being taken into account when
requesting KDC servers from DNS. That would possibly be hard, as I'm
rather C illiterate ;)
I'll modify the DNS configuration in more thinking-friendly hours and let
you know of the outcome.
Thanks again, that sounds like my issue indeed.

Regards,
-- 
Tomasz Z. Napierała
Systems Architecture Engineer,
IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

QXL Poland sp. z o.o.
ul. Marcelińska 90, 60-324 Poznań
NIP 779-21-25-257;
District Court Poznań - Nowe Miasto i Wilda in Poznań, 8th Commercial
Division
KRS no. 0000104322
Share capital: 1.046.000 zł.
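The two lookups Nalin describes, as an added example that is not part of the thread and not MIT krb5 code: a small Python simulation over a constructed zone. `ZONE_BROKEN` models the situation in the thread (realm TXT record present, SRV records published under the DNS domain `dc2` instead of the realm), `ZONE_FIXED` adds the realm-based SRV records from Nalin's reply, and the client hostname `client1.dc2` is assumed. The resolver is a dictionary lookup, so nothing touches the network; the label-walking in `discover_realm` and the SRV ordering in `discover_kdcs` are simplifications of what the real client does.

```python
"""Simulate the two DNS lookups MIT Kerberos makes during kinit (added example,
not code from the thread or from MIT krb5). All zone data is constructed."""

# Zone as a dict keyed by (owner name, record type). Owner names are fully
# qualified and lowercase, because DNS names are case-insensitive.
# SRV data is (priority, weight, port, target).

# Constructed: the thread's situation. The realm TXT record exists, but the
# SRV records sit under the DNS domain (dc2), while kinit asks under the realm.
ZONE_BROKEN = {
    ("_kerberos.dc2.", "TXT"): ["QXLTECH"],
    ("_kerberos._udp.dc2.", "SRV"): [(0, 0, 88, "kdc-host.dc2.")],
    ("_kerberos._tcp.dc2.", "SRV"): [(0, 0, 88, "kdc-host.dc2.")],
}

# Constructed: the same zone plus the realm-based SRV records Nalin listed.
ZONE_FIXED = dict(ZONE_BROKEN)
ZONE_FIXED.update({
    ("_kerberos._udp.qxltech.", "SRV"): [(0, 0, 88, "kdc-host.dc2.")],
    ("_kerberos._tcp.qxltech.", "SRV"): [(0, 0, 88, "kdc-host.dc2.")],
    ("_kerberos-master._udp.qxltech.", "SRV"): [(0, 0, 88, "kdc-host.dc2.")],
    ("_kerberos-master._tcp.qxltech.", "SRV"): [(0, 0, 88, "kdc-host.dc2.")],
    ("_kpasswd._udp.qxltech.", "SRV"): [(0, 0, 464, "kdc-host.dc2.")],
    ("_kpasswd._tcp.qxltech.", "SRV"): [(0, 0, 464, "kdc-host.dc2.")],
})


def dns_query(zone, name, rtype):
    """Stand-in for a resolver: exact-match, case-insensitive, FQDN-normalised."""
    fqdn = name.lower().rstrip(".") + "."
    return zone.get((fqdn, rtype), [])


def discover_realm(zone, hostname):
    """Query 1 (dns_lookup_realm): TXT _kerberos.<name>, starting at the full
    hostname and walking up one label at a time until a record is found."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        answers = dns_query(zone, "_kerberos." + ".".join(labels[i:]), "TXT")
        if answers:
            return answers[0]
    raise LookupError("no _kerberos TXT record at or above " + hostname)


def discover_kdcs(zone, realm, service="_kerberos", proto="tcp"):
    """Query 2 (dns_lookup_kdc): SRV <service>._<proto>.<REALM>. The owner name
    is built from the realm, never from the client's DNS domain."""
    name = f"{service}._{proto}.{realm}"
    answers = dns_query(zone, name, "SRV")
    if not answers:
        raise LookupError(
            f"Cannot resolve network address for KDC in realm {realm} "
            f"(no SRV record at {name})")
    # Lower priority wins; within a priority, higher weight first. Simplified:
    # real clients choose randomly in proportion to weight.
    ordered = sorted(answers, key=lambda r: (r[0], -r[1]))
    return [(target, port) for _prio, _weight, port, target in ordered]


def diagnose(zone, hostname):
    """Run both lookups in kinit's order and report what the client ends up with."""
    report = {"hostname": hostname, "realm": None, "kdcs": [], "error": None}
    try:
        report["realm"] = discover_realm(zone, hostname)
        report["kdcs"] = discover_kdcs(zone, report["realm"])
    except LookupError as exc:
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    for label, zone in (("broken", ZONE_BROKEN), ("fixed", ZONE_FIXED)):
        print(label, diagnose(zone, "client1.dc2"))
```

Against `ZONE_BROKEN` the realm is found (`QXLTECH`) but the KDC lookup fails with the same wording kinit printed, because the query goes to `_kerberos._tcp.qxltech`, not `_kerberos._tcp.dc2`; against `ZONE_FIXED` it returns `kdc-host.dc2.` on port 88. On a real client the equivalent check is `dig +short TXT _kerberos.dc2.` followed by `dig +short SRV _kerberos._tcp.qxltech.`; if the second returns nothing, the realm-named SRV records are what is missing.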