
DNS lookup for resolving domain to realm mapping works... but only after I modified the source code?



Hi,

As far as I understand, heimdal-0.6 handles domain to realm mapping in two ways:
- looking up the [domain_realm] section in /etc/krb5.conf
- DNS lookup

In my case, I would like to set up DNS for cross-realm authentication, so that the Heimdal KDC will be able to resolve the hostname to realm mapping for issuing a cross-realm referral ticket to access resources in another realm.

Here is the scenario:
A client using a win2k machine named testw2k8 authenticates to LARA_HMD.COM (a Kerberos realm). Upon logon, the client wants to access resources on a computer named test_w2kserver, a win2k server machine located in LARA_W2K.COM (a win2k domain). So the client sends a request for server HOST/test_w2kserver@LARA_HMD.COM. I suppose it is the responsibility of the KDC to find out that test_w2kserver is in fact in LARA_W2K.COM and not in LARA_HMD.COM as the client has assumed. Hence, we need to specify the mapping...

I've tried the first way, by inserting the following entry under the [domain_realm] section of /etc/krb5.conf:
test_w2kserver = LARA_W2K.COM
It works fine (the client can access test_w2kserver), but I suppose that manually inserting every possible mapping is not efficient when the domain is big. Therefore, I want to use DNS. I managed to make it work BUT only after modifying some parts of the source code in lib/krb5/get_host_realm.c....

Now I'm wondering whether I'm doing the right thing and hence would like to consult you, the experts.

There are some issues that I would like to clarify:
1. According to the /etc/krb5.conf man page, in order to use DNS lookup for domain to realm mapping, we need to set dns_lookup_realm = yes. But the result of my experiment revealed that setting dns_lookup_realm to yes had no effect. The function dns_find_realm in lib/krb5/get_host_realm.c is not called at all.
Is my observation right, or am I missing some settings?

2. I tried another method, setting:
test_w2kserver = dns_locate
to force the dns_find_realm function to be called (again, it's supposed to be called by krb5_get_host_realm_int() in lib/krb5/get_host_realm.c). But it's not called! Looking at the code, I then realised that it will never be called because the use_dns parameter being passed from krb5_get_host_realm is set to 0. So the if(use_dns) statement will always return false!
I finally modified the code to set use_dns to TRUE. Is that the right way to do it?

Then it works...
In conclusion, I made it work by changing the use_dns parameter being passed from krb5_get_host_realm() to krb5_get_host_realm_int to the value 1, to bypass if(use_dns).
What do you think?

3. Is there any other way to make DNS lookup work besides setting 'computer name' = dns_locate? This will be painful if I have to do it for every computer in the domain, not to mention if there are many domains...

4. I wonder how the DNS lookup resolves the mapping?
I thought that resolving the mapping would be done this way:
_kerberos.test_w2kserver.lara_hmd.com.
_kerberos.lara_hmd.com.
_kerberos.com.

But my DNS lookup only works upon inserting the following entry in my master setup:
_kerberos.test_w2kserver.	IN	TXT	LARA_HMD.COM
In other words, the above three entries result in "server not found".

I hope that my mail is clear enough for you to
understand what I've done.

Regards,
Lara

=====
------------------------------------------------------------------------------------ 
Life, you see, is never as good or as bad as one thinks.
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
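Added example (not part of Lara's message and not Heimdal's code): a Python model of the two lookup paths the message describes, the [domain_realm] section of krb5.conf and the `_kerberos.<name>` TXT walk. The interleaving of the config and DNS walks, the use_dns and dns_lookup_realm switches, and the dns_locate behaviour are modelled after the message's description of lib/krb5/get_host_realm.c; whether they match the installed Heimdal version line for line is an assumption. The krb5.conf fragment, the in-memory "zone" of TXT records, the host names other_w2kserver, dnsonly.lara_hmd.com and fs.corp.example.com, and the realm EXAMPLE.COM are all constructed so the example runs offline.

```python
"""Model of Heimdal-style hostname-to-realm resolution.

Two sources are consulted, walking the host name one label at a time:
  1. [domain_realm] in krb5.conf: an exact host key, then ".suffix" keys;
  2. DNS TXT records: _kerberos.<host>, then _kerberos.<suffix> per label.
The DNS "zone" is a constructed dict, so nothing here touches the network.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed krb5.conf fragment (illustrative; not from the original message).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = LARA_HMD.COM
    dns_lookup_realm = yes

[domain_realm]
    # short name, exact match (the entry the message says works)
    test_w2kserver = LARA_W2K.COM
    # leading dot: every host under that domain
    .lara_w2k.com = LARA_W2K.COM
    .lara_hmd.com = LARA_HMD.COM
    # force a DNS walk for this one host (constructed name)
    dnsonly.lara_hmd.com = dns_locate
"""

# Constructed DNS zone: owner name -> TXT data (trailing dots dropped).
SAMPLE_TXT: Dict[str, str] = {
    "_kerberos.other_w2kserver": "LARA_W2K.COM",
    "_kerberos.dnsonly.lara_hmd.com": "LARA_W2K.COM",
    "_kerberos.example.com": "EXAMPLE.COM",
}

TxtLookup = Callable[[str], Optional[str]]
Hit = Tuple[str, str]  # (realm, where it was found)


def sample_txt_lookup(name: str) -> Optional[str]:
    """Stand-in for a TXT query against the constructed zone."""
    return SAMPLE_TXT.get(name.lower().rstrip("."))


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return the [domain_realm] key/value pairs with keys lower-cased."""
    mapping: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def dns_candidates(host: str) -> List[str]:
    """_kerberos.<host>, then drop one leading label per step."""
    labels = host.lower().rstrip(".").split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def dns_find_realm(host: str, lookup: TxtLookup) -> Optional[Hit]:
    """Walk the TXT names for host; return (realm, name) on the first hit."""
    for name in dns_candidates(host):
        realm = lookup(name)
        if realm:
            return realm, "dns:" + name
    return None


def get_host_realm(host: str, conf_map: Dict[str, str], lookup: TxtLookup,
                   use_dns: bool = True, dns_lookup_realm: bool = True) -> Optional[Hit]:
    """Resolve host to a realm; config and DNS are tried suffix by suffix."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        key = suffix if i == 0 else "." + suffix
        configured = conf_map.get(key)
        if configured is not None and configured.lower() != "dns_locate":
            return configured, "config:" + key
        if configured is not None:          # dns_locate: walk DNS from the full host
            if use_dns:
                hit = dns_find_realm(host, lookup)
                if hit:
                    return hit
            continue                        # use_dns off: fall through to shorter keys
        if use_dns and dns_lookup_realm:    # no config entry: try _kerberos.<suffix>
            realm = lookup("_kerberos." + suffix)
            if realm:
                return realm, "dns:_kerberos." + suffix
    return None


if __name__ == "__main__":
    conf = parse_domain_realm(SAMPLE_KRB5_CONF)
    for name, dns in [("test_w2kserver", False), ("other_w2kserver", False),
                      ("other_w2kserver", True), ("fs.corp.example.com", True)]:
        print(f"{name:24s} use_dns={dns!s:5s} -> {get_host_realm(name, conf, sample_txt_lookup, use_dns=dns)}")
```

The use_dns=False runs reproduce the failure mode in the message: a host with no [domain_realm] entry resolves to nothing at all, and a dns_locate entry is simply skipped in favour of the next shorter key. With a dotless host name the DNS walk has a single candidate, `_kerberos.<host>`; the dotted names only appear when the host name itself carries the domain suffix.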
