
Re: DNS lookup for resolving domain to realm mapping works...but only after I modified the source code ?



Hi Johan,
 
I haven't managed to make the client machine send a request for the server's FQDN :-(
To simulate the scenario you described in the previous mail, I added a child domain of LARA_W2K.COM (a w2k domain and realm) called WIN.LARA_W2K.COM. A computer named test-machine is a member of WIN.LARA_W2K.COM, so the FQDN of this computer is test-machine.WIN.LARA_W2K.COM (as indicated in the properties of My Computer as Full Computer Name). Unfortunately, when another w2k machine which has authenticated to LARA_HMD.COM (a Kerberos realm) wants to access test-machine, the request is still sent as host/test-machine@LARA_HMD and not host/test-machine.WIN.LARA_W2K.COM !
 
How do I make the client machine indicate the server's FQDN in its request to its KDC ? Are there any specific settings that need to be done on the client machine ?
 
> Suppose there are two domains served by your realm, foo.com and
> bar.com. Now your client asks for host/test_w2kserver. How should the
> KDC know which of test_w2kserver.foo.com and test_w2kserver.bar.com is
> meant (assuming both exist)?
Do test_w2kserver.foo.com and test_w2kserver.bar.com refer to two different machines ?
-lara-

Johan Danielsson <joda@pdc.kth.se> wrote:
Lara Adianto writes:

> I read somewhere that the client is the one who's supposed to
> determine the realm of the server, but someone from MIT kerberos
> mailing list told me that microsoft changed the mechanism by assuming
> at the beginning that the server is in the same realm as the
> client. In this way, the client ALWAYS sends a request to its KDC with
> server target's realm equal to its own realm. and it is the KDC who
> must correct the client by issuing a cross-realm referral to the right
> realm

Yes.

> But if that's the way, how can heimdal kerberos handle windows'
> clients who always assume the server is in their own realm ?

By configuration in /etc/krb5.conf.

> I currently only use 2 realms: a Kerberos realm and a Windows
> realm. Both of them are in a different domain.

But then can't you:

[domain_realm]
.non.windows.domain = NON.WINDOWS.REALM
.windows.domain = WINDOWS.REALM

on your KDC?

> Exactly, my client asks for host/test_w2kserver@REALM. Isn't it
> supposed to work this way ?

No, it should ask for the FQDN (fully qualified domain name) of the
server. I suppose this is a windows feature too.

> What do you mean by incomplete domain anyway ? I'm quite new to this
> whole concept of kerberos & dns

Suppose there are two domains served by your realm, foo.com and
bar.com. Now your client asks for host/test_w2kserver. How should the
KDC know which of test_w2kserver.foo.com and test_w2kserver.bar.com is
meant (assuming both exist)?

/Johan


------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks!
 - Guy de Maupassant -
------------------------------------------------------------------------------------
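The [domain_realm] lookup Johan describes, as an added example that is not part of the thread and not Heimdal code: a small Python script that parses a constructed krb5.conf fragment (modelled on the stanza in Johan's mail, using the domain and realm names from the thread), resolves a server name to a realm with the standard domain_realm rules (an exact host entry first, then the most specific parent domain written with a leading dot), and shows why the short name in Lara's request, host/test-machine, cannot be routed to a realm while the FQDN can. The config contents, the host names and the referral_realm helper are assumptions made for illustration.

```python
import re
from typing import Dict, Optional

# Constructed krb5.conf fragment (not from the thread) in the shape of the
# [domain_realm] stanza Johan suggests; the DNS names are lower-cased, as
# Kerberos compares them case-insensitively, while realm names stay upper-case.
KRB5_CONF = """
[libdefaults]
    default_realm = LARA_HMD.COM

[domain_realm]
    .lara_hmd.com = LARA_HMD.COM
    .lara_w2k.com = LARA_W2K.COM
    .win.lara_w2k.com = LARA_W2K.COM
    kdc.lara_hmd.com = LARA_HMD.COM
"""


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return the [domain_realm] key/value pairs with DNS names lower-cased.

    Minimal parser for the flat 'key = value' stanza form used in the mail;
    it ignores other sections and '#' comments.
    """
    mapping: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def realm_for_host(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Map a server's DNS name to a realm using [domain_realm] semantics:
    an exact host entry wins, otherwise the most specific parent domain
    entry written with a leading dot (which covers that domain and its
    subdomains). An unqualified name carries no domain at all, so it maps
    to nothing: that is the ambiguity Johan points out."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # For a.win.lara_w2k.com try ".win.lara_w2k.com", ".lara_w2k.com", ".com".
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def referral_realm(client_realm: str, server_host: str,
                   mapping: Dict[str, str]) -> Optional[str]:
    """Hypothetical helper: given a request that names the server in the
    client's own realm (the Windows behaviour discussed above), return the
    realm the KDC would have to refer the client to, or None when the name
    already belongs to the client's realm or cannot be mapped at all."""
    target = realm_for_host(server_host, mapping)
    if target is None or target == client_realm:
        return None
    return target


MAPPING = parse_domain_realm(KRB5_CONF)

if __name__ == "__main__":
    for host in ("test-machine", "test-machine.win.lara_w2k.com",
                 "kdc.lara_hmd.com"):
        print(f"host/{host}@LARA_HMD.COM -> referral to "
              f"{referral_realm('LARA_HMD.COM', host, MAPPING)}")
```

Running it prints a referral target only for the fully qualified name in the Windows child domain; the bare name test-machine gives None because no suffix exists to match against, which is exactly why the KDC cannot choose between test_w2kserver.foo.com and test_w2kserver.bar.com in Johan's example.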

