[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DNS lookup for resolving domain to realm mapping works...but only after I modified the source code ?

This is an excerpts from a paper by Jonathan Trostle,
Irina Kosinovsky and Michael Swift, titled
Implementation of Crossrealm Referral Handling in the
MIT Kerberos Client: 

"Short names are the names users sometimes input to
iden- tify servers. For example, "telnet foo" could be
short for "telnet foo.example.org". The client is then
left with two options: send the short name to the KDC,
or perform a limited amount of name canonicaliza- tion
locally. The MIT Kerberos approach to
name-canonicalization solves the problem of obtaining
the long name by using DNS reverse lookups. Unfortu-
nately, this approach depends on the security of DNS. 
The Windows 2000 client does not canonicalize names at
all, so the short name is sent to the KDC. 
(In the Windows 2000 case, this design decision was
driven by the desire for backwards compatibility with
Net- bios which has a flat namespace of hostnames,
thus increasing the chances that short names are

Any comments ? I supposed that in this case it is
really the responsibility of KDC to resolve the
'finding the correct realm' issue. I'm still clueless
how this is done by the Heimdal KDC...
Creating a one to one mapping between each server's
short name and the realm (either in DNS or krb5.conf)
will do but this approache will requires a large
amount of work to do.

Perhaps somebody who has worked this out can give me a
hints ?


--- Johan Danielsson <joda@pdc.kth.se> wrote:
> Lara Adianto <m1r4cle_26@yahoo.com> writes:
> > Unfortunately, when another w2k machine which has
> authenticated to
> > LARA_HMD.COM (a Kerberos realm) wants to access
> test-machine, the
> > request is still sent as
> host/test-machine@LARA_HMD and not
> > host/test-machine.WIN.LARA_W2K.COM !
> I'm afraid I know too little about how windows
> works, but when you say
> you've create a child domain, does that mean that
> you've clicked on
> some "create child domain" button somewhere, or did
> you created it
> from scratch? I suppose that in the former case, the
> domain controller
> somehow thinks it knows things about this other
> domain. But like I
> said, I really have no clue.
> > How to make the client machine indicates the
> server's FQDN in its
> > request to its KDC ? Is there any specific
> settings need to be done
> > on client machine ?
> I have no idea.
> >> Suppose there's two domain served by your realm
> foo.com and
> >> bar.com. Now your client asks for
> host/test_w2kserver. How should
> >> the KDC know which of test_w2kserver.foo.com and
> >> test_w2kserver.bar.com is meant (assuming both
> exist)?
> > Does test_w2kserver.foo.com and
> test_w2kserver.bar.com refer to two
> > different machines ? 
> Well yes, but it doesn't really matter. Neither the
> client nor the KDC
> can know if they are in fact the same physical
> machine or not.
> /Johan

La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
                                                                        - Guy de Maupassant -

Do you Yahoo!?
Yahoo! Small Business $15K Web Design Giveaway