Re: domain to realm mappings and DNS (probably a bug)

On Thu, 22 Apr 2004, Henry B. Hotz wrote:

> >>> However, if I give it a realm it ignores the lookup and thus if I
> >>
> >> I think you are describing correct behavior.  If you tell it what
> >> realm
> >> to use you don't want it doing a DNS lookup behind your back (and
> >> getting info from a spoofed DNS).
> >
> > Well, since it gets the info on which servers to contact using DNS,
> > why not get the info on what the real realm name is from the DNS???
> Because if you are doing a kinit on machine home.dsl.net how is it to
> know that you want a ticket from the WORK.COM realm?

Because I say "kauth/kinit someone@work.com" ?

Given that there are no entries in files it will do DNS lookups in the
work.com DNS-domain to find the kerberos server to talk to. Given that
it's going to make the mapping to the kerberos servers, what's the
fault in doing the lookup to make the mapping to the correct realm?

I.e., the behaviour I find reasonable is
* User wants a ticket for someone@realm
* If realm isn't mentioned in config and DNS-queries are enabled, do
  DNS lookup of real realm name
* Ask user for the password (prompting the obtained realm name)
* Proceed with lookups for kerberos servers as the current code (i.e.
  from config or fallback to DNS).

This way I can't see why it should hurt anyone that has realm mapping
in their krb5.conf, and it should be less confusing for the occasional

 Niklas Edmundsson, Admin @ {acc,hpc2n,ing}.umu.se    |   nikke@acc.umu.se
 Yes dear, one more star WILL fit on that collar
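The resolution order proposed in the message above (config mapping first, DNS only when the config is silent and DNS lookups are enabled, otherwise use the realm as typed), as an added example that is not code from the thread or from Heimdal/MIT Kerberos. It assumes the conventional `_kerberos.<domain>` TXT record for domain-to-realm mapping and stands in for krb5.conf and DNS with constructed in-memory data; the `[domain_realm]` matching is simplified to exact host, then parent domains with a leading dot.

```python
"""Realm resolution for a principal: config first, DNS second, as-given last.
Added example; it is not the thread's or any Kerberos implementation's code.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for a krb5.conf [domain_realm] section.
DOMAIN_REALM: Dict[str, str] = {
    ".corp.example.net": "CORP.EXAMPLE.NET",
    "corp.example.net": "CORP.EXAMPLE.NET",
}

# Constructed stand-in for DNS: TXT records keyed by owner name.
FAKE_TXT: Dict[str, List[str]] = {"_kerberos.work.com": ["WORK.COM"]}


def fake_txt_lookup(name: str) -> List[str]:
    """Hypothetical resolver hook; a real one would query DNS for TXT."""
    return FAKE_TXT.get(name.lower(), [])


def realm_from_config(domain: str, mapping: Dict[str, str]) -> Optional[str]:
    """Exact name first, then each parent domain with a leading dot (simplified)."""
    name = domain.lower().rstrip(".")
    if name in mapping:
        return mapping[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def realm_from_dns(domain: str, txt_lookup: Callable[[str], List[str]]) -> Optional[str]:
    """Walk _kerberos.<name> up the tree; the answer is unauthenticated."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        for txt in txt_lookup("_kerberos." + ".".join(labels[i:])):
            return txt.strip()
    return None


def resolve_realm(principal: str, mapping: Dict[str, str] = DOMAIN_REALM,
                  dns_enabled: bool = True,
                  txt_lookup: Callable[[str], List[str]] = fake_txt_lookup) -> Tuple[str, str]:
    """Return (realm, source); source tells the prompt where the realm came from."""
    _user, _, realm_part = principal.partition("@")
    if not realm_part:
        raise ValueError("principal has no realm part")
    realm = realm_from_config(realm_part, mapping)
    if realm:
        return realm, "config"
    if dns_enabled:                       # step 2 of the proposed behaviour
        realm = realm_from_dns(realm_part, txt_lookup)
        if realm:
            return realm, "dns"           # show this in the password prompt
    return realm_part, "as-given"         # current behaviour: trust what was typed
```

Showing the source next to the realm in the password prompt is what lets a user notice a DNS-derived realm that differs from the one they typed.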