[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: domain to realm mappings and DNS (probably a bug)
On Apr 22, 2004, at 10:40 PM, Niklas Edmundsson wrote:
> On Thu, 22 Apr 2004, Henry B. Hotz wrote:
>>>>> However, if I give it a realm it ignores the lookup and thus if I
>>>> I think you are describing correct behavior. If you tell it what
>>>> realm to use you don't want it doing a DNS lookup behind your back
>>>> getting info from a spoofed DNS).
>>> Well, since it gets the info on which servers to contact using DNS,
>>> why not get the info on what the real realm name is from the DNS???
>> Because if you are doing a kinit on machine home.dsl.net how is it to
>> know that you want a ticket from the WORK.COM realm?
> Because I say "kauth/kinit firstname.lastname@example.org" ?
Hmmm. I didn't keep your original post around. I thought you were
complaining about it not finding the realm when you *didn't* tell it
the realm. If you tell it the realm it should skip the TXT record
lookup to find out the realm because you already told it. It *should*
still do a DNS lookup for the specific service you want (kpasswd,
kadmin or normal auth), though the examples I've seen were Sun and MIT
code. (Presuming no entries in krb5.conf.)
> Given that there are no entries in files it will do DNS lookups in the
> work.com DNS-domain to find the kerberos server to talk to. Given that
> it's going to make the mapping to the kerberos servers, what's the
> fault in doing the lookup to make the mapping to the correct realm?
> Ie, the behaviour I find reasonable is
> * User wants a ticket for someone@realm
> * If realm isn't mentioned in config and DNS-queries are enabled, do
> DNS lookup of real realm name
This point doesn't make sense to me. The real realm is what you told
it. That's someone@realm, not someone@domain that you typed after all.
The only lookup is for where the kdc(s) for realm is(are), not what
the realm is.
> * Ask user for the password (prompting the obtained realm name)
> * Proceed with lookups for kerberos servers as the current code (ie
> from config or fallback to DNS).
> This way I can't see why it should hurt anyone that has realm mapping
> in their krb5.conf, and it should be less confusing for the occasional
Well, *I'm* confused. ;-)
In the ideal world realm == domain so it's a non-issue.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or email@example.com