[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: domain to realm mappings and DNS (probably a bug)

On Apr 22, 2004, at 10:40 PM, Niklas Edmundsson wrote:

> On Thu, 22 Apr 2004, Henry B. Hotz wrote:
>>>>> However, if I give it a realm it ignores the lookup and thus if I
>>>> I think you are describing correct behavior.  If you tell it what
>>>> realm to use you don't want it doing a DNS lookup behind your back  
>>>> (and
>>>> getting info from a spoofed DNS).
>>> Well, since it gets the info on which servers to contact using DNS,
>>> why not get the info on what the real realm name is from the DNS???
>> Because if you are doing a kinit on machine home.dsl.net how is it to
>> know that you want a ticket from the WORK.COM realm?
> Because I say "kauth/kinit someone@work.com" ?

Hmmm.  I didn't keep your original post around.  I thought you were  
complaining about it not finding the realm when you *didn't* tell it  
the realm.  If you tell it the realm it should skip the TXT record  
lookup to find out the realm because you already told it.  It *should*  
still do a DNS lookup for the specific service you want (kpasswd,  
kadmin or normal auth), though the examples I've seen were Sun and MIT  
code.  (Presuming no entries in krb5.conf.)

> Given that there are no entries in files it will do DNS lookups in the
> work.com DNS-domain to find the kerberos server to talk to. Given that
> it's going to make the mapping to the kerberos servers, what's the
> fault in doing the lookup to make the mapping to the correct realm?
> Ie, the behaviour I find reasonable is
> * User wants a ticket for someone@realm
> * If realm isn't mentioned in config and DNS-queries are enabled, do
>   DNS lookup of real realm name

This point doesn't make sense to me.  The real realm is what you told  
it.  That's someone@realm, not someone@domain that you typed after all.  
  The only lookup is for where the kdc(s) for realm is(are), not what  
the realm is.

> * Ask user for the password (prompting the obtained realm name)
> * Proceed with lookups for kerberos servers as the current code (ie
>   from config or fallback to DNS).
> This way I can't see why it should hurt anyone that has realm mapping
> in their krb5.conf, and it should be less confusing for the occasional
> user...

Well, *I'm* confused.  ;-)

In the ideal world realm == domain so it's a non-issue.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu