
Re: kpasswd failed to lookup password server from DNS SRV



Hi Mike,

 > Do you have an A record for kerberos.bogus.example.com?
 >
 > In practice I don't recall seeing kpasswd actually use _kpasswd._udp.REALM
 > to lookup the kpasswd server. It just uses the kdc according to the
 > krb5.conf. And if that's not set it will try _kerberos._udp.REALM.
 >
 > Is there a firewall in the way?
 >
 > The quickest way to find out what's going on is to get a capture.
 >
 > Mike

Yes, I did add DNS A record kerberos.bogus.example.com. There is no 
firewall in between :-

; <<>> DiG 9.3.2 <<>> kerberos.bogus.example.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23139
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;kerberos.bogus.example.com.    IN    A

;; ANSWER SECTION:
kerberos.bogus.example.com. 53960 IN    CNAME    zeta.example.com.
zeta.example.com.    53960    IN    A    210.17.184.72

;; Query time: 2 msec
;; SERVER: 210.17.184.65#53(210.17.184.65)
;; WHEN: Sun Jun 15 09:59:16 2008
;; MSG SIZE  rcvd: 78


I also tried to change password on the KDC by using kpasswd, and it also 
failed. The KDC log follows :-

2008-06-15T00:54:19 label: default
2008-06-15T00:54:19     dbname: /var/heimdal/heimdal
2008-06-15T00:54:19     mkey_file: /var/heimdal/m-key
2008-06-15T00:54:19     acl_file: /var/heimdal/kadmind.acl
2008-06-15T00:54:19 listening on IPv6:::1 port 88/udp
2008-06-15T00:54:19 listening on IPv6:::1 port 88/tcp
2008-06-15T00:54:19 listening on IPv4:127.0.0.1 port 88/udp
2008-06-15T00:54:19 listening on IPv4:210.17.184.72 port 88/udp
2008-06-15T00:54:19 listening on IPv4:127.0.0.1 port 88/tcp
2008-06-15T00:54:19 listening on IPv4:210.17.184.72 port 88/tcp
2008-06-15T00:54:19 KDC started
2008-06-15T09:49:08 AS-REQ jmok/admin@BOGUS.EXAMPLE.COM from 
IPv4:210.17.184.72 for kadmin/changepw@BOGUS.EXAMPLE.COM
2008-06-15T09:49:08 No preauth found, returning PREAUTH-REQUIRED -- 
jmok/admin@BOGUS.EXAMPLE.COM
2008-06-15T09:49:08 sending 477 bytes to IPv4:210.17.184.72
2008-06-15T09:49:08 AS-REQ jmok/admin@BOGUS.EXAMPLE.COM from 
IPv4:210.17.184.72 for kadmin/changepw@BOGUS.EXAMPLE.COM
2008-06-15T09:49:08 Client sent patypes: encrypted-timestamp
2008-06-15T09:49:08 Looking for PKINIT pa-data -- 
jmok/admin@BOGUS.EXAMPLE.COM
2008-06-15T09:49:08 Looking for ENC-TS pa-data -- 
jmok/admin@BOGUS.EXAMPLE.COM
2008-06-15T09:49:08 ENC-TS Pre-authentication succeeded -- 
jmok/admin@BOGUS.EXAMPLE.COM using aes256-cts-hmac-sha1-96
2008-06-15T09:49:08 Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, 
des-cbc-md5, des-cbc-md4, des-cbc-crc
2008-06-15T09:49:08 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2008-06-15T09:49:08 AS-REQ authtime: 2008-06-15T09:49:08 starttime: 
unset endtime: 2008-06-15T09:54:08 renew till: unset
2008-06-15T09:49:08 sending 678 bytes to IPv4:210.17.184.72

Thanks a lot.

John Mok
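As an added illustration (not code from this thread or from Heimdal), the following Python models the server lookup order Mike describes, a `kdc` entry in krb5.conf first and a DNS SRV record only when that is absent, and then follows the CNAME chain that the dig output above shows for kerberos.bogus.example.com. The krb5.conf fragment and the DNS answer table are constructed, the resolver is a plain callback so it runs offline, and the exact order (and the `_kpasswd._udp` probe before `_kerberos._udp`) is an assumption for the model, not a statement of what Heimdal's kpasswd actually does.

```python
import re
# Constructed krb5.conf fragment and DNS answers (not the poster's real setup);
# a "resolver" here is any function (qname, rrtype) -> list of rdata strings.
KRB5_CONF = "[realms]\n BOGUS.EXAMPLE.COM = {\n  kdc = kerberos.bogus.example.com\n }\n"
DNS = {("_kerberos._udp.BOGUS.EXAMPLE.COM", "SRV"): ["0 0 88 kerberos.bogus.example.com."],
       ("kerberos.bogus.example.com", "CNAME"): ["zeta.example.com."],
       ("zeta.example.com", "A"): ["210.17.184.72"]}

def fake_resolve(qname, rrtype):
    return DNS.get((qname.rstrip("."), rrtype), [])

def realm_settings(conf_text, realm):
    """Collect key = value lines from the realm's { } block under [realms]."""
    settings, section, in_block = {}, None, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, in_block = line[1:-1].lower(), False
        elif not line or section != "realms":
            continue
        elif not in_block:
            m = re.match(r"(\S+)\s*=\s*\{$", line)
            in_block = bool(m) and m.group(1) == realm
        elif line == "}":
            in_block = False
        else:
            key, _, value = line.partition("=")
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def find_kpasswd_server(conf_text, realm, resolve):
    """Assumed order: krb5.conf 'kdc' first, then DNS SRV. Returns (source, host)."""
    kdcs = realm_settings(conf_text, realm).get("kdc")
    if kdcs:
        return "krb5.conf", kdcs[0].split(":")[0]
    for name in (f"_kpasswd._udp.{realm}", f"_kerberos._udp.{realm}"):
        records = resolve(name, "SRV")
        if records:  # rdata is "priority weight port target"; lowest priority wins
            best = min(records, key=lambda r: int(r.split()[0]))
            return name, best.split()[3].rstrip(".")
    return None, None  # nothing configured and no SRV record: kpasswd has no server

def resolve_address(host, resolve, max_cnames=4):
    """Follow a CNAME chain (as the dig output above shows) to an A record, or []."""
    for _ in range(max_cnames + 1):
        addrs, cname = resolve(host, "A"), resolve(host, "CNAME")
        if addrs or not cname:
            return addrs
        host = cname[0].rstrip(".")
    return []
```

Run against a real environment by replacing `fake_resolve` with a function that issues the actual DNS queries; an empty result from `resolve_address` for the chosen host is the condition worth checking before looking for a firewall.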