[37987] in Kerberos


Re: Kerberos on Mac

daemon@ATHENA.MIT.EDU (Todd Grayson)
Mon May 15 13:42:46 2017

MIME-Version: 1.0
In-Reply-To: <c508046d-198b-7b57-2e04-f61c3ee36924@mit.edu>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Mon, 15 May 2017 11:42:03 -0600
Message-ID: <CALNT6MWVCK6Mdxx9DoM_bQoPcpxDjhG9UPaCPxuG-XAon0tpXQ@mail.gmail.com>
To: Matt Darwin <mattdarwin@gmail.com>
Cc: "kerberos@MIT.EDU" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

I would work to get forward/reverse DNS consistent rather than attempting
to configure around this.

But for reference's sake, the JGSS catalog of its supported settings is here:
"Supported krb5.conf Settings"
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html

rdns is not available; there is a "noaddresses" setting, but that seems to be more
for NAT handling.


On Mon, May 15, 2017 at 10:56 AM, Greg Hudson <ghudson@mit.edu> wrote:

> On 05/15/2017 06:43 AM, Matt Darwin wrote:
> > So it looks like the client is sending
> >
> > oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
> >
> > as the SnameString (presumably the SPN), when it should be sending:
> >
> > d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
>
> I don't appear to have access to your DNS information from here.  My
> guess is that oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com is the
> result of a PTR query on the IP address of the server, while
> d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com is the preferred forward record
> name.
>
> If I'm right about that, what you're looking for is a way to get the JVM
> Kerberos implementation to suppress the reverse DNS lookup when
> canonicalizing the server name.  In MIT krb5, that would be accomplished
> with the "rdns" setting in krb5.conf; for details, see:
>
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html
>
> It's possible that the same setting might work for the Java
> implementation, but I'm not certain.
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

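The mismatch Greg describes (forward record name versus PTR name) and the effect of the rdns switch, as an added Python model; this is not code from the thread, from MIT krb5 or from JGSS. The DNS entries are a constructed in-memory table built from the two hostnames quoted above; the address 10.252.134.51 is an assumption read off the PTR-style name, and the krb5.conf fragment is constructed. It shows which service principal a client would ask the KDC for with rdns on and off, and implements the forward/reverse consistency check Todd recommends.

```python
"""Model of Kerberos service-name canonicalization with and without rdns.

Added example for this thread; not code from MIT krb5, JGSS, or any poster.
The resolver below is a constructed in-memory table built from the two
hostnames quoted in the thread; the address 10.252.134.51 is an assumption
inferred from the PTR-style name.  The steps mirror the behaviour documented
for MIT krb5 in princ_dns.html: forward-resolve the hostname, then, when
rdns is enabled, replace it with the PTR name of the resulting address.
"""

# Constructed forward (A) and reverse (PTR) records.
FORWARD = {
    "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com": "10.252.134.51",
}
REVERSE = {
    "10.252.134.51": "oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com",
}

# Constructed krb5.conf fragment carrying the setting Greg points to.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = false
"""


def libdefault(conf_text, key):
    """Return the value of `key` from [libdefaults], or None if unset.

    Minimal line-oriented parser: enough for the flat key = value lines of
    [libdefaults]; it does not handle the brace subsections of [realms].
    """
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name.lower() == key.lower():
                return value
    return None


def rdns_enabled(conf_text):
    """True unless rdns is explicitly set to a false value (assumption: on when unset)."""
    value = libdefault(conf_text, "rdns")
    if value is None:
        return True
    return value.lower() not in ("false", "no", "0", "off")


def canonicalize(hostname, rdns=True, forward=FORWARD, reverse=REVERSE):
    """Hostname the client will put into the service principal name."""
    name = hostname.rstrip(".").lower()
    addr = forward.get(name)
    if addr is None:
        raise LookupError(f"no forward record for {name}")
    if rdns:
        ptr = reverse.get(addr)
        if ptr:
            name = ptr.rstrip(".").lower()   # PTR name wins when rdns is on
    return name


def service_principal(service, hostname, realm, rdns=True, **resolver):
    return f"{service}/{canonicalize(hostname, rdns, **resolver)}@{realm}"


def dns_consistent(hostname, forward=FORWARD, reverse=REVERSE):
    """Todd's recommendation as a check: does the PTR of the A record point back?"""
    name = hostname.rstrip(".").lower()
    addr = forward.get(name)
    ptr = reverse.get(addr) if addr else None
    return ptr is not None and ptr.rstrip(".").lower() == name


if __name__ == "__main__":
    host = "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com"
    for flag in (True, False):
        print(f"rdns={flag}: {service_principal('host', host, 'EXAMPLE.COM', flag)}")
    print("forward/reverse consistent:", dns_consistent(host))
    print("rdns enabled by krb5.conf:", rdns_enabled(KRB5_CONF))
```

With the thread's records, rdns on yields host/oc-10-252-134-51.nat-...@REALM and rdns off yields host/d59407.ddapoc...@REALM; only the latter has a keytab entry on the server, which is why the exchange fails. Against real DNS the same check is `dig +short <name>` followed by `dig +short -x <address>`. Whichever way it is fixed, keep in mind that a client canonicalizing through DNS requests a ticket for whatever name the resolver hands back, so the integrity of the forward and reverse zones is part of the trust boundary.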