[38148] in Kerberos
RE: FW: Kerberos question/bug
daemon@ATHENA.MIT.EDU (William HARDY)
Fri Dec 29 10:39:44 2017
Message-ID: <0WU860Z18YRAX6-01@mg01001.pictet.com>
From: "William HARDY" <whardy@pictet.com>
To: "Greg Hudson" <ghudson@mit.edu>, "'kerberos@mit.edu'" <kerberos@mit.edu>
Date: Fri, 29 Dec 2017 07:38:37 +0000
Hi Greg,

Many thanks for taking the time to answer my question.

The reason I ask is because we have a case where two different browsers set different names in the "KerberosString" / server host field. One sets the actual FQDN corresponding to the Host A record of the server. The other uses a CNAME associated to the Host A record; the behavior seems quite random.

If I understand your email, RFC 4120 does not specify what needs to be placed in here (Host A, CNAME etc.); it is up to the browser editor to decide what is placed into this field, right?

Thanks,
William
-----Original Message-----
From: Greg Hudson [mailto:ghudson@mit.edu]
Sent: Thursday 28 December 2017 20:44
To: William HARDY <whardy@pictet.com>; 'kerberos@mit.edu' <kerberos@mit.edu>
Subject: Re: FW: Kerberos question/bug
On 12/28/2017 02:18 AM, William HARDY wrote:
> What is supposed to be in the TGS-REQ
> (Kerberos->tgs-req->req-body->sname->name-string->KerberosString: ? )

sname contains the server principal name. RFC 4120 describes the protocol in detail.

> It seems that from the same machine (resolving on the same DNS servers), the contents of this field differs in a Wireshark capture depending on the application used even though the destination server is the same. What is supposed to be in the "KerberosString" field? What determines the content of this field?

It is common for server principal names to have two components (two KerberosStrings in the name-string sequence), where the first names the application protocol and the second names the server host. So the first component might be "host" (typically for ssh) or "ldap" or "HTTP", and the second is the FQDN of the server host.
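As an added illustration (not code from the thread or from MIT Kerberos), the following Python models the behaviour William describes: the same URL yields a different second name-string component depending on whether the client canonicalizes the host through its CNAME before building the HTTP/host service principal. The DNS table, hostnames, realm and function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-in for DNS: a CNAME pointing at a host with an A record.
CNAMES = {"intranet.example.com": "web01.corp.example.com"}
A_RECORDS = {"web01.corp.example.com": "10.0.0.5"}


def canonical_host(host, cnames=CNAMES, a_records=A_RECORDS, max_hops=8):
    """Follow CNAMEs until a name with an A record is reached, as a
    canonicalizing client does before forming the service principal.
    Guards against CNAME loops and overly long chains."""
    seen = set()
    while host in cnames:
        if host in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {host}")
        seen.add(host)
        host = cnames[host]
    if host not in a_records:
        raise LookupError(f"no A record for {host}")
    return host


def service_principal(url, canonicalize, realm="EXAMPLE.COM"):
    """Return the two-component name-string (list of KerberosStrings) and
    the printed principal for an HTTP URL. With canonicalize=False the
    hostname typed in the URL (possibly a CNAME) is used as-is; with
    canonicalize=True the A-record FQDN is used instead."""
    host = urlsplit(url).hostname.lower().rstrip(".")
    if canonicalize:
        host = canonical_host(host)
    name_string = ["HTTP", host]          # sname.name-string
    return name_string, "/".join(name_string) + "@" + realm


def required_keytab_entries(url, realm="EXAMPLE.COM"):
    """Principals the web server must hold keys for so that tickets from
    both kinds of client (canonicalizing or not) can be decrypted."""
    return sorted({service_principal(url, c, realm)[1] for c in (False, True)})
```

Registering both principals in the service keytab (or removing the CNAME) is what makes the apparently random browser behaviour harmless.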
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos