[30443] in Kerberos


Re: kinit ignores kdc in config file on Mac 10.5

daemon@ATHENA.MIT.EDU (petesea@bigfoot.com)
Thu Nov 13 12:49:15 2008

Date: Thu, 13 Nov 2008 09:47:38 -0800 (PST)
From: petesea@bigfoot.com
In-reply-to: <ldvy6zntx2y.fsf@cathode-dark-space.mit.edu>
To: Tom Yu <tlyu@mit.edu>
Message-id: <alpine.OSX.1.10.0811130908140.11904@zippy-air>
MIME-version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, 13 Nov 2008, Tom Yu wrote:

> petesea@bigfoot.com writes:
>
>> I have a user with a Mac 10.5 system and it SEEMS like kinit is 
>> ignoring the kdc entries in the config file.  Instead it APPEARS to do 
>> a DNS query for the realm and then uses the A records returned and 
>> sends the kerberos
>
> Does it look up the A record for the realm name, instead of looking up 
> the SRV record for the realm name?

Yes... A, not SRV.  Oddly, the exact case of the realm it queries is 
mixed, e.g.:  COMPANY.com, instead of COMPANY.COM.  The config file only 
uses all uppercase for the realm name and all lowercase for the domain 
name in the [domain_realm] section, it never uses mixed case.

I started tcpdump restricting the capture filter to only ports 88 
(Kerberos) and 53 (DNS), then ran kinit.  The tcpdump capture shows:

   - A query for an A record for the realm name by the client
   - A response from the DNS server with 4 IP addresses
   - An "AS-REQ" from the client to the 1st IP address
   - After 1 sec an "AS-REQ" from the client to the 2nd IP address
   - After 1 sec an "AS-REQ" from the client to the 3rd IP address
   - After 1 sec an "AS-REQ" from the client to the 4th IP address
   - After 7 secs a 2nd "AS-REQ" from the client to the 1st IP address
   - After 1 sec a 2nd "AS-REQ" from the client to the 2nd IP address
   - After 1 sec a 2nd "AS-REQ" from the client to the 4th IP address
   - After 5 secs a 3rd "AS-REQ" from the client to the 1st IP address
   - After 1 sec a 3rd "AS-REQ" from the client to the 2nd IP address
   - After 1 sec a 3rd "AS-REQ" from the client to the 4th IP address

There is no response to any of the AS-REQ packets.  At this point the 
kinit command fails with:

   Kerberos Login Failed: Cannot contact any KDC for requested realm

> Which config files are you changing?  There are several that could
> affect the result.

~/Library/Preferences/edu.mit.Kerberos.  I added the following lines to 
the "[libdefaults]" section:

   dns_lookup_kdc = false
   dns_lookup_realm = false
   dns_fallback = false

I've also made sure all of the following do NOT exist:

   /Library/Preferences/edu.mit.Kerberos
   /etc/krb5.conf
   /usr/etc/krb5.conf
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
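The symptom in this thread (a client falling back to DNS A lookups and sending AS-REQs to addresses that are not the configured KDCs, while `dns_lookup_kdc = false` is set) is easy to confirm from a capture once you compare the packet destinations against the KDC list in the config. The script below is an added example, not code from the thread or from MIT Kerberos: it parses a minimal krb5.conf-style file, then checks a list of simplified packet summary lines (a constructed format, not real tcpdump output) for A queries on the realm name, realm-name case mismatches, and AS-REQs to non-configured addresses. The realm, hostnames and IP addresses are all constructed sample values, and the KDC hostname-to-IP mapping is assumed to be resolved out of band so the example runs offline.

```python
"""Check whether a Kerberos client honours its configured KDC list.

Added example (not from the mailing-list thread). Input is a krb5.conf-style
configuration plus simplified packet summary lines of the constructed form
    DNS A? <name>            and     AS-REQ <src> -> <dst>
Reported findings: A queries for the realm name (with case mismatch and the
dns_lookup_kdc setting noted), and AS-REQs to addresses that are not KDCs
configured for the realm.
"""
import re
from collections import defaultdict

# --- constructed sample input (hostnames/addresses are placeholders) ---
SAMPLE_CONF = """
[libdefaults]
    default_realm = COMPANY.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    dns_fallback = false

[realms]
    COMPANY.COM = {
        kdc = kdc1.company.com:88
        kdc = kdc2.company.com
    }

[domain_realm]
    .company.com = COMPANY.COM
"""
KDC_ADDRESSES = {"kdc1.company.com": "192.0.2.10",   # assumed resolved offline
                 "kdc2.company.com": "192.0.2.11"}
SAMPLE_PACKETS = [
    "DNS A? COMPANY.com.",                    # realm looked up as an A record
    "AS-REQ 198.51.100.5 -> 203.0.113.1",     # address came from that A answer
    "AS-REQ 198.51.100.5 -> 203.0.113.2",
    "AS-REQ 198.51.100.5 -> 192.0.2.10",      # a configured KDC, for contrast
]

AS_REQ = re.compile(r'^AS-REQ\s+(\S+)\s*->\s*(\S+)$')
DNS_A = re.compile(r'^DNS\s+A\?\s+(\S+?)\.?$')


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] headers, key = value pairs, and
    one level of NAME = { ... } blocks. Inside a block repeated keys (e.g.
    several kdc lines) are collected into lists; top-level keys are strings."""
    conf = defaultdict(dict)
    section, block = None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, block = m.group(1), None
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            block = m.group(1)
            conf[section][block] = defaultdict(list)
            continue
        if line == '}':
            block = None
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if block:
            conf[section][block][key].append(value)
        else:
            conf[section][key] = value
    return conf


def configured_kdcs(conf, realm):
    """KDC hostnames for a realm from [realms], with any :port suffix removed."""
    block = conf.get('realms', {}).get(realm, {})
    return [k.split(':')[0] for k in block.get('kdc', [])] if block else []


def analyze(conf_text, packets, realm, kdc_addresses):
    """Return a list of human-readable findings for the packet lines."""
    conf = parse_krb5_conf(conf_text)
    libdefaults = conf.get('libdefaults', {})
    dns_kdc_off = libdefaults.get('dns_lookup_kdc', 'true').lower() == 'false'
    allowed = {kdc_addresses[h] for h in configured_kdcs(conf, realm)
               if h in kdc_addresses}
    findings = []
    for line in packets:
        m = DNS_A.match(line)
        if m:
            name = m.group(1)
            if name.upper() == realm.upper():
                note = 'A query for realm name'
                if name != realm:
                    note += f' (case differs: {name} vs {realm})'
                if dns_kdc_off:
                    note += ' although dns_lookup_kdc = false'
                findings.append(note)
            continue
        m = AS_REQ.match(line)
        if m and m.group(2) not in allowed:
            findings.append(f'AS-REQ to {m.group(2)}, not a configured KDC for {realm}')
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_CONF, SAMPLE_PACKETS, 'COMPANY.COM', KDC_ADDRESSES):
        print(f)
```

On a real capture you would replace the constructed packet lines with destinations pulled from tcpdump (port 88 traffic) and the DNS query names from port 53 traffic; the check is the same: any AS-REQ destination outside the configured KDC set, or any A query for the realm name, means the client is not using the configuration you think it is reading.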
