[30839] in Kerberos
Re: Authenticating using lower case domain/realm
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Mon Mar 9 13:55:24 2009
From: Ken Raeburn <raeburn@MIT.EDU>
To: Santos <sansancasd@gmail.com>
In-Reply-To: <d2912e600903090923q2e9e2a5ch51ac522c2dd87b99@mail.gmail.com>
Message-Id: <8A15E4BE-E964-4705-91D2-EBA4648386D7@mit.edu>
Date: Mon, 9 Mar 2009 13:53:39 -0400
Cc: kerberos@MIT.EDU

On Mar 9, 2009, at 12:23, Santos wrote:
> BTW, dns_lookup_realm doesn't seem to work. It could help my case, if
> Kerberos queried the NS for TXT records in which I could specify the
> realm in upper case.
>
> I sniffed the DNS queries but no TXT queries. Any idea why?

The TXT records are used for mapping host names to realm names, and
are only looked up if the domain_realm section of the config file
doesn't list the host or domain name. If you supply a realm name on
the command line (or wherever), then TXT records won't be looked up at
all.

(In particular, we don't use TXT records to map the realm name to
itself and figure out the capitalization, if that's what you were
expecting. It might be a heuristic to try, but it's certainly
possible for there to be a host with a name matching a realm, and for
that host to be in a different realm, or for there to be a wildcard
record pointing to another realm....)

Ken

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
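
The lookup order described in the reply above, as an added example that is not part of the original message and is not MIT krb5 code. It is a simplified model: the function name, the sample domain_realm entries and the TXT records are constructed, and the `_kerberos.` name prefix and parent-domain walk are assumptions about how the TXT lookup is performed.

```python
# Simplified model of host-to-realm mapping; all data below is constructed.

DOMAIN_REALM = {                      # constructed [domain_realm] entries
    "kdc.example.com": "EXAMPLE.COM",
    ".corp.example.com": "CORP.EXAMPLE.COM",
}

TXT_RECORDS = {                       # constructed DNS TXT data
    "_kerberos.lab.example.net": "LAB.EXAMPLE.NET",
    # A host whose name matches a realm name but which sits in another realm:
    "_kerberos.example.org": "OTHER.REALM",
}


def resolve_realm(host, explicit_realm=None, dns_lookup_realm=True,
                  domain_realm=DOMAIN_REALM, txt=TXT_RECORDS):
    """Return (realm, source, txt_queries_made)."""
    queries = []

    # A realm supplied by the caller is used as given: no TXT lookup happens,
    # so DNS never gets a chance to correct its capitalization.
    if explicit_realm is not None:
        return explicit_realm, "explicit", queries

    host = host.lower().rstrip(".")
    labels = host.split(".")

    # 1. domain_realm: exact host name, then ".parent.domain" entries.
    keys = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in keys:
        if key in domain_realm:
            return domain_realm[key], "domain_realm", queries

    # 2. TXT records, only when domain_realm had no match and lookups are on.
    if dns_lookup_realm:
        for i in range(len(labels) - 1):      # assumption: stop before the TLD
            name = "_kerberos." + ".".join(labels[i:])
            queries.append(name)
            if name in txt:
                return txt[name], "dns_txt", queries

    return None, "unresolved", queries


if __name__ == "__main__":
    for args in [("kdc.example.com",), ("host.lab.example.net",),
                 ("kdc.example.com", "example.com"), ("example.org",)]:
        print(args, "->", resolve_realm(*args))
```
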