[30026] in Kerberos
Question about dns_lookup_realm and domain_realm
daemon@ATHENA.MIT.EDU (Jos Backus)
Thu Jun 26 17:43:08 2008
Date: Thu, 26 Jun 2008 14:41:29 -0700
From: Jos Backus <jos@catnook.com>
To: kerberos@mit.edu
Message-ID: <20080626214129.GB76461@lizzy.catnook.local>
Our setup employs two Kerberos realms, PROD.FOO.COM and DEV.FOO.COM under a
single DNS domain, foo.com. It would appear that dns_lookup_realm and the
addition of TXT RRs are supposed to handle this situation but it doesn't
appear to work.
Setup:
CentOS 5.1, krb5-1.6.1 RPMs.
kerberos1-dev.foo.com = master
kerberos2-dev.foo.com = slave, runs kpropd
DNS:
_kerberos.kerberos1-dev.foo.com IN TXT DEV.FOO.COM
_kerberos.kerberos2-dev.foo.com IN TXT DEV.FOO.COM
/etc/krb5.conf:
[libdefaults]
    default_realm = DEV.FOO.COM
    dns_lookup_realm = true

[realms]
    DEV.FOO.COM = {
        admin_server = kerberos1-dev.foo.com:749
    }
    PROD.FOO.COM = {
        admin_server = kerberos1-prod.foo.com:749
    }

[domain_realm]
    .foo.com = PROD.FOO.COM
Running `kprop -f /var/kerberos/krb5kdc/slave_datatrans kerberos2-dev.foo.com' yields:
kprop: Client not found in Kerberos database while getting initial ticket
Adding
kerberos1-dev.foo.com = DEV.FOO.COM
to the domain_realm section makes kprop work. However, it is undesirable from
a maintenance point of view as a general fix.
strace'ing kprop reveals that it does not make any TXT DNS queries, which is
unexpected.
How is this supposed to work?
Thanks for any light you can shed on this mechanism.
--
Jos Backus
jos at catnook.com
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
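An added illustration, not part of the post above or of the krb5 sources: a simplified Python model of the host-to-realm mapping order the krb5 library applies, fed with the poster's configuration as constructed input. It assumes that a matching domain_realm entry (exact host first, then parent domains with a leading dot) is used before any _kerberos TXT lookup, so DNS is only consulted when nothing in domain_realm matches; the library's last-resort fallback when neither matches is not modelled.

```python
# Simplified model of krb5's host-to-realm lookup order, written for this
# illustration (not the library's own code). The dictionaries below are
# constructed from the krb5.conf and DNS records in the post.

DOMAIN_REALM = {".foo.com": "PROD.FOO.COM"}

# Stand-in for the _kerberos TXT records (constructed, no real DNS used).
DNS_TXT = {
    "_kerberos.kerberos1-dev.foo.com": "DEV.FOO.COM",
    "_kerberos.kerberos2-dev.foo.com": "DEV.FOO.COM",
}


def profile_lookup(host, domain_realm):
    """Exact hostname first, then each parent domain with a leading dot."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def dns_lookup(host, txt_records, queries):
    """Try _kerberos.<host>, then _kerberos.<parent>..., logging each query."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        queries.append(name)  # what strace would show as a TXT query
        if name in txt_records:
            return txt_records[name]
    return None


def host_realm(host, domain_realm=DOMAIN_REALM, dns_lookup_realm=True,
               txt_records=DNS_TXT):
    """Return (realm or None, list of TXT queries that would be issued)."""
    queries = []
    realm = profile_lookup(host, domain_realm)
    if realm is None and dns_lookup_realm:
        realm = dns_lookup(host, txt_records, queries)
    return realm, queries
```

With the poster's `.foo.com = PROD.FOO.COM` entry present, every foo.com host maps to PROD.FOO.COM from the profile alone and no TXT query is ever issued, which matches the strace observation; only removing that catch-all (or adding a more specific host entry) changes the result.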