[30032] in Kerberos
Re: Question about dns_lookup_realm and domain_realm
daemon@ATHENA.MIT.EDU (Jos Backus)
Fri Jun 27 02:30:31 2008
Date: Thu, 26 Jun 2008 23:29:33 -0700
From: Jos Backus <jos@catnook.com>
To: Jeffrey Altman <jaltman@secure-endpoints.com>
Message-ID: <20080627062933.GA12491@lizzy.catnook.local>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <48648151.50403@secure-endpoints.com>
Cc: kerberos@mit.edu
Reply-To: jos@catnook.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, Jun 27, 2008 at 01:57:37AM -0400, Jeffrey Altman wrote:
> There are several issues here. First, DNS TXT records are known to be
> insecure. Turning them on for use in realm resolution provides for
> convenience but at the risk that your clients can be redirected to a
> realm that you do not control.
Understood.
> Second, any domain_realm mapping for your domain .foo.com is going to
> override the use of DNS lookups. That is because local configuration
> data is considered to be trustworthy whereas DNS lookups are not.
That's something my patch changes as it performs the DNS lookup first (when
configured).
> In the case of two realms, PROD.FOO.COM and DEV.FOO.COM, some of your
> hosts are in one and some are in the other. By default you want
> PROD.FOO.COM to be used. However, for specific hosts you want
> DEV.FOO.COM. Using the config file you would specify
>
> [domain_realm]
> devhost1.foo.com = DEV.FOO.COM
> .foo.com = PROD.FOO.COM
Yup, tried that, works, but doesn't scale well.
> If you want to rely on DNS TXT records you have to make sure that there
> are no mappings in the config file. Then you would create records for
>
> _kerberos.devhost1.foo.com IN TXT DEV.FOO.COM
> _kerberos.foo.com IN TXT PROD.FOO.COM
Okay. We have the former (obviously) but not the latter. I can add that.
> Because DNS TXT records are insecure and there is a need to be able to
> provide for centralized configuration data, Microsoft created the
> Kerberos referrals mechanism. Using referrals, a client asks the KDC
> belonging to the TGT realm for a referral to the correct realm for the
> desired service principal. Referrals are used whenever there is not a
> local [domain_realm] mapping.
So this implies two-way trust and communication, yes? I wonder if this will
require network/ACL changes.
> The safe way to add DNS TXT records back into the equation would be to
> add the DNS TXT lookup after the referrals request fails.
ISTR that's where krb5_get_fallback_host_realm() is called, from a comment in
the code. Now it's clear why although I still don't quite grok the referral
mechanism. Time to study the documentation.
Thanks for the critique and helpful information, Jeffrey.
--
Jos Backus
jos at catnook.com
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
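The following is an added worked example, not code from the thread or from MIT krb5. It models the two lookup orders the exchange above contrasts: the default, where a local [domain_realm] mapping is consulted first and DNS TXT records only when no mapping matches, against the patched order Jos describes, where the TXT lookup runs first. The [domain_realm] mapping and the _kerberos TXT records are the ones Jeffrey quotes; the extra TXT answer for web1.foo.com pointing at ATTACKER.EXAMPLE is a constructed stand-in for the kind of spoofed record he warns about, and the suffix-walking rules in lookup_domain_realm and lookup_dns_txt are a simplified model of krb5 behaviour, not its actual code.

```python
"""Realm resolution order: local [domain_realm] mapping vs. DNS TXT records.

Added example for the thread above; it simulates both lookups with in-memory
tables so it runs offline. Not MIT krb5 code.
"""
from typing import Callable, Dict, List, Optional

# Constructed [domain_realm] section, copied from the mapping quoted in the thread.
DOMAIN_REALM: Dict[str, str] = {
    "devhost1.foo.com": "DEV.FOO.COM",
    ".foo.com": "PROD.FOO.COM",
}

# Constructed stand-in for DNS answers to "_kerberos.<name> IN TXT <REALM>".
# A real client would ask a resolver; here the answers come from this dict.
DNS_TXT: Dict[str, str] = {
    "_kerberos.devhost1.foo.com": "DEV.FOO.COM",
    "_kerberos.foo.com": "PROD.FOO.COM",
}


def lookup_domain_realm(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Exact hostname first, then parent domains written with a leading dot,
    longest suffix first. Returns None when nothing in the local config matches."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def lookup_dns_txt(host: str, txt: Dict[str, str]) -> Optional[str]:
    """Walk _kerberos.<host>, then _kerberos.<parent>, ... until a TXT answer exists."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        if name in txt:
            return txt[name]
    return None


def resolve_realm(host: str, mapping: Dict[str, str], txt: Dict[str, str],
                  dns_first: bool = False, default: Optional[str] = None) -> Optional[str]:
    """Default order: trusted local config, then DNS only if no mapping matched.
    dns_first=True reproduces the patched order discussed in the thread, where the
    untrusted DNS answer is consulted before the local mapping."""
    steps: List[Callable[[], Optional[str]]] = [
        lambda: lookup_domain_realm(host, mapping),
        lambda: lookup_dns_txt(host, txt),
    ]
    if dns_first:
        steps.reverse()
    for step in steps:
        realm = step()
        if realm is not None:
            return realm
    return default


def compare_orders(host: str = "web1.foo.com") -> Dict[str, Optional[str]]:
    """Show how a single bogus TXT answer changes the outcome only when DNS is
    consulted before the local mapping. ATTACKER.EXAMPLE is a constructed value."""
    spoofed = dict(DNS_TXT)
    spoofed["_kerberos." + host] = "ATTACKER.EXAMPLE"
    return {
        "config_first": resolve_realm(host, DOMAIN_REALM, spoofed),
        "dns_first": resolve_realm(host, DOMAIN_REALM, spoofed, dns_first=True),
    }


if __name__ == "__main__":
    for name, realm in compare_orders().items():
        print(f"{name}: {realm}")
```

With the mapping from the thread in place, the `.foo.com` entry answers for every host under foo.com before DNS is ever asked, so the bogus TXT answer is ignored; reversing the order lets the DNS answer win, which is exactly the redirection risk the thread describes. The same structure applies to the referral-then-TXT order Jeffrey suggests: a TXT step belongs last in the list, after the trusted sources.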