[36180] in Kerberos
Re: tickets with wrong DNS
daemon@ATHENA.MIT.EDU (steve)
Sat Jun 7 11:11:50 2014
Message-ID: <1402153889.4202.10.camel@hh16.hh3.site>
From: steve <steve@steve-ss.com>
To: kerberos@mit.edu
Date: Sat, 07 Jun 2014 17:11:29 +0200
In-Reply-To: <1402151504.1597.3.camel@vikktakkht.oh3.sinenomine.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Sat, 2014-06-07 at 14:31 +0000, Brandon Allbery wrote:
> On Sat, 2014-06-07 at 16:13 +0200, steve wrote:
> > We have a Samba4 domain with some Linux clients joined under DHCP. We
> > are updating their DNS records via the nsupdate facility in SSSD. All is
> > fine, but the worrying issue is that the machines still function even
> > with the wrong rr registered in dns. Is this correct behaviour?
>
> Nowhere near enough information to even guess... but Windows domains
> (and therefore samba4) tend to use Kerberos principals based on the
> netbios name instead of DNS name, so it's not unlikely. As to the more
> unixy stuff, if the machine(s) in question aren't servers, they likely
> don't care much about their DNS entries; the only common service that
> does is the MTA (sendmail/postfix/etc.), and these days it's rare for
> clients to run their own MTAs in anything but local queueing mode where
> a hosts file entry is generally good enough.
>
Thanks.
The client has a keytab:
host/fqdn@REALM
host/hostname@REALM
HOSTNAME$@REALM
and a krb5.conf:
[libdefaults]
default_realm = ALTEA.SITE
dns_lookup_realm = false
dns_lookup_kdc = true
Maybe that's all that is required.
My point is that if it doesn't matter, we can simplify the Linux client
set-ups quite a bit because we can lose the signed nsupdate stuff.
Here is a login on a client at 192.168.1.22. Change the IP and it still
works fine, even though it's not registered in the DNS db (maintained
via bind9) on the DC.
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:55132 for
krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST
$@ALTEA.SITE
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:34322 for
krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- GUADALEST$@ALTEA.SITE
using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:15 starttime: unset endtime:
2014-06-08T02:59:15 renew till: 2014-06-08T16:59:14
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:49450 for
ldap/palmera.altea.site@ALTEA.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2014-06-07T16:59:15 starttime:
2014-06-07T16:59:15 endtime: 2014-06-08T02:59:15 renew till:
2014-06-08T16:59:14
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
ldb_wrap open of secrets.ldb
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:53422 for
krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST
$@ALTEA.SITE
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:52224 for
krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- GUADALEST$@ALTEA.SITE
using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:21 starttime: unset endtime:
2014-06-08T02:59:21 renew till: 2014-06-08T16:59:20
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:49452 for
ldap/palmera.altea.site@ALTEA.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2014-06-07T16:59:21 starttime:
2014-06-07T16:59:21 endtime: 2014-06-08T02:59:21 renew till:
2014-06-08T16:59:20
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ stevep\@ALTEA.SITE@ALTEA.SITE from
ipv4:192.168.1.22:59583 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- stevep\@ALTEA.SITE@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- stevep\@ALTEA.SITE@ALTEA.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- stevep
\@ALTEA.SITE@ALTEA.SITE
Kerberos: AS-REQ stevep\@ALTEA.SITE@ALTEA.SITE from
ipv4:192.168.1.22:49539 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- stevep\@ALTEA.SITE@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- stevep\@ALTEA.SITE@ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- stevep
\@ALTEA.SITE@ALTEA.SITE using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:23 starttime: unset endtime:
2014-06-08T02:59:23 renew till: 2014-06-08T16:59:23
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize
Kerberos: AS-REQ stevep\@ALTEA.SITE@ALTEA.SITE from
ipv4:192.168.1.22:49453 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- stevep\@ALTEA.SITE@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- stevep\@ALTEA.SITE@ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- stevep
\@ALTEA.SITE@ALTEA.SITE using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:23 starttime: unset endtime:
2014-06-08T02:59:23 renew till: 2014-06-08T16:59:23
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
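The KDC log quoted above answers the question about the client's DNS record indirectly: the client only ever asks for a ticket-granting ticket and for a service ticket to ldap/palmera.altea.site, so its own A record is never consulted in that exchange. The record matters when some other host asks the KDC for a ticket to host/guadalest.altea.site and then has to reach that name. The following script is an added example, not steve's code and not part of Samba; it parses log lines in the shape shown in the thread and flags machine accounts whose source IP no longer matches their registered A record, lists which services each client actually requested, and notes which principals pre-authenticated with RC4. The sample log, the DNS table and the second host ALBIR$ are constructed for the example.

```python
import re

# Constructed sample in the shape of the Samba KDC log quoted in the thread.
# The mail wraps long lines; here each record sits on one line. ALBIR$ is a
# hypothetical second client that asks for a ticket to GUADALEST's host service.
SAMPLE_LOG = """
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:55132 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: 149
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST$@ALTEA.SITE
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:34322 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- GUADALEST$@ALTEA.SITE using arcfour-hmac-md5
Kerberos: TGS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:49450 for ldap/palmera.altea.site@ALTEA.SITE [canonicalize, renewable]
Kerberos: AS-REQ stevep\\@ALTEA.SITE@ALTEA.SITE from ipv4:192.168.1.22:59583 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- stevep\\@ALTEA.SITE@ALTEA.SITE using arcfour-hmac-md5
Kerberos: TGS-REQ ALBIR$@ALTEA.SITE from ipv4:192.168.1.40:51001 for host/guadalest.altea.site@ALTEA.SITE [canonicalize]
"""

# Constructed A records as they would sit in the DC's zone: guadalest's entry is
# stale (the client has since moved to 192.168.1.22 under DHCP).
DNS_A_RECORDS = {
    "guadalest.altea.site": "192.168.1.50",
    "albir.altea.site": "192.168.1.40",
}

REQ_RE = re.compile(
    r"^Kerberos: (AS-REQ|TGS-REQ) (\S+) from ipv4:([\d.]+):(\d+) for (\S+)(?: \[([^\]]*)\])?$"
)
PREAUTH_RE = re.compile(
    r"^Kerberos: ENC-TS Pre-authentication succeeded -- (\S+) using (\S+)$"
)


def parse_kdc_log(text):
    """Return (requests, preauth) records parsed from KDC log text."""
    requests, preauth = [], []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            kind, client, ip, port, service, flags = m.groups()
            requests.append({
                "kind": kind, "client": client, "ip": ip, "port": int(port),
                "service": service,
                "flags": tuple(f.strip() for f in flags.split(",")) if flags else (),
            })
            continue
        m = PREAUTH_RE.match(line)
        if m:
            preauth.append({"client": m.group(1), "enctype": m.group(2)})
    return requests, preauth


def machine_fqdn(principal):
    """Map a machine account such as GUADALEST$@ALTEA.SITE to guadalest.altea.site.

    User principals (no trailing '$' in the name part) return None.
    """
    name, realm = principal.split("@", 1)
    if not name.endswith("$"):
        return None
    return f"{name[:-1]}.{realm}".lower()


def dns_mismatches(requests, dns_records):
    """Machine accounts whose request source IP differs from their A record.

    Returns {fqdn: (ip_seen_at_kdc, ip_registered_in_dns_or_None)}.
    """
    found = {}
    for r in requests:
        fqdn = machine_fqdn(r["client"])
        if fqdn is None:
            continue
        registered = dns_records.get(fqdn)
        if registered != r["ip"]:
            found[fqdn] = (r["ip"], registered)
    return found


def services_requested_by(requests, client):
    """Service principals a given client obtained TGS tickets for."""
    return sorted({r["service"] for r in requests
                   if r["client"] == client and r["kind"] == "TGS-REQ"})


def inbound_requests_for(requests, fqdn):
    """TGS-REQs by anyone for a service hosted on fqdn (host/fqdn, nfs/fqdn, ...)."""
    return [r for r in requests if r["service"].split("@")[0].endswith("/" + fqdn)]


def weak_preauth(preauth, weak=("arcfour-hmac-md5",)):
    """Principals that pre-authenticated with a weak enctype."""
    return sorted({p["client"] for p in preauth if p["enctype"] in weak})


if __name__ == "__main__":
    reqs, pre = parse_kdc_log(SAMPLE_LOG)
    print("stale A records:", dns_mismatches(reqs, DNS_A_RECORDS))
    print("GUADALEST$ asked for:", services_requested_by(reqs, "GUADALEST$@ALTEA.SITE"))
    print("tickets requested TO guadalest:",
          [r["client"] for r in inbound_requests_for(reqs, "guadalest.altea.site")])
    print("RC4 preauth:", weak_preauth(pre))
```

Run against a real Samba KDC log, the mismatch report is the check to watch: a client that authenticates from an address other than its A record still gets its own tickets, as the thread shows, but anyone holding a ticket for host/guadalest.altea.site will be steered to the stale address. The enctype report is a separate observation from the same log: both principals here pre-authenticate with arcfour-hmac-md5 even though the client advertises AES, which is worth tightening on the KDC side regardless of the DNS question.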