[36181] in Kerberos
Re: tickets with wrong DNS
daemon@ATHENA.MIT.EDU (Brandon Allbery)
Sat Jun 7 11:25:12 2014
From: Brandon Allbery <ballbery@sinenomine.net>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Sat, 7 Jun 2014 15:25:00 +0000
Message-ID: <1402154699.1597.8.camel@vikktakkht.oh3.sinenomine.net>
In-Reply-To: <1402153889.4202.10.camel@hh16.hh3.site>
Content-Language: en-US
Content-ID: <4FE6FAE6747AD14D873E32F654C350E6@mex05.mlsrvr.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Sat, 2014-06-07 at 17:11 +0200, steve wrote:
> Here is a login on a client at 192.168.1.22. Change the IP and it still
> works fine, even though it's not registered in the DNS db (maintained
> via bind9) on the DC.
>
> Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:55132 for
> krbtgt/ALTEA.SITE@ALTEA.SITE
> Kerberos: Client sent patypes: 149
> Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
> Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST$@ALTEA.SITE
It is indeed using the netbios name here, and DNS is not an issue. The
various DISCONNECTEDs don't look DNS-related; they look to me like it's
trying TCP first (normal for Windows DCs, since the Windows PAC is
usually too large for a UDP transaction) and falling back to UDP (normal
for traditional Kerberos). Depending on your configuration, you may want
to arrange for UDP to be tried first.
--
brandon s allbery kf8nh sine nomine associates
allbery.b@gmail.com ballbery@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net
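For an MIT krb5 client (an assumption; the thread does not say which Kerberos library the host at 192.168.1.22 runs), the transport order Brandon describes is controlled by udp_preference_limit in krb5.conf. The fragment below is an added example, not configuration from the original thread; the realm name is the one in the quoted log.

```ini
[libdefaults]
    default_realm = ALTEA.SITE

    # Requests no larger than this many bytes are sent over UDP first, with a
    # fall back to TCP; larger requests try TCP first. Anything exceeding the
    # maximum UDP datagram size always goes over TCP. The MIT default is 1465.
    #
    # A value of 1 forces TCP first for practically every request (the
    # behaviour seen against Windows-style DCs whose PAC-bearing replies
    # exceed a UDP datagram):
    # udp_preference_limit = 1
    #
    # A large value makes UDP the first choice for any request that fits in a
    # datagram, which is the "UDP tried first" arrangement suggested above:
    udp_preference_limit = 32700
```

With MIT krb5 you can confirm which transport the initial request actually used by running kinit with KRB5_TRACE=/dev/stderr set; the trace reports the UDP or TCP send to the KDC.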
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos