[36182] in Kerberos
Re: tickets with wrong DNS
daemon@ATHENA.MIT.EDU (Simo Sorce)
Sun Jun 8 14:21:27 2014
Message-ID: <1402251663.9430.43.camel@willson.usersys.redhat.com>
From: Simo Sorce <simo@redhat.com>
To: steve <steve@steve-ss.com>
Date: Sun, 08 Jun 2014 14:21:03 -0400
In-Reply-To: <1402150433.3923.4.camel@hh16.hh3.site>
Cc: kerberos@mit.edu
On Sat, 2014-06-07 at 16:13 +0200, steve wrote:
> Hi
> We have a Samba4 domain with some Linux clients joined under DHCP. We
> are updating their DNS records via the nsupdate facility in SSSD. All is
> fine, but the worrying issue is that the machines still function even
> with the wrong rr registered in dns. Is this correct behaviour?

The KDC has no way of knowing if DNS is correct or wrong, nor would it
trust the DNS even if it were able to ask a sensible question out of it.
In any case I do not see why it would be a problem that AS requests work
when you own the correct key. If you have the correct key that is proof
you are who you claim to be regardless of what DNS may think.

Simo.
--
Simo Sorce * Red Hat, Inc * New York