[37985] in Kerberos
Re: Kerberos on Mac
daemon@ATHENA.MIT.EDU (Matt Darwin)
Mon May 15 06:44:07 2017
MIME-Version: 1.0
In-Reply-To: <dd774384-fec5-22fb-1d1b-bf11937f395f@mit.edu>
From: Matt Darwin <mattdarwin@gmail.com>
Date: Mon, 15 May 2017 11:43:45 +0100
Message-ID: <CA+tVW=w90+3bQvWQMe4NkYYnU-c4tXC5Fe1PvmK-O_rgfHFAKw@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hi Glenn, Greg,
Thanks for your input.
I’ve now done some debugging with Wireshark and found what I believe to be
the smoking gun:
So it looks like the client is sending
oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
as the SnameString (presumably the SPN), when it should be sending:
d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
I’ve updated the ticket with the details:
http://stackoverflow.com/questions/43685086
So the question is, how do I persuade the JVM built-in Kerberos client to
change the way it looks up server hosts? Or is there genuinely a DNS
change required?
Bear in mind I have the following /etc/hosts entry:
10.252.134.51 d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
Thanks,
Matt
On 12 May 2017 at 16:40, Greg Hudson <ghudson@mit.edu> wrote:
> On 05/12/2017 11:28 AM, Matt Darwin wrote:
> > I’ve written a detailed description of the problem on Stack Overflow:
> > http://stackoverflow.com/questions/43685086/
>
> I read this, and I don't see in there the server principal name in the
> TGS request on macOS and on Linux. You might be able to obtain that
> with wireshark or similar if you can't get it out of the JVM. That
> information, together with knowledge of your DNS configuration, might
> provide a hint as to what's going on.
>
> Note that the JVM has its own Kerberos implementation, which is separate
> from MIT krb5, Heimdal, or the macOS fork of Heimdal. (I believe it's
> possible to use a shim to force it to call out to the C library, but
> from the stack trace it doesn't appear that you're doing that.) So the
> output you're getting from krb5-config --version is irrelevant, as is
> using brew to install a newer C library.
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
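The mismatch Matt captured (reverse-lookup name in the SnameString instead of the name from /etc/hosts) can be reproduced outside Kerberos, because the JDK's host-based GSS name derives the SPN host part from InetAddress.getCanonicalHostName(), which forward-resolves the name and then reverse-resolves the address. The following Java diagnostic is an added example, not code from the thread, the JDK or MIT krb5; it assumes an HTTP service, a placeholder realm EXAMPLE.COM, and uses the host name from the /etc/hosts line above as its default input.

```java
// Added diagnostic (not from the mailing-list thread): show the host name the JVM
// will canonicalize to before it builds a host-based service principal, and
// compare it with the name the application intended to use.
import java.net.InetAddress;
import java.net.UnknownHostException;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

public class SpnCheck {
    // Assumed: the host the application intends to reach (from the /etc/hosts entry).
    static final String INTENDED_HOST = "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com";
    // Assumed placeholder realm; replace with the real one.
    static final String REALM = "EXAMPLE.COM";

    /**
     * Forward-resolve the name, then reverse-resolve the resulting address,
     * exactly the lookup InetAddress.getCanonicalHostName() performs.
     * A host-based GSS name (service@host) is built from this result,
     * so if the PTR record disagrees with the hosts file, the SPN will
     * carry the PTR name.
     */
    static String canonicalHost(String host) throws UnknownHostException {
        InetAddress addr = InetAddress.getByName(host);   // forward lookup (hosts file or DNS)
        return addr.getCanonicalHostName();               // reverse lookup of that address
    }

    /**
     * Build the principal explicitly as service/host@REALM with the
     * NT_USER_NAME type. Only the host-based name type is canonicalized,
     * so this string is used literally and no reverse lookup is involved.
     */
    static GSSName explicitPrincipal(String service, String host, String realm)
            throws GSSException {
        return GSSManager.getInstance()
                .createName(service + "/" + host + "@" + realm, GSSName.NT_USER_NAME);
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : INTENDED_HOST;
        String canon = canonicalHost(host);
        System.out.println("intended host : " + host);
        System.out.println("canonical host: " + canon);
        if (!canon.equalsIgnoreCase(host)) {
            System.out.println("MISMATCH: a host-based name HTTP@" + host
                    + " would be sent as HTTP/" + canon);
            System.out.println("Either fix the reverse record for the address, or pass "
                    + "the principal explicitly, e.g. " + explicitPrincipal("HTTP", host, REALM));
        } else {
            System.out.println("OK: canonical name matches the intended host");
        }
    }
}
```

Run it as `java SpnCheck [hostname]` on the affected machine; the "canonical host" line is what to compare against the SnameString seen in Wireshark. Which name the reverse lookup returns depends on the platform resolver (PTR records versus the hosts file), which is why the same code can behave differently on macOS and Linux.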