Re: Kerberos on Mac
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon May 15 12:57:10 2017
To: Matt Darwin <mattdarwin@gmail.com>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <c508046d-198b-7b57-2e04-f61c3ee36924@mit.edu>
Date: Mon, 15 May 2017 12:56:52 -0400
MIME-Version: 1.0
In-Reply-To: <CA+tVW=w90+3bQvWQMe4NkYYnU-c4tXC5Fe1PvmK-O_rgfHFAKw@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 05/15/2017 06:43 AM, Matt Darwin wrote:
> So it looks like the client is sending
>
> oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
>
> as the SnameString (presumably the SPN), when it should be sending:
>
> d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com

I don't appear to have access to your DNS information from here. My
guess is that oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com is the
result of a PTR query on the IP address of the server, while
d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com is the preferred forward record
name.

If I'm right about that, what you're looking for is a way to get the JVM
Kerberos implementation to suppress the reverse DNS lookup when
canonicalizing the server name. In MIT krb5, that would be accomplished
with the "rdns" setting in krb5.conf; for details, see:
http://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html

It's possible that the same setting might work for the Java
implementation, but I'm not certain.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
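To make the mechanism described in the reply concrete, the following is an added example, not code from the thread or from MIT krb5: a simplified Python model of how a client canonicalizes the service hostname with and without the rdns lookup before building the SPN. The hostnames come from the thread; the DNS tables, the IP address and the realm are constructed assumptions.

```python
# Added example: a simplified model of krb5 service-hostname canonicalization,
# showing why a PTR record ends up in the SPN when rdns is enabled.
# The real library does a forward lookup (getaddrinfo with AI_CANONNAME) and,
# if rdns is true, a reverse lookup (getnameinfo) on the resulting address.
#
# The krb5.conf setting the reply refers to (MIT krb5) is:
#   [libdefaults]
#       rdns = false

# Constructed forward zone: name -> (canonical name, address). The address
# is an assumption derived from the PTR-style name in the thread.
FORWARD = {
    "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com": (
        "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com", "10.252.134.51"),
}

# Constructed reverse zone: address -> PTR name.
REVERSE = {
    "10.252.134.51": "oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com",
}


def canonicalize_host(hostname, rdns=True, forward=FORWARD, reverse=REVERSE):
    """Return the hostname a client would put in the service principal.

    1. Forward lookup: follow the name to its canonical name and address.
    2. If rdns is true and the address has a PTR record, that PTR name
       replaces the forward name (the step the reply suggests suppressing).
    The result is lowercased, as krb5 does for service principal hosts.
    """
    canonical, address = forward.get(hostname.lower(), (hostname.lower(), None))
    if rdns and address is not None and address in reverse:
        canonical = reverse[address]
    return canonical.lower()


def service_principal(service, hostname, realm, rdns=True):
    """Build the SPN the client requests from the KDC, e.g. host/name@REALM."""
    return f"{service}/{canonicalize_host(hostname, rdns=rdns)}@{realm}"


if __name__ == "__main__":
    target = "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com"
    for flag in (True, False):
        print(f"rdns={flag}: {service_principal('host', target, 'EXAMPLE.COM', rdns=flag)}")
```

With the reverse lookup enabled the SPN depends on whoever controls the PTR record for the server's address, which is one reason to prefer the forward name; the same model applies to any name that resolves to a shared NAT address.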