[39335] in Kerberos
Re: kinit without dns
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Wed Jan 24 15:34:38 2024
Message-Id: <202401242034.40OKYMTT023485@hedwig.cmf.nrl.navy.mil>
To: Michael B Allen <ioplex@gmail.com>
cc: kerberos <kerberos@mit.edu>
In-Reply-To: <CAGMFw4hwaL50oe4zzxU7F2L9BVZG_DG8CuMG47utmQxQ8CBM0w@mail.gmail.com>
MIME-Version: 1.0
Date: Wed, 24 Jan 2024 15:34:22 -0500
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
You MIGHT be better served by turning on Kerberos tracing to see what the
library is doing. Prefixing that kinit with:

    env KRB5_TRACE=/dev/stdout

would be useful. However, assuming these are in order ...
>Protocol Length Info
>DNS 80 Standard query 0xd8af A dc1.gogo.loco
>DNS 96 Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
>KRB5 221 AS-REQ
>KRB5 234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
This looks like the basic exchange with the KDC did not do any DNS lookups
(other than the hostname).
>DNS 79 Standard query 0x314d URI _kerberos.GOGO.LOCO
>DNS 154 Standard query response 0x314d No such name URI _kerberos.GOGO.LOCO SOA a.root-servers.net
>DNS 91 Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
>DNS 166 Standard query response 0xfc89 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
This looks like it is trying to find the name of the primary KDC. You could
put a line "master_kdc = dc1.gogo.logo" under the [realms] stanza and I
believe it would suppress these lookups (the preferred relation name was
changed to "primary_kdc" in 1.19 but it is still supposed to fall back
to the older name). I think that should get rid of all of the lookups
I see (I believe the PREAUTH_REQUIRED error makes it want to find the primary
KDC).
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
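The krb5.conf below is an added example illustrating the change Ken suggests; it is not from the thread or from the MIT krb5 distribution. The realm name GOGO.LOCO and the host dc1.gogo.loco are taken from the quoted capture; default_realm, admin_server and the dns_lookup_kdc setting are assumptions added to make the file complete and to turn off SRV/URI discovery altogether, which is what "kinit without dns" asks for.

```ini
# Added example krb5.conf (not from the thread). Realm and KDC host come from
# the quoted capture; everything else is an assumption for illustration.

[libdefaults]
    default_realm = GOGO.LOCO            # assumed
    # Do not consult DNS SRV/URI records to find KDCs; every KDC must then be
    # listed explicitly in [realms] below.
    dns_lookup_kdc = false

[realms]
    GOGO.LOCO = {
        kdc = dc1.gogo.loco
        admin_server = dc1.gogo.loco     # assumed
        # Naming the primary KDC removes the _kerberos-master._udp SRV and
        # _kerberos URI lookups seen after KRB5KDC_ERR_PREAUTH_REQUIRED.
        # The relation was renamed primary_kdc in krb5 1.19; master_kdc is
        # still accepted as a fallback, so it works on older releases too.
        master_kdc = dc1.gogo.loco
    }
```

To confirm the lookups are gone, run kinit with tracing enabled as described above (`env KRB5_TRACE=/dev/stdout kinit user@GOGO.LOCO`, user name assumed) and compare the trace with a packet capture: with dns_lookup_kdc disabled and master_kdc set, the only DNS traffic should be the A lookup of dc1.gogo.loco itself.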