[26965] in Athena Bugs
krb5.conf
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Mon Sep 18 18:25:04 2006
To: bugs@mit.edu
From: Ken Raeburn <raeburn@mit.edu>
Date: Mon, 18 Sep 2006 18:24:51 -0400
Message-ID: <tx1irjkstho.fsf@mit.edu>
I thought I'd mentioned this before, but maybe not.
If we're going to have hostnames for our KDCs listed in krb5.conf, we
should have a "." at the end of the names.
At least on Athena Linux, the BIND library appears to use the domain
search path when an AAAA query indicates that there's data for a given
name, but not an AAAA record. So it asks for kerberos.mit.edu.mit.edu
etc.
send(3, "~u\1\0\0\1\0\0\0\0\0\0\10kerberos\3mit\3edu\0\0\34\0\1", 34, MSG_NOSIGNAL) = 34
send(3, "\265\361\1\0\0\1\0\0\0\0\0\0\10kerberos\3mit\3edu\3MIT\3EDU\0\0\34\0\1", 42, MSG_NOSIGNAL) = 42
send(3, "<)\1\0\0\1\0\0\0\0\0\0\10kerberos\3mit\3edu\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34
(That's an AAAA query for kerberos.mit.edu, an AAAA query for
kerberos.mit.edu.mit.edu, and an A query for kerberos.mit.edu.)
We could also probably do away with the names in the config file, as
the network folks are advertising the addresses where modern Kerberos
libraries should find them:
_kerberos._udp.athena.mit.edu. 21600 IN SRV 0 0 88 KERBEROS.MIT.EDU.
_kerberos._udp.athena.mit.edu. 21600 IN SRV 0 0 88 KERBEROS-1.MIT.EDU.
_kerberos._udp.athena.mit.edu. 21600 IN SRV 0 0 88 KERBEROS-2.MIT.EDU.
And I'm pretty sure we can get rid of this one:
CYGNUS.COM = {
        kdc = KERBEROS.CYGNUS.COM
        kdc = KERBEROS-1.CYGNUS.COM
        admin_server = KERBEROS.CYGNUS.COM
}
Ken
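To make the strace output above checkable, here is an added example (not part of Ken's report or of the Athena configuration): it decodes the three send() payloads as DNS wire-format queries, confirming that the second one is an AAAA query for kerberos.mit.edu.MIT.EDU, and then models the BIND res_search rule to show why a trailing dot stops the search list from being appended. The byte strings are the strace payloads re-encoded as Python bytes (the C escapes \1, \10 and \34 are octal); the search list ("MIT.EDU") and the ndots value are assumptions about what /etc/resolv.conf on the traced host contained, inferred from the second query.

```python
import struct

# The three DNS payloads from the strace lines in the report, re-encoded as
# Python bytes (the C string escapes "\1", "\10", "\34" are octal).
STRACE_QUERIES = [
    b"~u\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x08kerberos\x03mit\x03edu\x00\x00\x1c\x00\x01",
    b"\xb5\xf1\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x08kerberos\x03mit\x03edu\x03MIT\x03EDU\x00\x00\x1c\x00\x01",
    b"<)\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x08kerberos\x03mit\x03edu\x00\x00\x01\x00\x01",
]

QTYPE_NAMES = {1: "A", 28: "AAAA", 33: "SRV"}


def read_name(msg, offset):
    """Decode a DNS wire-format name starting at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            # Compression pointer (RFC 1035 section 4.1.4). Stub-resolver queries never
            # use them, but a general parser must follow them, and only backwards,
            # so a crafted message cannot send us into a loop.
            pointer = ((length & 0x3F) << 8) | msg[offset]
            if pointer >= offset - 1:
                raise ValueError("compression pointer does not point backwards")
            name, _ = read_name(msg, pointer)
            labels.append(name.rstrip("."))
            return ".".join(labels) + ".", offset + 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def decode_query(msg):
    """Parse the 12-byte header and the single question of a DNS query message."""
    ident, flags, qdcount, _ancount, _nscount, _arcount = struct.unpack(">6H", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = read_name(msg, 12)
    qtype, qclass = struct.unpack(">HH", msg[offset:offset + 4])
    return {
        "id": ident,
        "rd": bool(flags & 0x0100),   # recursion desired, set by stub resolvers
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
    }


def decode_queries(payloads):
    """Summarise a list of query payloads as (qname, qtype) pairs, in send() order."""
    return [(q["qname"], q["qtype"]) for q in map(decode_query, payloads)]


def search_candidates(name, search=("MIT.EDU",), ndots=1):
    """Model of the BIND res_search rule: the names a stub resolver may try for
    `name`, in order. An absolute name (trailing dot) is tried exactly once and
    never has the search list appended. A relative name with at least `ndots`
    dots is tried as-is first, then with each search domain appended; with fewer
    dots the search domains come first. The default search list and ndots are
    assumed values for the traced Athena host, not read from its resolv.conf."""
    if name.endswith("."):
        return [name]
    as_is = name + "."
    appended = [f"{name}.{domain}." for domain in search]
    if name.count(".") >= ndots:
        return [as_is] + appended
    return appended + [as_is]


if __name__ == "__main__":
    for qname, qtype in decode_queries(STRACE_QUERIES):
        print(f"{qtype:5s} {qname}")
    print("relative:", search_candidates("kerberos.mit.edu"))
    print("absolute:", search_candidates("kerberos.mit.edu."))
```

The decoded list reproduces the report's reading of the trace (AAAA for kerberos.mit.edu, AAAA for kerberos.mit.edu.MIT.EDU, A for kerberos.mit.edu), and the relative spelling of the KDC name is what makes the second candidate exist at all; writing `kdc = kerberos.mit.edu.` in krb5.conf leaves the resolver only the absolute name to ask about.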