[32792] in Kerberos
Re: What are the issues with dns_lookup_realm ?
daemon@ATHENA.MIT.EDU (Brian Candler)
Mon Oct 11 11:06:11 2010
Date: Mon, 11 Oct 2010 16:05:59 +0100
From: Brian Candler <B.Candler@pobox.com>
To: kerberos@mit.edu
Message-ID: <20101011150559.GA5691@talktalkplc.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20101004211137.GA7523@talktalkplc.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, Oct 04, 2010 at 10:11:37PM +0100, Brian Candler wrote:
> Which brings me to an aside: does this mean that all communication is
> initiated by the client to each KDC, except for the final server to its KDC?
> There's no KDC to KDC traffic? I'm particularly interested whether I can
> make the following scenario work with a NAT/PAT firewall:
>
>                             NAT
>                            +-+
> client ----------------> | | ----------------> server
>                          | |
>                          | |
> KDC for                  | |                   KDC for
> FOO.EXAMPLE.COM          | |                   BAR.EXAMPLE.COM
>                          +-+
For the benefit of the list, I have set this up and it seems to work fine. I
am using vmware server. Getting the above scenario to work just involved
changing client and kdc.foo.example.com to a 'NAT' interface while
kdc.bar.example.com has a 'bridged' interface with its own IP.
* On client, do 'kinit' (gets ticket for candlerb@FOO.EXAMPLE.COM)
* On client, ssh to kdc.bar.example.com
* Cross-realm authentication works fine
I did some tcpdump testing.
When I do initial kinit: I see an exchange from client to kdc.foo only.
When I initiate ssh connection: apart from port 22 traffic I see
* kerberos exchange from client to kdc.foo
* reverse dns lookup on kdc.bar [probably sshd / tcp_wrappers]
* kerberos exchange from client to kdc.bar
kdc.bar doesn't have any /etc/hosts entry for the NAT external IP, so
doesn't seem to need it.
Regards,
Brian.
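The exchange Brian observed with tcpdump (AS exchange with kdc.foo on kinit, then a TGS exchange with kdc.foo for a cross-realm TGT, then a TGS exchange with kdc.bar for the host ticket, then the AP-REQ inside the ssh session) is modelled below as an added example; it is not code from the post or from MIT Kerberos. It records every message as a network flow so the property that makes the NAT/PAT setup work can be checked: every flow is initiated by the client, and no KDC ever talks to another KDC. Hostnames (`client`, `kdc.foo.example.com`, `kdc.bar.example.com`), the `[domain_realm]`-style suffix map, a one-directional trust (BAR accepting cross-realm TGTs issued by FOO) and the `run_scenario`/`kdc_to_kdc_flows`/`all_client_initiated` helpers are all assumptions of this toy model.

```python
# Added illustration, not from the mailing-list post or from MIT Kerberos:
# a toy model of the cross-realm ticket exchange, recording each network
# flow so the "everything is initiated by the client" observation can be
# checked. Crypto is omitted; only who talks to whom is modelled.
from dataclasses import dataclass

KRB_PORT = 88
SSH_PORT = 22


@dataclass(frozen=True)
class Ticket:
    sname: str    # service principal the ticket is for, e.g. "krbtgt/BAR.EXAMPLE.COM"
    issuer: str   # realm whose KDC issued the ticket


@dataclass(frozen=True)
class Flow:
    src: str      # host that initiated the exchange
    dst: str
    dport: int
    msg: str


class Kdc:
    """KDC for one realm; accepts cross-realm TGTs issued by the `trusted` realms."""

    def __init__(self, realm, host, trusted=()):
        self.realm, self.host, self.trusted = realm, host, set(trusted)

    def as_req(self, client_principal):
        # AS exchange (what 'kinit' does): initial TGT for this realm.
        return Ticket(f"krbtgt/{self.realm}", self.realm)

    def tgs_req(self, tgt, sname):
        # TGS exchange: the presented TGT must be a TGT for *this* realm, issued
        # either locally or by a realm we share a cross-realm key with.
        if tgt.sname != f"krbtgt/{self.realm}":
            raise PermissionError(f"{tgt.sname} is not a TGT for {self.realm}")
        if tgt.issuer != self.realm and tgt.issuer not in self.trusted:
            raise PermissionError(f"no cross-realm trust with {tgt.issuer}")
        return Ticket(sname, self.realm)


class Client:
    def __init__(self, host, realm, kdcs, domain_realm):
        self.host, self.realm = host, realm
        self.kdcs = kdcs                  # realm -> Kdc
        self.domain_realm = domain_realm  # DNS suffix -> realm, like krb5.conf [domain_realm]
        self.flows = []                   # every exchange, as tcpdump would see it
        self.tgt = None

    def _send(self, kdc, msg, fn, *args):
        # Every KDC exchange is a client-initiated request/response on port 88.
        self.flows.append(Flow(self.host, kdc.host, KRB_PORT, msg))
        return fn(*args)

    def kinit(self):
        kdc = self.kdcs[self.realm]
        self.tgt = self._send(kdc, "AS-REQ", kdc.as_req, f"{self.host}@{self.realm}")
        return self.tgt

    def realm_of(self, server_host):
        # Static mapping, longest suffix first (the static alternative to dns_lookup_realm).
        for suffix, realm in sorted(self.domain_realm.items(), key=lambda kv: -len(kv[0])):
            if server_host.endswith(suffix):
                return realm
        raise LookupError(f"no realm mapping for {server_host}")

    def get_service_ticket(self, server_host):
        target_realm = self.realm_of(server_host)
        sname = f"host/{server_host}"
        tgt = self.tgt
        if target_realm != self.realm:
            # Ask our own KDC for a cross-realm TGT, then carry it to the foreign KDC.
            home = self.kdcs[self.realm]
            xrealm = f"krbtgt/{target_realm}"
            tgt = self._send(home, f"TGS-REQ {xrealm}", home.tgs_req, tgt, xrealm)
        kdc = self.kdcs[target_realm]
        return self._send(kdc, f"TGS-REQ {sname}", kdc.tgs_req, tgt, sname)

    def ssh(self, server_host):
        # The AP-REQ travels inside the ssh session itself (port 22 traffic).
        ticket = self.get_service_ticket(server_host)
        self.flows.append(Flow(self.host, server_host, SSH_PORT, f"AP-REQ {ticket.sname}"))
        return ticket


def run_scenario():
    """Replays the post's setup: kinit in FOO, then ssh to kdc.bar in BAR."""
    kdc_foo = Kdc("FOO.EXAMPLE.COM", "kdc.foo.example.com")
    kdc_bar = Kdc("BAR.EXAMPLE.COM", "kdc.bar.example.com", trusted={"FOO.EXAMPLE.COM"})
    client = Client("client", "FOO.EXAMPLE.COM",
                    {"FOO.EXAMPLE.COM": kdc_foo, "BAR.EXAMPLE.COM": kdc_bar},
                    {".foo.example.com": "FOO.EXAMPLE.COM",
                     ".bar.example.com": "BAR.EXAMPLE.COM"})
    client.kinit()
    ticket = client.ssh("kdc.bar.example.com")
    return ticket, client.flows


def all_client_initiated(flows, client_host):
    """True when every exchange was opened by the client (NAT/PAT friendly)."""
    return all(f.src == client_host for f in flows)


def kdc_to_kdc_flows(flows, kdc_hosts):
    """Any flow between two KDCs; the post's tcpdump saw none."""
    return [f for f in flows if f.src in kdc_hosts and f.dst in kdc_hosts]


if __name__ == "__main__":
    ticket, flows = run_scenario()
    for f in flows:
        print(f"{f.src} -> {f.dst}:{f.dport}  {f.msg}")
    print("client-initiated only:", all_client_initiated(flows, "client"))
```

The four recorded flows match the two tcpdump observations in the post (two exchanges with kdc.foo, then exchanges with kdc.bar on ports 88 and 22), which is why a NAT that only permits outbound connections from the client side is enough: kdc.bar never has to reach back to kdc.foo, and the cross-realm TGT presented to it is verified with the shared cross-realm key rather than with a callback.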
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos