FQDN needed by sasl_gss_client_step or gss_import_name?

Lawrence Greenfield leg+ at andrew.cmu.edu
Thu May 16 21:04:00 EDT 2002


This is a known interoperability problem between MIT Kerberos and
Microsoft Kerberos (and other versions).

Microsoft Kerberos (correctly) does not use DNS to canonicalize.  DNS
is insecure and shouldn't be used for this purpose.  Unfortunately,
Kerberos implementations have a long history of using DNS to
canonicalize (and it's somewhat lamely codified in RFC 2743).

Hopefully the Kerberos clarifications in the krb-wg will address this
issue and MIT will change their implementation.  Until then, the best
you can do is "fix" your DNS.

Larry

   Date: Thu, 16 May 2002 16:40:47 -0700 (PDT)
   From: Dave Snoopy <kingsnoopy7 at yahoo.com>

   I am using OpenLDAP's ldapsearch tool, in conjunction
   with Cyrus SASL and MIT Kerberos 5. The tool allows me
   to do LDAP queries against a Microsoft PDC, assuming
   that I have first obtained the ticket from the
   Microsoft KDC. It works great, except for one
   problem...

   My DNS server has two entries for my PDC/KDC. The two
   entries are:
      gem-pdc.gem.company.com  -> 192.168.10.87
      gem-pdc  -> 192.168.10.87

   A reverse DNS lookup on the IP will return either of
   the host names.

   I guess that either SASL or Kerberos does a reverse
   DNS lookup based on the IP. When the non-FQDN host
   name is returned, my LDAP/SASL/Kerberos gives the
   following error:

    added plugin '/usr/lib/sasl/libgssapiv2.so'
    mech list from server is GSSAPI GSS-SPNEGO
    Considering mech GSSAPI
    Best mech so far: GSSAPI
    Considering mech GSS-SPNEGO
    sasl_gss_client_step: AUTHNEG
    Trying to get userid
    SASL/GSSAPI authentication started
    sasl_gss_client_step: AUTHNEG
    Trying to get userid
    Userid: -C
    name: ldap at gem-pdc
    ldap_sasl_interactive_bind_s: Local error

   I traced down the error to the Kerberos function
   "gss_import_name", which is being called from the SASL
   function sasl_gss_client_step. This problem only
   happens when the non-FQDN KDC name is returned from
   DNS. Is this a Kerberos or SASL problem? Does anyone
   know how to resolve it (without changing my DNS)?

   Thanks,
   Dave


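An added illustration, not code from the thread or from OpenLDAP, Cyrus SASL or MIT krb5: a small Python model of how a client that canonicalizes the service host through DNS ends up with the unqualified `ldap/gem-pdc` principal when the reverse lookup returns the short name first, and a check that flags such a principal before any ticket request. The resolver data is constructed to match the two DNS entries in the question; all function names are hypothetical.

```python
from typing import Dict, List

# Constructed sample resolver data (not a real zone): forward answers for
# both names and reverse answers for the IP, in the order a resolver
# might hand them back.  The short name comes first here on purpose.
SAMPLE_FORWARD: Dict[str, str] = {
    "gem-pdc.gem.company.com": "192.168.10.87",
    "gem-pdc": "192.168.10.87",
}
SAMPLE_REVERSE: Dict[str, List[str]] = {
    "192.168.10.87": ["gem-pdc", "gem-pdc.gem.company.com"],
}


def is_fqdn(host: str) -> bool:
    """A fully qualified name carries at least one label boundary (a dot)."""
    return "." in host.strip(".")


def resolve_service_host(target: str, forward: Dict[str, str],
                         reverse: Dict[str, List[str]], use_rdns: bool = True) -> str:
    """Mimic DNS-based canonicalization: forward-resolve the target, then,
    if use_rdns is set, replace it with the first reverse answer for the IP.
    The first PTR answer wins, which is the nondeterminism seen in the thread."""
    ip = forward.get(target)
    if ip is None:
        raise LookupError(f"no address for {target}")
    if not use_rdns:
        return target
    names = reverse.get(ip, [])
    return names[0] if names else target


def build_principal(service: str, target: str, realm: str,
                    forward: Dict[str, str] = SAMPLE_FORWARD,
                    reverse: Dict[str, List[str]] = SAMPLE_REVERSE,
                    use_rdns: bool = True) -> str:
    """Return the host-based service principal, e.g. ldap/host.example@REALM."""
    host = resolve_service_host(target, forward, reverse, use_rdns)
    return f"{service}/{host}@{realm}"


def check_principal(principal: str) -> List[str]:
    """Sanity check on the derived principal: an unqualified host part
    (the 'ldap at gem-pdc' case) will not match anything the KDC knows."""
    host = principal.split("/", 1)[1].split("@", 1)[0]
    if not is_fqdn(host):
        return [f"host part '{host}' is not fully qualified"]
    return []
```

With `use_rdns=True` the model reproduces the failing name; with `use_rdns=False` the principal keeps the FQDN the client was actually given.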



