How to Force a Kerb 4 Request
Alexandra Ellwood
lxs at MIT.EDU
Wed Dec 1 02:28:47 EST 2004
On Nov 30, 2004, at 7:22 PM, Henry B. Hotz wrote:
> I just went back to a known-good krb5.conf from Jaguar; stripped out
> all the extraneous realm definitions; added the dns_fallback = no
> line; and retested. I can now get kerberos 4 tickets on Panther from
> an AFS kaserver. Obviously I missed something.
>
> I will note that the code *still* does a dns lookup.
>
>> 15:43:30.892937 IP dhcp-149-196-226.jpl.nasa.gov.60962 >
>> ns2.jpl.nasa.gov.domain: 37782+ SRV? _kerberos-iv._udp.JPL.NASA.GOV.
>> (48)
>
> I suppose it works because there is no Kerb 4 service record for
> Active Directory. I've had no end of testing trouble with AD
> hijacking my attempts to use test servers with the real domain/REALM
> names.
>
> Is there another fallback option that applies to Kerb 4? Can I put
> that option into a realm definition so I still do lookups for non-JPL
> realms?
No, sorry, this is a known bug. There is no way to turn off krb4 dns
requests at runtime.
However, this should not be a problem for your configuration since you
want to get v4 tickets -- it's normally only a problem if you are
trying to get only v5 tickets for a realm that has SRV records for both
v4 and v5.
--lxs
-----------------------------------------------------------------------
Alexandra Ellwood <lxs at mit.edu>
Kerberos Development Team
MIT Information Services & Technology
<http://mit.edu/lxs/www>
-----------------------------------------------------------------------