How to Force a Kerb 4 Request

Alexandra Ellwood lxs at MIT.EDU
Wed Dec 1 02:28:47 EST 2004


On Nov 30, 2004, at 7:22 PM, Henry B. Hotz wrote:

> I just went back to a known-good krb5.conf from Jaguar;  stripped out 
> all the extraneous realm definitions;  added the dns_fallback = no 
> line; and retested.  I can now get Kerberos 4 tickets on Panther from 
> an AFS kaserver.  Obviously I missed something.
>
> I will note that the code *still* does a DNS lookup.
>
>> 15:43:30.892937 IP dhcp-149-196-226.jpl.nasa.gov.60962 > 
>> ns2.jpl.nasa.gov.domain:  37782+ SRV? _kerberos-iv._udp.JPL.NASA.GOV. 
>> (48)
>
> I suppose it works because there is no Kerb 4 service record for 
> Active Directory.  I've had no end of testing trouble with AD 
> hijacking my attempts to use test servers with the real domain/REALM 
> names.
>
> Is there another fallback option that applies to Kerb 4?  Can I put 
> that option into a realm definition so I still do lookups for non-JPL 
> realms?

No, sorry, this is a known bug.  There is no way to turn off krb4 DNS 
requests at runtime.

However, this should not be a problem for your configuration since you 
want to get v4 tickets -- it's normally only a problem if you are 
trying to get only v5 tickets for a realm that has SRV records for both 
v4 and v5.


--lxs
-----------------------------------------------------------------------
Alexandra Ellwood <lxs at mit.edu>
Kerberos Development Team
MIT Information Services & Technology
<http://mit.edu/lxs/www>
-----------------------------------------------------------------------
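
The check Henry did by eye, spotting a Kerberos SRV lookup in tcpdump output after setting dns_fallback = no, can be scripted. This is an added example, not part of the original messages; the function names are hypothetical. The first sample line is the capture quoted above, unwrapped, and the other sample lines are constructed.

```python
import re
from collections import defaultdict

# tcpdump text for a DNS query: "<time> IP <src> > <dst>: <id>+ SRV? <name>. (<len>)"
SRV_QUERY = re.compile(
    r"^(?P<time>\S+) IP (?P<src>\S+) > (?P<dst>\S+):\s+\d+\+?\s+SRV\?\s+"
    r"_(?P<service>[a-z0-9-]+)\._(?P<proto>udp|tcp)\.(?P<realm>\S+?)\.?(?:\s|$)",
    re.IGNORECASE,
)

# SRV service labels mapped to the Kerberos version that looks them up.
# _kerberos-iv is the label in the capture above; _kerberos is the krb5 label.
VERSIONS = {"kerberos-iv": "krb4", "kerberos": "krb5"}

def kerberos_srv_queries(lines):
    """Return {(version, REALM): [timestamps]} for Kerberos SRV queries in tcpdump text."""
    seen = defaultdict(list)
    for line in lines:
        m = SRV_QUERY.match(line.strip())
        if not m:
            continue  # not an SRV query at all
        version = VERSIONS.get(m["service"].lower())
        if version:  # other SRV labels (e.g. _ldap) are ignored
            seen[(version, m["realm"].upper())].append(m["time"])
    return dict(seen)

def unexpected_lookups(lines, no_dns_realms):
    """(version, realm) pairs queried via DNS for realms meant to come from krb5.conf only."""
    wanted = {r.upper() for r in no_dns_realms}
    return sorted(k for k in kerberos_srv_queries(lines) if k[1] in wanted)

# First entry: the capture from the message, joined onto one line.
# Remaining entries: constructed sample lines.
SAMPLE = [
    "15:43:30.892937 IP dhcp-149-196-226.jpl.nasa.gov.60962 > "
    "ns2.jpl.nasa.gov.domain:  37782+ SRV? _kerberos-iv._udp.JPL.NASA.GOV. (48)",
    "15:43:31.101010 IP client.example.org.60963 > "
    "ns.example.org.domain:  37783+ SRV? _kerberos._udp.EXAMPLE.ORG. (45)",
    "15:43:31.202020 IP client.example.org.60964 > "
    "ns.example.org.domain:  37784+ SRV? _ldap._tcp.example.org. (41)",
    "15:43:32.000000 IP client.example.org.60965 > "
    "ns.example.org.domain:  37785+ A? kdc.example.org. (33)",
]

if __name__ == "__main__":
    print(kerberos_srv_queries(SAMPLE))
    print(unexpected_lookups(SAMPLE, ["JPL.NASA.GOV"]))
```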


