Reading kerberos-adm from DNS: when will MIT-krb support this?

Marcus Watts mdw at umich.edu
Mon Mar 12 01:11:32 EDT 2007


cpkrb0703 at melvex.xs4all.nl writes:
> Date: Sun, 11 Mar 2007 22:24:44 +0100
> From: Bastian <cpkrb0703 at melvex.xs4all.nl>
> To: kerberos at mit.edu
> Subject: Reading kerberos-adm from DNS: when will MIT-krb support this?
> 
> Hi,
> 
> In the release notes I read that in the future, MIT kerberos will be 
> able to read the name of the administrative server from DNS (through 
> kerberos-adm). Does anyone know when this is going to be implemented?
> 
> MIT kerberos already implements the use of the other kerberos related 
> DNS records, but kerberos-adm still requires a local krb5.conf.
> 
> Bastian

I believe the future has already arrived.  Current MIT code should
be capable of finding and using records like this:

	spam% dig _kerberos-adm._tcp.umich.edu srv

	; <<>> DiG 9.3.2-P1 <<>> _kerberos-adm._tcp.umich.edu srv
	;; global options:  printcmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29470
	;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

	;; QUESTION SECTION:
	;_kerberos-adm._tcp.umich.edu.  IN      SRV

	;; ANSWER SECTION:
	_kerberos-adm._tcp.umich.edu. 300 IN    SRV     0 0 749 fear.ifs.umich.edu.

	;; AUTHORITY SECTION:
	umich.edu.              19699   IN      NS      dns.cs.wisc.edu.
	umich.edu.              19699   IN      NS      dns.itd.umich.edu.
	umich.edu.              19699   IN      NS      dns2.itd.umich.edu.

	;; ADDITIONAL SECTION:
	fear.ifs.umich.edu.     2757    IN      A       141.211.1.32
	dns.cs.wisc.edu.        41792   IN      A       128.105.2.10
	dns.itd.umich.edu.      13      IN      A       141.211.144.15
	dns2.itd.umich.edu.     13      IN      A       141.211.125.15

	;; Query time: 5 msec
	;; SERVER: 141.211.1.36#53(141.211.1.36)
	;; WHEN: Mon Mar 12 01:02:15 2007
	;; MSG SIZE  rcvd: 215

	spam% 

Check out in the source krb5/src/lib/krb5/os/locate_kdc.c function
dns_locate_server for a complete list of dns names.  Note that _udp
vs. _tcp is service-dependent.

Interesting obscure factoid:
If your dns information lacks a _kerberos-master record (and you don't
have a krb5.conf that specifies a master_kdc for your realm), MIT library
code won't prompt to change the password for principals with expired passwords.

				-Marcus Watts
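One way to check what a realm actually publishes, as an added example that is not code from this thread or from MIT krb5: it parses dig-style SRV answer lines like the one above, orders them as a client would, and reports which of the expected names have no record, so a missing _kerberos-master (the expired-password gotcha Marcus mentions) shows up before users hit it. The service/transport name list is an assumption based on the usual MIT layout (locate_kdc.c is authoritative), and the sample answers are constructed for a fictitious EXAMPLE.COM realm.

```python
import re
from collections import namedtuple
SrvRecord = namedtuple("SrvRecord", "name ttl priority weight port target")

# Service/transport pairs a client may query (assumed from the usual MIT layout;
# the authoritative list is dns_locate_server in locate_kdc.c, as the post says).
KRB5_SRV_NAMES = [("_kerberos", "_udp"), ("_kerberos", "_tcp"), ("_kerberos-master", "_udp"),
                  ("_kerberos-adm", "_tcp"), ("_kpasswd", "_udp")]

# One dig-style answer line: owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<prio>\d+)"
                      r"\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$")

def srv_query_name(service, transport, realm):
    """Owner name a client looks up, e.g. _kerberos-adm._tcp.example.com."""
    return f"{service}.{transport}.{realm.lower()}"

def parse_srv_answers(text):
    """Parse dig ANSWER SECTION lines into SrvRecord tuples; skip other lines."""
    out = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            out.append(SrvRecord(m["name"].rstrip(".").lower(), int(m["ttl"]),
                                 int(m["prio"]), int(m["weight"]), int(m["port"]),
                                 m["target"].rstrip(".").lower()))
    return out

def audit_realm(realm, records):
    """Return (found, missing): found maps each expected query name to its records
    in the order a client would try them; missing lists names with no record."""
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    found, missing = {}, []
    for service, transport in KRB5_SRV_NAMES:
        qname = srv_query_name(service, transport, realm)
        if qname in by_name:  # RFC 2782 order: lowest priority first, then highest weight
            found[qname] = sorted(by_name[qname], key=lambda r: (r.priority, -r.weight))
        else:
            missing.append(qname)
    return found, missing

# Constructed sample for a fictitious EXAMPLE.COM realm, in dig's answer format;
# it deliberately publishes no _kerberos-master record, the gap the post warns about.
SAMPLE_ANSWERS = """\
_kerberos._udp.example.com.     300 IN SRV 10 0 88  kdc2.example.com.
_kerberos._udp.example.com.     300 IN SRV 0  0 88  kdc1.example.com.
_kerberos-adm._tcp.example.com. 300 IN SRV 0  0 749 kadmin.example.com.
_kpasswd._udp.example.com.      300 IN SRV 0  0 464 kadmin.example.com.
"""
```

Feed it the ANSWER SECTION of a real `dig ... srv` run per name (or a zone dump) in place of SAMPLE_ANSWERS; anything in `missing` is a lookup the client will fall through on.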
