Reading kerberos-adm from DNS: when will MIT-krb support this?

Bastian cpkrb0703 at melvex.xs4all.nl
Mon Mar 12 15:35:57 EDT 2007


Marcus Watts schreef:
> cpkrb0703 at melvex.xs4all.nl writes:
>   
>> Date: Sun, 11 Mar 2007 22:24:44 +0100
>> From: Bastian <cpkrb0703 at melvex.xs4all.nl>
>> To: kerberos at mit.edu
>> Subject: Reading kerberos-adm from DNS: when will MIT-krb support this?
>>
>> Hi,
>>
>> In the release notes I read that in the future, MIT kerberos will be 
>> able to read the name of the administrative server from DNS (through 
>> kerberos-adm). Does anyone know when this is going to be implemented?
>>
>> MIT kerberos already implements the use of the other kerberos related 
>> DNS records, but kerberos-adm still requires a local krb5.conf
>>
>> Bastian
>>     
>
> I believe the future has already arrived.  Current MIT code should
> be capable of finding and using records like this:
>
> 	spam% dig _kerberos-adm._tcp.umich.edu srv
...
> 	;; QUESTION SECTION:
> 	;_kerberos-adm._tcp.umich.edu.  IN      SRV
>
> 	;; ANSWER SECTION:
> 	_kerberos-adm._tcp.umich.edu. 300 IN    SRV     0 0 749 fear.ifs.umich.edu.
>
> 	;; AUTHORITY SECTION:
>   
...

> Check out in the source krb5/src/lib/krb5/os/locate_kdc.c function
> dns_locate_server for a complete list of dns names.  Note that _udp
> vs. _tcp is service-dependent.
>
> Interesting obscure factoid:
> If your dns information lacks a _kerberos-master record (and you don't
> have a krb5.conf that specifies a master_kdc for your realm), MIT library
> code won't prompt to change the password for principals with expired passwords.
>
> 				-Marcus Watts
>   

In that case, I may have another problem, because my output from DNS is 
like this, but the client cannot run kadmin without admin_server in 
/etc/krb5.conf

Some output from dig:

$ dig _kerberos-adm._tcp.mydomain.com srv

; <<>> DiG 9.3.2 <<>> _kerberos-adm._tcp.mydomain.com srv
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51690
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_kerberos-adm._tcp.mydomain.com.    IN    SRV

;; ANSWER SECTION:
_kerberos-adm._tcp.mydomain.com.    3600 IN    SRV    0 0 749 kerberos.mydomain.com.

....

Some pieces of /etc/krb5.conf on the client

[libdefaults]
    default_realm = MYDOMAIN.COM.
    ...
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ...

[realms]
   MYDOMAIN.COM = {

    # admin_server = kerberos
    }


If I enable admin_server, I can run kadmin; if I comment it out, as 
above, kadmin aborts with the message

Authenticating as principal root/admin at MYDOMAIN.COM with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

(however, I *can* change the password with kpasswd)

Bastian
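The two places a client in this thread could learn its admin server from are a `_kerberos-adm._tcp` SRV record and an `admin_server` line in the `[realms]` stanza of krb5.conf. The following is an added example, not code from the thread or from MIT Kerberos: it parses a `dig ... srv` answer and a krb5.conf fragment (both constructed here to mirror the thread, including the commented-out `admin_server` line) and reports which source actually names an admin server, so the two can be compared before concluding that DNS discovery is not working. The SRV owner names used are the well-known ones from RFC 4120; the thread itself only mentions `_kerberos-adm._tcp` and `_kerberos-master`.

```python
"""Compare DNS and krb5.conf as sources of the Kerberos admin server.

Added example; not code from the mailing-list thread or from MIT krb5.
Sample inputs below are constructed to mirror the thread's output.
"""

# Well-known SRV labels from RFC 4120 section 7.2.3.3 (not copied from
# MIT's locate_kdc.c). _udp vs. _tcp is service-dependent.
SRV_SERVICES = {
    "kdc": ("_kerberos", "_udp"),
    "master_kdc": ("_kerberos-master", "_udp"),
    "admin_server": ("_kerberos-adm", "_tcp"),
    "kpasswd": ("_kpasswd", "_udp"),
}


def srv_name(service, realm):
    """Build the SRV owner name for a realm, e.g. _kerberos-adm._tcp.mydomain.com.

    DNS names are case-insensitive, so the realm is lowercased; a trailing dot
    (as in the default_realm line quoted in the thread) is stripped so the
    result does not end up with an empty label.
    """
    label, proto = SRV_SERVICES[service]
    return f"{label}.{proto}.{realm.rstrip('.').lower()}"


def parse_dig_srv(text):
    """Return (priority, weight, port, target) tuples from dig's ANSWER SECTION.

    Records are reassembled token by token, so an answer that a mail client
    wrapped onto two lines (as happened in the thread) still parses.
    """
    records, buf, in_answer = [], [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer and line.startswith(";;"):  # next section header
            break
        if not in_answer or not line.strip() or line.startswith(";"):
            continue
        buf.extend(line.split())
        if len(buf) >= 8:  # name ttl class type prio weight port target
            _name, _ttl, _cls, rtype, prio, weight, port, target = buf[:8]
            buf = buf[8:]
            if rtype == "SRV":
                records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def admin_server_from_conf(conf, realm):
    """Return the admin_server configured for `realm`, or None if absent.

    '#' starts a comment, so the thread's "# admin_server = kerberos" line
    counts as absent. Only the one-level nesting of [realms] is handled.
    """
    section = current_realm = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current_realm = line[1:-1], None
            continue
        if section != "realms":
            continue
        if line.endswith("{"):
            current_realm = line[:-1].split("=")[0].strip()
        elif line == "}":
            current_realm = None
        elif current_realm == realm and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "admin_server":
                return value
    return None


def admin_server_sources(conf, dig_output, realm):
    """Summarise where a client for `realm` could learn its admin server."""
    dns = [f"{t}:{port}" for _, _, port, t in sorted(parse_dig_srv(dig_output))]
    return {"srv_name": srv_name("admin_server", realm),
            "dns": dns,
            "krb5.conf": admin_server_from_conf(conf, realm)}


# Constructed sample dig output, modelled on the thread (wrapped answer kept).
SAMPLE_DIG = """\
; <<>> DiG 9.3.2 <<>> _kerberos-adm._tcp.mydomain.com srv
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51690
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_kerberos-adm._tcp.mydomain.com.    IN    SRV

;; ANSWER SECTION:
_kerberos-adm._tcp.mydomain.com.    3600 IN    SRV    0 0 749
kerberos.mydomain.com.

;; Query time: 1 msec
"""

# Constructed sample krb5.conf, modelled on the thread (admin_server commented out).
SAMPLE_CONF = """\
[libdefaults]
    default_realm = MYDOMAIN.COM.
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
   MYDOMAIN.COM = {
    # admin_server = kerberos
    }
"""

if __name__ == "__main__":
    for key, value in admin_server_sources(SAMPLE_CONF, SAMPLE_DIG, "MYDOMAIN.COM").items():
        print(f"{key:>10}: {value}")
```

With the thread's configuration the summary shows an admin server from DNS (`kerberos.mydomain.com:749`) and `None` from krb5.conf; uncommenting the `admin_server` line makes the krb5.conf entry appear, which matches the behaviour reported above.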


