Reading kerberos-adm from DNS: when will MIT-krb support this?
Bastian
cpkrb0703 at melvex.xs4all.nl
Mon Mar 12 15:35:57 EDT 2007
Marcus Watts wrote:
> cpkrb0703 at melvex.xs4all.nl writes:
>
>> Date: Sun, 11 Mar 2007 22:24:44 +0100
>> From: Bastian <cpkrb0703 at melvex.xs4all.nl>
>> To: kerberos at mit.edu
>> Subject: Reading kerberos-adm from DNS: when will MIT-krb support this?
>>
>> Hi,
>>
>> In the release notes I read that in the future, MIT kerberos will be
>> able to read the name of the administrative server from DNS (through
>> kerberos-adm). Does anyone know when this is going to be implemented?
>>
>> MIT kerberos already implements the use of the other kerberos related
>> DNS records, but kerberos-adm still requires a local krb5.conf
>>
>> Bastian
>>
>
> I believe the future has already arrived. Current MIT code should
> be capable of finding and using records like this:
>
> spam% dig _kerberos-adm._tcp.umich.edu srv
...
> ;; QUESTION SECTION:
> ;_kerberos-adm._tcp.umich.edu. IN SRV
>
> ;; ANSWER SECTION:
> _kerberos-adm._tcp.umich.edu. 300 IN SRV 0 0 749 fear.ifs.umich.edu.
>
> ;; AUTHORITY SECTION:
>
...
> Check out in the source krb5/src/lib/krb5/os/locate_kdc.c function
> dns_locate_server for a complete list of dns names. Note that _udp
> vs. _tcp is service-dependent.
>
> Interesting obscure factoid:
> If your dns information lacks a _kerberos-master record (and you don't
> have a krb5.conf that specifies a master_kdc for your realm), MIT library
> code won't prompt to change the password for principals with expired passwords.
>
> -Marcus Watts
>
In that case, I may have another problem, because my output from DNS looks
like this, but the client cannot run kadmin without admin_server in
/etc/krb5.conf.
Some output from dig:
$ dig _kerberos-adm._tcp.mydomain.com srv
; <<>> DiG 9.3.2 <<>> _kerberos-adm._tcp.mydomain.com srv
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51690
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_kerberos-adm._tcp.mydomain.com. IN SRV
;; ANSWER SECTION:
_kerberos-adm._tcp.mydomain.com. 3600 IN SRV 0 0 749 kerberos.mydomain.com.
....
Some pieces of /etc/krb5.conf on the client:
[libdefaults]
    default_realm = MYDOMAIN.COM.
    ...
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ...
[realms]
    MYDOMAIN.COM = {
        # admin_server = kerberos
    }
If I enable admin_server, I can run kadmin; if I comment it out, like
above, kadmin aborts with the message
Authenticating as principal root/admin at MYDOMAIN.COM with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
(However, I *can* change the password with kpasswd.)
Bastian
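To make the two points in this thread concrete (which SRV names a client derives from a realm, with the transport depending on the service, and what a dig answer like the one above actually yields once parsed and ordered), here is an added example in Python. It is not MIT's code and not part of the original mail: the service-to-transport table is this example's own assumption (only _kerberos-adm._tcp is confirmed by the dig output in the thread; locate_kdc.c is the authoritative list), and the dig output it parses is constructed to mirror the mail, with a second, invented record added to show priority ordering.

```python
import random
import re
from dataclasses import dataclass

# Transports a client tries per service. _kerberos-adm._tcp is confirmed by
# the dig output in this thread; the other entries are this example's assumed
# mapping (dns_locate_server in locate_kdc.c is the authoritative list).
SRV_TRANSPORTS = {
    "kerberos": ("udp", "tcp"),
    "kerberos-master": ("udp", "tcp"),
    "kpasswd": ("udp",),
    "kerberos-adm": ("tcp",),
}

_LABELS = re.compile(r"(?:[A-Za-z0-9_-]+\.)+")  # fully qualified, dot-terminated


def srv_query_names(service, realm):
    """SRV owner names a client would query for `service` in `realm`.

    The realm is lowercased and made fully qualified, so MYDOMAIN.COM becomes
    _kerberos-adm._tcp.mydomain.com. as in the dig output above.
    """
    if service not in SRV_TRANSPORTS:
        raise ValueError(f"unknown Kerberos service {service!r}")
    zone = realm.lower()
    if not zone.endswith("."):
        zone += "."
    return [f"_{service}._{transport}.{zone}" for transport in SRV_TRANSPORTS[service]]


@dataclass(frozen=True)
class SrvRecord:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_dig_srv(text):
    """Pull SRV records out of dig output.

    Comment lines (';') are skipped, and a record whose target wrapped onto
    the following line (as in the mail above) is joined back together.
    """
    records, carry = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            carry = []
            continue
        tokens = carry + line.split()
        carry = []
        if len(tokens) < 4 or tokens[2:4] != ["IN", "SRV"]:
            continue
        if len(tokens) < 8:
            carry = tokens  # target is on the next line
            continue
        name, ttl, _, _, prio, weight, port, target = tokens[:8]
        if not _LABELS.fullmatch(target):
            continue  # not a hostname (e.g. an ellipsis in pasted output)
        records.append(SrvRecord(name.lower(), int(ttl), int(prio),
                                 int(weight), int(port), target))
    return records


def order_srv(records, rng=None):
    """Order candidates per RFC 2782: lowest priority first, then a
    weight-proportional random pick within each priority level."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            pick = rng.randint(0, sum(r.weight for r in bucket))
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    bucket.remove(rec)
                    break
    return ordered


def locate_servers(service, realm, dig_output, rng=None):
    """(host, port) candidates for `service`, keeping only answers whose
    owner name is one the client would actually have asked for."""
    wanted = set(srv_query_names(service, realm))
    found = [r for r in parse_dig_srv(dig_output) if r.name in wanted]
    return [(r.target.rstrip("."), r.port) for r in order_srv(found, rng)]


# Constructed sample modelled on the dig output in the mail above; the
# priority-10 record is invented to show ordering.
SAMPLE_DIG = """\
; <<>> DiG 9.3.2 <<>> _kerberos-adm._tcp.mydomain.com srv
;; QUESTION SECTION:
;_kerberos-adm._tcp.mydomain.com. IN SRV

;; ANSWER SECTION:
_kerberos-adm._tcp.mydomain.com. 3600 IN SRV 10 0 749 backup.mydomain.com.
_kerberos-adm._tcp.mydomain.com. 3600 IN SRV 0 0 749
kerberos.mydomain.com.
;; Query time: 1 msec
"""

if __name__ == "__main__":
    for name in srv_query_names("kerberos-adm", "MYDOMAIN.COM"):
        print("would query:", name)
    print("kadmin candidates:", locate_servers("kerberos-adm", "MYDOMAIN.COM", SAMPLE_DIG))
```

Running it against the sample prints the single _kerberos-adm._tcp name for the realm and the two candidates with the priority-0 host first. Feeding it real `dig` output for the other services (kerberos, kerberos-master, kpasswd) is a quick way to check that every name the client will ask for actually has an answer, since a missing _kerberos-master record is exactly the kind of gap Marcus describes.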