Question about dns_lookup_realm and domain_realm
Jeffrey Altman
jaltman at secure-endpoints.com
Fri Jun 27 01:57:37 EDT 2008
Jos Backus wrote:
> On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
>> This behavior was most likely broken when the referrals code was added.
>
> So it's a regression. Until this is fixed properly (which I don't claim my
> patch does :-) ) I'm possibly in need of a workaround. Do you see anything wrong
> with the patch as such?
There are several issues here. First, DNS TXT records are known to be insecure. Turning them on for use in realm resolution provides for convenience but at the risk that your clients can be redirected to a realm that you do not control.

Second, any domain_realm mapping for your domain .foo.com is going to override the use of DNS lookups. That is because local configuration data is considered to be trustworthy whereas DNS lookups are not.

In the case of two realms, PROD.FOO.COM and DEV.FOO.COM, some of your hosts are in one and some are in the other. By default you want PROD.FOO.COM to be used. However, for specific hosts you want DEV.FOO.COM. Using the config file you would specify

  [domain_realm]
      devhost1.foo.com = DEV.FOO.COM
      .foo.com = PROD.FOO.COM

If you want to rely on DNS TXT records you have to make sure that there are no mappings in the config file. Then you would create records for

  _kerberos.devhost1.foo.com IN TXT DEV.FOO.COM
  _kerberos.foo.com IN TXT PROD.FOO.COM
Because DNS TXT records are insecure and there is a need to be able to provide for centralized configuration data, Microsoft created the Kerberos referrals mechanism. Using referrals a client asks the KDC belonging to the TGT realm for a referral to the correct realm for the desired service principal. Referrals are used whenever there is not a local [domain_realm] mapping.

The safe way to add DNS TXT records back into the equation would be to add the DNS TXT lookup after the referrals request fails.
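As an added example (not code from this thread or from MIT krb5), here is a small Python model of the precedence Jeffrey describes: a [domain_realm] entry always wins, and _kerberos TXT records are consulted only when the config has no match and dns_lookup_realm is on. The config section and the TXT answers are constructed in-memory tables (nothing is queried over the network), and the suffix-walking order is a simplified approximation of the library's matching rules.

```python
# Added example, not from the thread or MIT krb5: model of realm-lookup precedence.

DOMAIN_REALM = {                       # constructed [domain_realm] section
    "devhost1.foo.com": "DEV.FOO.COM",
    ".foo.com": "PROD.FOO.COM",
}

FAKE_DNS_TXT = {                       # constructed _kerberos TXT answers
    "_kerberos.devhost1.foo.com": "DEV.FOO.COM",
    "_kerberos.foo.com": "PROD.FOO.COM",
    # Unauthenticated answers: these only take effect when the config has
    # no matching entry and dns_lookup_realm is on.
    "_kerberos.webhost.foo.com": "ROGUE.EXAMPLE",
    "_kerberos.bar.com": "ROGUE.EXAMPLE",
}

def suffixes(host):
    """Yield the host, then each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def realm_from_config(host, domain_realm=DOMAIN_REALM):
    """Exact hostname first, then '.parent' entries, most specific first
    (a simplified approximation of the library's matching order)."""
    for i, candidate in enumerate(suffixes(host)):
        key = candidate if i == 0 else "." + candidate
        if key in domain_realm:
            return domain_realm[key]
    return None

def realm_from_dns(host, txt=FAKE_DNS_TXT):
    """Look up _kerberos.<host> TXT, then walk up the parent domains."""
    for candidate in suffixes(host):
        realm = txt.get("_kerberos." + candidate)
        if realm:
            return realm
    return None

def resolve_realm(host, dns_lookup_realm=False):
    """Return (realm, source). Local config is trusted and always wins;
    DNS is consulted only when enabled and the config has no mapping."""
    realm = realm_from_config(host)
    if realm:
        return realm, "domain_realm"
    if dns_lookup_realm:
        realm = realm_from_dns(host)
        if realm:
            return realm, "dns_txt"    # unauthenticated answer
    return None, None
```

With the tables above, webhost.foo.com resolves to PROD.FOO.COM even with DNS enabled because the .foo.com config entry overrides the TXT record, while host.bar.com (no config entry) falls through to whatever DNS says.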