Question about dns_lookup_realm and domain_realm

Jeffrey Altman jaltman at secure-endpoints.com
Fri Jun 27 01:57:37 EDT 2008


Jos Backus wrote:
> On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
>> This behavior was most likely broken when the referrals code was added. 
>
> So it's a regression. Until this is fixed properly (which I don't claim my
> patch does :-) ) I'm possibly in need of a workaround. Do you see anything
> wrong with the patch as such?
There are several issues here.  First, DNS TXT records are known to be
insecure.  Turning them on for use in realm resolution provides for
convenience, but at the risk that your clients can be redirected to a realm
that you do not control.

Second, any domain_realm mapping for your domain .foo.com is going to
override the use of DNS lookups.  That is because local configuration data
is considered to be trustworthy, whereas DNS lookups are not.

In the case of two realms, PROD.FOO.COM and DEV.FOO.COM, some of your hosts
are in one and some are in the other.  By default you want PROD.FOO.COM to
be used.  However, for specific hosts you want DEV.FOO.COM.  Using the
config file you would specify

[domain_realm]
  devhost1.foo.com = DEV.FOO.COM
  .foo.com = PROD.FOO.COM

If you want to rely on DNS TXT records you have to make sure that there are
no mappings in the config file.  Then you would create records for

  _kerberos.devhost1.foo.com IN TXT DEV.FOO.COM
  _kerberos.foo.com IN TXT PROD.FOO.COM

Because DNS TXT records are insecure and there is a need to be able to
provide for centralized configuration data, Microsoft created the Kerberos
referrals mechanism.  Using referrals, a client asks the KDC belonging to
the TGT realm for a referral to the correct realm for the desired service
principal.  Referrals are used whenever there is not a local [domain_realm]
mapping.

The safe way to add DNS TXT records back into the equation would be to add
the DNS TXT lookup after the referrals request fails.


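The resolution order Jeffrey lays out above (local [domain_realm] first, then a referral from the TGT realm's KDC, and DNS TXT only as a last resort) is easy to get wrong, so here is an added example that models it in Python. This is illustrative code written for this page, not MIT krb5's implementation: the KDC side of the referral is simplified to "the KDC answers from its own domain_realm table", the TXT zone is an in-memory dictionary rather than a real DNS query, and every hostname and record in it is constructed. The `EVIL.EXAMPLE` record stands in for an attacker-controlled TXT answer and shows which resolution paths it can and cannot influence.

```python
"""Kerberos realm resolution for a service host, in the precedence described
in the post: [domain_realm] config, then KDC referral, then DNS TXT.

Illustrative model only; not MIT krb5 code.  All hosts, realms and DNS
records below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed client-side [domain_realm] section, as in the post.
DOMAIN_REALM = {
    "devhost1.foo.com": "DEV.FOO.COM",
    ".foo.com": "PROD.FOO.COM",
}

# Constructed TXT zone data.  The lab3 record is the attacker-injected one.
DNS_TXT = {
    "_kerberos.devhost1.foo.com": "DEV.FOO.COM",
    "_kerberos.foo.com": "PROD.FOO.COM",
    "_kerberos.lab3.foo.com": "EVIL.EXAMPLE",   # hypothetical poisoned record
    "_kerberos.bar.net": "BAR.NET",
}


def domain_realm_lookup(host: str, table: dict[str, str]) -> Optional[str]:
    """Exact hostname first, then each enclosing domain written with a
    leading dot, so the most specific entry wins (devhost1 before .foo.com)."""
    host = host.lower().rstrip(".")
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def dns_txt_lookup(host: str, zone: dict[str, str]) -> Optional[str]:
    """_kerberos.<host>, then _kerberos.<parent>, ... up to the TLD.
    Unauthenticated: whoever controls the answer controls the realm."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        if name in zone:
            return zone[name]
    return None


def referral_from_kdc(host: str, kdc_table: dict[str, str]) -> Optional[str]:
    """Simplified KDC: the TGT realm's KDC answers a referral request from its
    own (trusted, centrally managed) domain_realm table, or declines."""
    return domain_realm_lookup(host, kdc_table)


@dataclass
class Resolver:
    domain_realm: dict[str, str] = field(default_factory=dict)  # client krb5.conf
    kdc_domain_realm: dict[str, str] = field(default_factory=dict)  # what the KDC knows
    dns_lookup_realm: bool = False
    dns_zone: dict[str, str] = field(default_factory=dict)

    def resolve(self, host: str) -> Optional[tuple[str, str]]:
        """Return (realm, source) using the safe ordering from the post."""
        realm = domain_realm_lookup(host, self.domain_realm)
        if realm:
            return realm, "domain_realm"          # local config beats everything
        realm = referral_from_kdc(host, self.kdc_domain_realm)
        if realm:
            return realm, "referral"              # trusted, centrally managed
        if self.dns_lookup_realm:                 # only after the referral fails
            realm = dns_txt_lookup(host, self.dns_zone)
            if realm:
                return realm, "dns_txt"
        return None


def demo() -> dict[str, Optional[tuple[str, str]]]:
    """Three configurations a practitioner is likely to compare."""
    local = Resolver(domain_realm=DOMAIN_REALM, dns_lookup_realm=True, dns_zone=DNS_TXT)
    central = Resolver(kdc_domain_realm={".foo.com": "PROD.FOO.COM"},
                       dns_lookup_realm=True, dns_zone=DNS_TXT)
    no_dns = Resolver(kdc_domain_realm={".foo.com": "PROD.FOO.COM"})
    return {
        "local devhost1": local.resolve("devhost1.foo.com"),
        "local lab3 (poisoned TXT ignored)": local.resolve("lab3.foo.com"),
        "referral lab3 (poisoned TXT ignored)": central.resolve("lab3.foo.com"),
        "dns fallback box.bar.net": central.resolve("box.bar.net"),
        "no dns box.bar.net": no_dns.resolve("box.bar.net"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:40s} -> {result}")
```

The point the output makes is the one in the post: with a `.foo.com` entry in the local config, or a KDC that can answer the referral, the poisoned `_kerberos.lab3.foo.com` record is never consulted; it only decides the realm for a host that neither the client config nor the KDC knows about, and only when `dns_lookup_realm` is enabled.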

