kinit ignores kdc in config file on Mac 10.5

petesea at bigfoot.com
Thu Nov 13 12:47:38 EST 2008


On Thu, 13 Nov 2008, Tom Yu wrote:

> petesea at bigfoot.com writes:
>
>> I have a user with a Mac 10.5 system and it SEEMS like kinit is 
>> ignoring the kdc entries in the config file.  Instead it APPEARS to do 
>> a DNS query for the realm and then uses the A records returned and 
>> sends the kerberos
>
> Does it look up the A record for the realm name, instead of looking up 
> the SRV record for the realm name?

Yes... A, not SRV.  Oddly, the exact case of the realm it queries is 
mixed, e.g. COMPANY.com instead of COMPANY.COM.  The config file only 
uses all uppercase for the realm name and all lowercase for the domain 
name in the [domain_realm] section; it never uses mixed case.

I started tcpdump restricting the capture filter to only ports 88 
(Kerberos) and 53 (DNS), then ran kinit.  The tcpdump capture shows:

   - A query for an A record for the realm name by the client
   - A response from the DNS server with 4 IP addresses
   - An "AS-REQ" from the client to the 1st IP address
   - After 1 sec an "AS-REQ" from the client to the 2nd IP address
   - After 1 sec an "AS-REQ" from the client to the 3rd IP address
   - After 1 sec an "AS-REQ" from the client to the 4th IP address
   - After 7 secs a 2nd "AS-REQ" from the client to the 1st IP address
   - After 1 sec a 2nd "AS-REQ" from the client to the 2nd IP address
   - After 1 sec a 2nd "AS-REQ" from the client to the 4th IP address
   - After 5 secs a 3rd "AS-REQ" from the client to the 1st IP address
   - After 1 sec a 3rd "AS-REQ" from the client to the 2nd IP address
   - After 1 sec a 3rd "AS-REQ" from the client to the 4th IP address

There is no response to any of the AS-REQ packets.  At this point the 
kinit command fails with:

   Kerberos Login Failed: Cannot contact any KDC for requested realm

> Which config files are you changing?  There are several that could
> affect the result.

~/Library/Preferences/edu.mit.Kerberos.  I added the following lines to 
the "[libdefaults]" section:

   dns_lookup_kdc = false
   dns_lookup_realm = false
   dns_fallback = false

I've also made sure all of the following do NOT exist:

   /Library/Preferences/edu.mit.Kerberos
   /etc/krb5.conf
   /usr/etc/krb5.conf

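A small checker for the settings discussed in this thread, added here as an example and not code from the poster or from MIT Kerberos: it parses krb5.conf / edu.mit.Kerberos syntax, reports whether the three DNS switches in [libdefaults] are explicitly off, lists the kdc entries for a realm, and flags realm names whose case differs between [realms] and [domain_realm] (the COMPANY.com vs. COMPANY.COM mismatch noted above). Both sample configs are constructed; the hostnames kdc1.company.com and kdc2.company.com are placeholders.

```python
import re

# Constructed sample configs for illustration; not the poster's real files.
GOOD_CONFIG = """
[libdefaults]
    default_realm = COMPANY.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    dns_fallback = false

[realms]
    COMPANY.COM = {
        kdc = kdc1.company.com:88
        kdc = kdc2.company.com:88
        admin_server = kdc1.company.com
    }

[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
"""

BAD_CONFIG = """
[libdefaults]
    default_realm = COMPANY.COM
    dns_lookup_kdc = true     # client is allowed to query DNS for KDCs

[realms]
    COMPANY.COM = {
        kdc = kdc1.company.com
    }

[domain_realm]
    .company.com = COMPANY.com   # case does not match the [realms] entry
"""

SECTION_RE = re.compile(r"^\[(\S+)\]$")
KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Parse krb5.conf / edu.mit.Kerberos syntax into nested dicts.

    Plain keys map to a list of values (kdc may repeat);
    "name = { ... }" blocks map to a nested dict.
    """
    conf = {}
    stack = []  # innermost dict last; empty until the first [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue  # text before the first section header
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            existing = stack[-1].get(key)
            if isinstance(existing, list):
                existing.append(value)
            else:
                stack[-1][key] = [value]
    return conf


def dns_lookups_disabled(conf):
    """True per switch only when it is explicitly set to false/no/0.

    A missing key counts as not disabled: the library may still use DNS
    for KDC discovery unless dns_lookup_kdc is turned off.
    """
    ld = conf.get("libdefaults", {})
    result = {}
    for key in ("dns_lookup_kdc", "dns_lookup_realm", "dns_fallback"):
        values = ld.get(key, [])
        result[key] = bool(values) and values[-1].lower() in ("false", "no", "0")
    return result


def configured_kdcs(conf, realm):
    """kdc entries the client should use for `realm` without touching DNS."""
    block = conf.get("realms", {}).get(realm, {})
    return list(block.get("kdc", [])) if isinstance(block, dict) else []


def realm_case_issues(conf):
    """Flag [domain_realm] targets that match a [realms] name only ignoring case.

    Realm names are case-sensitive, so COMPANY.com and COMPANY.COM are
    different realms to the library and to the KDC.
    """
    issues = []
    names = [r for r, v in conf.get("realms", {}).items() if isinstance(v, dict)]
    by_upper = {r.upper(): r for r in names}
    for domain, mapped in conf.get("domain_realm", {}).items():
        for realm in mapped:
            if realm not in names and realm.upper() in by_upper:
                issues.append(f"[domain_realm] {domain} -> {realm}: case differs "
                              f"from [realms] entry {by_upper[realm.upper()]}")
    return issues


def diagnose(text, realm):
    """Summary of what the configuration asks the client to do for `realm`."""
    conf = parse_krb5_conf(text)
    return {"dns_disabled": dns_lookups_disabled(conf),
            "kdcs": configured_kdcs(conf, realm),
            "case_issues": realm_case_issues(conf)}


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, diagnose(text, "COMPANY.COM"))
```

Feed it the contents of each of the four files named in the post (the per-user edu.mit.Kerberos file, the system one under /Library/Preferences, /etc/krb5.conf and /usr/etc/krb5.conf) to see what each of them asks for. It only reports the configured intent; the tcpdump capture on ports 88 and 53 remains the way to confirm what the client actually does on the wire.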