kinit ignores kdc in config file on Mac 10.5

Ken Raeburn raeburn at MIT.EDU
Thu Nov 13 14:04:01 EST 2008


On Nov 13, 2008, at 12:47, petesea at bigfoot.com wrote:
> Yes... A, not SRV.  Oddly, the exact case of the realm it queries is
> mixed, eg:  COMPANY.com, instead of COMPANY.COM.  The config file only
> uses all uppercase for the realm name and all lowercase for the domain
> name in the [domain_realm] section, it never uses mixed case.

It's possible this is just an artifact of the local forwarding resolver code.  E.g., if it builds a tree with "com" below the root (because someone looked up something.com in lower case), and then someone looks up COMPANY.COM, it could add a node "COMPANY" below "com", and use those strings in building the query...

As to why it would try to contact a host matching the name of the realm, I don't know.  Our basic library code shouldn't do that, but Apple ships a couple of KDC-locating plugins in /System/Library/KerberosPlugins/KerberosFrameworkPlugins which I haven't looked at.  Our library code does allow plugins to override the config file; perhaps one of them is doing so.  Is the Mac joined to a domain?

If not, one of the plugins might be triggering anyways.  I'm not sure if it's safe to move them to another directory or "chmod 0" them, to try to see what's going on.  But doing it only briefly while you've got a command-line window open with a root shell would -- I would *guess* -- not be too risky.

>   - A query for an A record for the realm name by the client
>   - A response from the DNS server with 4 IP addresses
>   - An "AS-REQ" from the client to the 1st IP address
[...]

Curious, that's not quite the behavior I'd expect.

It shouldn't stop talking to the 3rd address after the first attempt, unless it got back a TCP RST, UDP response, or ICMP error, and decided it couldn't use that server.  And the delays between the passes (7s, then 5s) should start smaller than that, and increase.  (See around line 1160 in http://src.mit.edu/opengrok/xref/trunk/src/lib/krb5/os/sendto_kdc.c, that describes the library behavior, and what you'll see for UDP traffic; TCP connections are initiated in the first pass, but retransmissions would be managed by the OS kernel.)

But that's probably not important right now...

Ken
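As an added diagnostic example (not code from this thread or from MIT krb5), the following Python script parses a constructed krb5.conf laid out the way the poster describes (uppercase realm in [realms], lowercase domains in [domain_realm]) and reports which realm names the [realms] lookup actually matches, which is the first thing to check when a client appears to ignore a configured kdc. SAMPLE_KRB5_CONF and the host names in it are made up for the example.

```python
import re
from typing import Optional

# Constructed sample, modelled on the layout described in the thread (uppercase
# realm, lowercase domain names); it is not the poster's real krb5.conf.
SAMPLE_KRB5_CONF = """
[realms]
    COMPANY.COM = {
        kdc = kdc1.company.com
        kdc = kdc2.company.com
    }
[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
"""

def parse_krb5_conf(text: str) -> dict:
    """Minimal profile parser: [sections], key = value lines, one level of
    NAME = { ... } subsections; repeated keys (kdc) collect into lists."""
    conf, section, sub = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
        elif line.endswith("{"):
            sub = section.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            sub = None
        else:
            key, _, val = line.partition("=")
            target = sub if sub is not None else section
            target.setdefault(key.strip(), []).append(val.strip())
    return conf

def kdcs_for_realm(conf: dict, realm: str) -> list:
    """Explicit kdc entries; realm names are case-sensitive, so COMPANY.com finds none."""
    return conf.get("realms", {}).get(realm, {}).get("kdc", [])

def realm_for_host(conf: dict, host: str) -> Optional[str]:
    """[domain_realm] lookup: the exact host, then each parent domain with a leading dot."""
    mapping = conf.get("domain_realm", {})
    labels = host.lower().rstrip(".").split(".")  # hostnames compare case-insensitively
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand][0]
    return None
```

A realm that the [realms] lookup does not match (here, the mixed-case COMPANY.com) is exactly the case where the library has no kdc to use and falls back to DNS or to a locating plugin.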