Kerberos canonicalization problem

Lorenzo Costanzia lorenzo.c at temporaryforwarding.com
Sat Feb 14 06:38:45 EST 2009 

On 2009-02-13 19:41:41 +0100, Ken Raeburn <raeburn at MIT.EDU> said:

> 
> On Feb 13, 2009, at 06:23, Lorenzo Costanzia wrote:
> 
>> Hi everybody,
>> 
>> I'm trying to set up a AFP server with (MIT) Kerberos authentication
>> and DNS service discovery (aka Bonjour, see http://www.dns-sd.org/) in
>> my home network (which uses a private .lan top level domain). The AFP
>> server works beautifully when connecting "directly" to it.
>> 
>> But when I try to connect to the AFP after discovery via dns-sd, the
>> client tries to fetch a
>> "afpserver/afp.lan. at MYREALM.LAN" ticket (note the trailing dot in the
>> SPN), which doesn't exist, so authentication fails. (This is btw the
>> correct behavior of dns-sd, which always gives back the more verbose
>> "form" of the hostname with trailing dot.)
> 
> I'm not familiar with dns-sd, but my first thought would be that the  
> correct behavior for the resolver APIs for producing fully-qualified  
> DNS names is to omit the dot.  (There is the argument that the  
> trailing dot indicates it's anchored at the root instead of possibly a  
> relative name, but in some cases where a name is unambiguously known  
> to be fully-qualified, including some standard APIs, the trailing dot  
> is omitted.)  I've looked at a few pages on the dns-sd.org web pages,  
> and it just sounds to me like they're just being aggressive about  
> making the names explicitly fully-qualified when the option is  
> available.  But they're talking about GUIs like web browsers, and I'm  
> interested in programming APIs.

You're right. I stated above that the "dotted form" is the correct 
behavior, but in the RFC doesn't explicitly say so. But as far as I 
understood, Apples implementation (which is the main proponent of 
Bonjour) _does_ return the dotted form, so their applications like 
Safari, iChat and especially the AFP client built into the Finder use 
also this form. There is not much I can do about it.

> The standard DNS-host-based principal representation in Kerberos is  
> for the second component to be the fully-qualified domain name,  
> without the trailing dot.
> 
> At some point, the hostname gets translated into a principal name.  It  
> might be the right answer for the trailing dot to be omitted at that  
> point -- but then, without knowing why or how dns-sd is special in one  
> case, I have no idea whether it should be treated specially in the  
> other case.

I personally think this would be the right way, as the dot explicitly 
states: this is a FQDN, there's no need to canonicalize the hostname 
further, simply remove the trailing dot and use it. And I guess there 
are not many way this root label (the dot) would get appended if it 
_were not_ a FQDN, so it should work out in most situations.
But your mileage may vary, and of course when introducing a new 
arbitrary (albeit somewhat understandable) rule one should always 
balance benefits and drawbacks (in this case potential confusion)...

> Actually, it looks like we *have* code in one of the code paths (in  
> the library function krb5_sname_to_principal) for removing a trailing  
> dot, because the Windows APIs (in at least one beta version) behaved  
> differently from everyone else.  So I don't think they're using that  
> function to generate principal names.  Which leads to the question of  
> how the AFP client *is* generating principal names; perhaps it's a bug  
> in that code?  Do you have access to the AFP client code, to see what  
> it's doing?

No, it's proprietary software, and I'm using Mac OS X. As said above, I 
guess that this behavior is intentional, see 
http://developer.apple.com/documentation/Cocoa/Conceptual/NetServices/Articles/domainnames.html#//apple_ref/doc/uid/TP40002460 
where they explain specifically the meaning of the trailing dot.

>> Now I can't simply add "afpserver/afp.lan." principal, as the AFP
>> server accepts only one principal,
> 
> That's arguably a bug, as even with ordinary DNS a host could have  
> multiple names mapping to its IP address(es).

I agree.

>> and I want to be able to connect
>> both "directly" and via dns-sd.
> 
> 
>> However, when the client connects to the KDC asking for that
>> nonexistent service principal, the "canonicalization" flag is set, but
>> the KDC doesn't care and reports KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
>> 
>> Now is there a way to activate kdc-side canonicalization and/or  setup a
>> static alias between "afpserver/afp.lan." and "afpserver/afp.lan"?
> 
> Not currently, no.  In the 1.7 alpha release we recently put out,  
> there are hooks for the database back end (which may be turning into  
> "the interface to the rest of all your infrastructure including  
> Kerberos principal data and other things") to do alias processing, but  
> we don't have any alias processing currently defined in the database  
> back ends we ship, nor any general heuristics applied in the main KDC  
> code.
> 
> If you feel like writing KDC code, I could probably tell you where to  
> look to drop it in...

Thanks for the offer, however, I'm not a programmer...
> 
> Ken

Thank you for your long and informative answer.

Take care,
Lorenzo Costanzia

More information about the Kerberos mailing list