Kerberos <-> Microsoft Active Directory & DNS

Michael B Allen ioplex at gmail.com
Wed Jan 28 15:27:51 EST 2009


On Wed, Jan 28, 2009 at 5:38 AM, Morten Sylvest Olsen
<mortenolsen at gmail.com> wrote:
> Hi,
>
> I have an issue integrating Kerberos to AD. I believe they have an
> error in their DNS setup (based on the amount of trouble I've had
> through the years with Active Directory and DNS, yuck), but I'd like a
> second opinion, before I yell at the AD admins.
>
> The problem is that a number of AD servers in a sub-domain/sub-realm
> resolve to a name in a higher-level domain when doing a reverse
> lookup.
>
> I.e. ad1.ext.domain.org -> 1.2.3.4
> When doing a reverse lookup on 1.2.3.4 I'd get ad1.domain.org
>
> This fools Kerberos and it tries to get a key for ldap/ad1.domain.org
> instead of ldap/ad1.ext.domain.org (MIT Kerberos 1.6.1 on redhat linux
> 5)
>
> I can work around it by messing with /etc/hosts, of course.
>
> Does anyone know whether this is a "supported" configuration for
> Kerberos?

Hi Morten,

It's not clear to me what component is doing a reverse lookup. What
software is actually getting the name mixed up? Is it an LDAP client?
What LDAP client with what Kerberos implementation? What exactly is
the hostname that you are using with said client? You're not using an
IP address where an FQDN hostname should be, right?

I'm not aware of any software that uses a reverse lookup to change the
hostname before composing the principal name used to request a ticket
(I would not be surprised if such a thing existed but if it did I
would consider it broken). Of course if you supplied an IP address
instead, the client would have to do a reverse lookup and that would
certainly explain the behavior you see (which I think I might still
consider broken). Or perhaps the client cannot resolve the hostname
that was supplied and there is some fallback code that is doing a
reverse lookup (which again I think I might still consider broken)?

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
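The canonicalization step the thread is arguing about, as an added example that is not code from either message, from MIT Kerberos, or from the Java/AD product in the signature: an MIT krb5 client building a service principal forward-resolves the supplied host and, by default, then replaces the name with whatever the PTR record for that address says; the knob that stops the reverse step in current MIT krb5 releases is `rdns = false` under `[libdefaults]`. The script below simulates that pipeline over a constructed in-memory DNS table that mirrors the thread's case (ad1.ext.domain.org -> 1.2.3.4, whose PTR says ad1.domain.org), plus a second, consistent host for contrast, and includes the forward/reverse consistency check an admin would run before blaming the AD team. The table, the host ad2.ext.domain.org and the function names are assumptions for illustration; CNAME chasing and realm mapping are left out.

```python
"""Simulated Kerberos service-principal canonicalization (added example).

Not code from the original thread or from MIT Kerberos. It mimics, in
simplified form, what an MIT krb5 client does in krb5_sname_to_principal():
forward-resolve the supplied host, then, when reverse lookups are enabled,
substitute the PTR result. DNS data is a constructed in-memory table so the
script runs offline.
"""
import ipaddress

# Constructed zone data: both forward records live in the sub-domain, but
# the PTR for 1.2.3.4 points back at a name in the parent domain.
FORWARD = {
    "ad1.ext.domain.org": "1.2.3.4",
    "ad2.ext.domain.org": "1.2.3.5",  # assumed second host, for contrast
}
REVERSE = {
    "1.2.3.4": "ad1.domain.org",      # inconsistent with the forward record
    "1.2.3.5": "ad2.ext.domain.org",  # consistent
}


def _normalize(name):
    """Lower-case and strip a trailing dot before the name is used."""
    return name.lower().rstrip(".")


def forward_lookup(name):
    """A-record lookup against the constructed table; None if absent."""
    return FORWARD.get(_normalize(name))


def reverse_lookup(addr):
    """PTR lookup against the constructed table; None if absent."""
    return REVERSE.get(addr)


def canonicalize_host(host, rdns=True):
    """Return the hostname the client would place in the principal.

    rdns=True models the default reverse-lookup step; rdns=False models the
    [libdefaults] rdns = false setting, which stops after the forward lookup.
    """
    try:
        ipaddress.ip_address(host)
        is_literal = True
    except ValueError:
        is_literal = False

    if is_literal:
        # An IP literal carries no name; only a PTR record can supply one.
        ptr = reverse_lookup(host)
        if ptr is None:
            raise LookupError("no PTR record for " + host)
        return _normalize(ptr)

    addr = forward_lookup(host)
    if addr is None:
        raise LookupError("cannot resolve " + host)
    if rdns:
        ptr = reverse_lookup(addr)
        if ptr is not None:
            # The PTR name wins, even when it sits in a different domain.
            return _normalize(ptr)
    return _normalize(host)


def sname_to_principal(service, host, rdns=True):
    """Compose service/host as the client would before asking the KDC."""
    return service + "/" + canonicalize_host(host, rdns)


def check_ptr_consistency(host):
    """The admin's check: does the PTR for the host's address name the host?"""
    addr = forward_lookup(host)
    ptr = reverse_lookup(addr) if addr is not None else None
    consistent = ptr is not None and _normalize(ptr) == _normalize(host)
    return {"host": host, "addr": addr, "ptr": ptr, "consistent": consistent}


if __name__ == "__main__":
    for h in FORWARD:
        print(check_ptr_consistency(h))
        print("  rdns on :", sname_to_principal("ldap", h))
        print("  rdns off:", sname_to_principal("ldap", h, rdns=False))
```

Against live DNS the two table lookups would be `socket.gethostbyname` and `socket.gethostbyaddr`; the consistency check is the same one `dig -x` plus a forward query would give you, and a False result for a domain controller is the evidence to hand the AD admins. Passing the IP literal instead of the FQDN lands on the PTR name no matter what, which is the second failure mode the reply describes.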
