Kerberos <-> Microsoft Active Directory & DNS

Morten Sylvest Olsen mortenolsen at gmail.com
Wed Jan 28 16:57:53 EST 2009


On Jan 28, 9:27 pm, Michael B Allen <iop... at gmail.com> wrote:
> Hi Morten,
>
> It's not clear to me what component is doing a reverse lookup. What
> software is actually getting the name mixed up? Is it an LDAP client?
> What LDAP client with what Kerberos implementation? What exactly is
> the hostname that you are using with said client? You're not using an
> IP address where an FQDN hostname should be right?

No, I am not using numeric addresses. I think it happens inside the
Kerberos implementation: it correctly retrieves a TGT for the
subdomain using my TGT for the base domain, but fails when it tries to
get the service ticket. I can see the wrong principal used in the _REQ
packet (using Wireshark).

It could be the cyrus-sasl GSSAPI plugin as well. (The stack is
openldap -> SASL -> GSSAPI -> Kerberos).

> I'm not aware of any software that uses a reverse lookup to change the
> hostname before composing the principal name used to request a ticket
> (I would not be surprised if such a thing existed but if it did I
> would consider it broken).

Well, this is MIT Kerberos (on Linux). The MIT Kerberos libraries use
DNS reverse lookup for canonicalization in many places, afaik.

Obviously, that is not the case for AD. I have no idea how Heimdal
behaves. I guess your Java implementation doesn't either, judging from
your statements :)

/Morten
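The behaviour discussed in this message, forward resolution followed by a reverse (PTR) lookup that replaces the host part of the service principal, can be modelled offline to see why the TGS request ends up with an unexpected name. The following is an added illustration, not code from the thread, MIT Kerberos or cyrus-sasl; the DNS records, the hostnames `ldap.sub.example.com` / `dc1.example.com` and the realm `SUB.EXAMPLE.COM` are constructed, and the lookup logic is a simplified model rather than libkrb5's actual code.

```python
"""Model of how reverse-DNS canonicalization can change a Kerberos
service principal. Stand-alone example with constructed DNS tables;
it does not touch libkrb5 or the network."""

# Constructed DNS data (assumption, not taken from the mailing-list thread).
# forward: queried name -> (canonical name after CNAME chasing, address)
FORWARD = {
    "ldap.sub.example.com": ("ldap.sub.example.com", "192.0.2.10"),
    "alias.sub.example.com": ("ldap.sub.example.com", "192.0.2.10"),  # CNAME
}
# reverse: address -> PTR name; here the PTR points at a parent-domain name,
# which is exactly the situation that produces a surprising principal.
REVERSE = {
    "192.0.2.10": "dc1.example.com",
}


def canonicalize_host(hostname, forward=FORWARD, reverse=REVERSE, rdns=True):
    """Simplified model of the canonicalization step:
    1. forward lookup (follows CNAME) gives a canonical name and an address;
    2. if rdns is enabled and the address has a PTR record, the PTR name
       replaces the canonical name.
    Returns the lowercased host that would go into the principal."""
    host = hostname.rstrip(".").lower()
    canonical, addr = forward.get(host, (host, None))
    if rdns and addr is not None and addr in reverse:
        canonical = reverse[addr]
    return canonical.lower()


def service_principal(service, hostname, realm, rdns=True):
    """Build service/host@REALM from the canonicalized host."""
    return f"{service}/{canonicalize_host(hostname, rdns=rdns)}@{realm}"


def check_rdns_mismatch(service, hostname, realm):
    """Diagnostic: compare the principal built with and without the reverse
    lookup. Returns (without_rdns, with_rdns, mismatch). A mismatch means
    the PTR record, not the name you typed, decides which key the KDC
    must have, and is the first thing to verify against a packet capture."""
    without = service_principal(service, hostname, realm, rdns=False)
    with_rdns = service_principal(service, hostname, realm, rdns=True)
    return without, with_rdns, without != with_rdns


if __name__ == "__main__":
    for name in ("ldap.sub.example.com", "alias.sub.example.com"):
        without, with_rdns, mismatch = check_rdns_mismatch(
            "ldap", name, "SUB.EXAMPLE.COM")
        print(f"{name}: rdns=false -> {without}; rdns=true -> {with_rdns}"
              f"{' (MISMATCH)' if mismatch else ''}")
```

Running it shows `ldap/ldap.sub.example.com@SUB.EXAMPLE.COM` without the reverse step and `ldap/dc1.example.com@SUB.EXAMPLE.COM` with it, the same kind of substitution one would look for in the captured TGS request. On a real MIT krb5 client the reverse step is controlled by the `rdns` setting in the `[libdefaults]` section of krb5.conf; the model above only reproduces the effect so the PTR data of the host in question can be checked.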


