Kerberos <-> Microsoft Active Directory & DNS

Michael B Allen ioplex at gmail.com
Wed Jan 28 20:25:51 EST 2009


On Wed, Jan 28, 2009 at 4:57 PM, Morten Sylvest Olsen
<mortenolsen at gmail.com> wrote:
> On Jan 28, 9:27 pm, Michael B Allen <iop... at gmail.com> wrote:
>> Hi Morten,
>>
>> It's not clear to me what component is doing a reverse lookup. What
>> software is actually getting the name mixed up? Is it an LDAP client?
>> What LDAP client with what Kerberos implementation? What exactly is
>> the hostname that you are using with said client? You're not using an
>> IP address where an FQDN hostname should be right?
>
> No, I am not using numeric addresses. I think it happens inside the
> Kerberos implementation, it correctly retrieves a tgt for the sub-
> domain using my TGT for the base domain, but fails when it tries to
> get the service ticket. I can see the wrong principal used in the _REQ
> packet (using wireshark).
>
> It could be the cyrus-sasl GSSAPI plugin as well. (The stack is
> openldap -> SASL -> GSSAPI -> Kerberos).
>
>> I'm not aware of any software that uses a reverse lookup to change the
>> hostname before composing the principal name used to request a ticket
>> (I would not be surprised if such a thing existed but if it did I
>> would consider it broken).
>
> Well, this is MIT Kerberos (on Linux). The MIT Kerberos libraries use
> DNS reverse lookup for canonicalization in many places, afaik.

I know more about Heimdal than I do MIT so I don't really know how MIT
actually uses DNS reverse lookups to discover names. But if I had to
guess I would be surprised if it didn't use reverse lookups only as a
last resort in the absence of sufficient information in either the
krb5.conf or derived from DNS (someone familiar w/ the MIT
implementation please step in and correct me if necessary). You might
want to make sure your client's krb5.conf has information about all of
the domains involved.

> Obviously, that is not the case for AD, I have no idea how Heimdal
> behaves.

I'm still not really sure what the codepath and point of failure is in
your use-case so I still can't give you a definitive answer. But
Windows clients do use DNS SRV queries A LOT to discover services.
That could be related to your issue.

In general, both the MIT and Heimdal clients are not optimized for a
Windows environment. We have an AD integration product that uses
Heimdal that we made a lot of changes to try to better emulate Windows
behavior.

> I guess your Java implementation doesn't either, judging from
> your statements :)

The Java solution referenced in my sig is actually NTLM (although that
product will eventually also support Kerberos too).

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
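The thread describes a service principal being composed from a reverse-lookup name rather than the name the client was given, and suggests making sure krb5.conf covers every domain involved. The following simulation is an added example, not code from the thread or from any Kerberos implementation: the DNS tables, the hostnames, the realm names and the two krb5.conf fragments are all constructed, and the lookup order (forward lookup, optional PTR lookup, then [domain_realm] mapping) is an assumption used to illustrate the effect, not a description of MIT's actual code path.

```python
# Constructed DNS data (not a real resolver): the LDAP server's forward name in
# the sub-domain, and a PTR record that points back to a different parent-domain
# name, which is the kind of mismatch the thread describes.
FORWARD = {"ldap.sub.example.com": "10.0.0.5"}
REVERSE = {"10.0.0.5": "dc01.example.com"}

# Constructed krb5.conf fragments: one that only knows the parent domain, and
# one that maps every domain involved.
CONF_PARENT_ONLY = """
[domain_realm]
    .example.com = EXAMPLE.COM
"""
CONF_ALL_DOMAINS = """
[domain_realm]
    .example.com = EXAMPLE.COM
    .sub.example.com = SUB.EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] mappings of a minimal krb5.conf as a dict."""
    mapping, in_section = {}, False
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[domain_realm]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping

def realm_for(host, domain_realm):
    """Exact host first, then parent domains longest to shortest; if nothing
    matches, fall back to the upper-cased parent domain."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return ".".join(labels[1:]).upper()

def service_principal(host, conf_text, use_rdns):
    """Compose ldap/<canonical host>@<REALM>: forward lookup, optional PTR
    lookup (the step that swaps in the wrong name), then realm mapping."""
    canonical = host.lower()
    ip = FORWARD.get(canonical)
    if use_rdns and ip in REVERSE:
        canonical = REVERSE[ip]
    return f"ldap/{canonical}@{realm_for(canonical, parse_domain_realm(conf_text))}"
```

With the PTR step enabled the principal names the wrong host; with it disabled but only the parent domain mapped, the host is right and the realm is wrong, which is what a mapping for every domain involved corrects. Compare the three results in Wireshark-style terms: the host part of the principal in the TGS-REQ is what the PTR step changes.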
