Kerberos <-> Microsoft Active Directory & DNS

Morten Sylvest Olsen mortenolsen at gmail.com
Thu Jan 29 04:58:38 EST 2009


On Jan 29, 2:25 am, Michael B Allen <iop... at gmail.com> wrote:
> >> I'm not aware of any software that uses a reverse lookup to change the
> >> hostname before composing the principal name used to request a ticket
> >> (I would not be surprised if such a thing existed but if it did I
> >> would consider it broken).
>
> > Well, this is MIT Kerberos (on Linux). The MIT Kerberos libraries use
> > DNS reverse lookup for canonicalization in many places, afaik.
>
> I know more about Heimdal than I do MIT so I don't really know how MIT
> actually uses DNS reverse lookups to discover names. But if I had to
> guess I would be surprised if it didn't use reverse lookups only as a
> last resort in the absence of sufficient information in either the
> krb5.conf or derived from DNS (someone familiar w/ the MIT
> implementation please step in and correct me if necessary). You might
> want to make sure your client's krb5.conf has information about all of
> the domains involved.

Well, that would kind of defeat the entire purpose of not having to,
because DNS SRV lookups are used for finding KDCs,
and AD afaik *always* has a 1-1 mapping between domains and realms?
Normally, it isn't necessary to configure anything except
dns_lookup_realm and dns_lookup_kdc, when I've previously integrated
with ADs.

> In general, both the MIT and Heimdal clients are not optimized for a
> Windows environment. We have an AD integration product that uses
> Heimdal that we made a lot of changes to try to better emulate Windows
> behavior.

Yes, I can imagine that. I believe the Samba people have had a lot of
issues as well. I resorted to reading the code; I guess somebody at
MIT agrees with you:

    if (maybe_use_reverse_dns(context, DEFAULT_RDNS_LOOKUP)) {
        /*
         * Do a reverse resolution to get the full name, just in
         * case there's some funny business going on.  If there
         * isn't an in-addr record, give up.
         */
        /* XXX: This is *so* bogus.  There are several cases where
           this won't get us the canonical name of the host, but
           this is what we've trained people to expect.  We'll
           probably fix it at some point, but let's try to
           preserve the current behavior and only shake things up
           once when it comes time to fix this lossage.  */

For posterity, I did find a good thread on this exact problem on the
MIT kerberos mailing list:

http://mailman.mit.edu/pipermail/krbdev/2005-September/003724.html

The AD administrators have actually conceded that the DNS may be
wrong, I'm not sure whether they'll be able to change it. We'd have to
use krb5.conf or hosts tricks otherwise.

Thanks for your input,

/Morten
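The following is an added illustration, not code from this thread or from the MIT krb5 tree: a small in-memory model of the canonicalization step the quoted comment belongs to (forward-resolve the host, replace the name with whatever the PTR record says, then derive the realm). It runs offline against a constructed zone in which one PTR record is stale, which is exactly the situation Morten describes. The `rdns` flag stands in for the `rdns` setting in the [libdefaults] section of krb5.conf; all hostnames, addresses, realms and the [domain_realm] map are made up, and the realm-selection and no-PTR fallback logic are a simplification of what the library does, not a copy of it.

```python
"""Model of krb5's hostname -> service-principal canonicalization.

Constructed example, not code from the krb5 sources.  The resolver is an
in-memory dict so this runs offline; every name, address and realm below
is invented for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class FakeResolver:
    """Stand-in for getaddrinfo()/getnameinfo(); all keys are lower-case."""
    cname: dict = field(default_factory=dict)   # alias -> canonical name
    a: dict = field(default_factory=dict)       # canonical name -> address
    ptr: dict = field(default_factory=dict)     # address -> name (may be wrong)

    def forward(self, host):
        """Follow CNAMEs, then return (canonical name, address) or None."""
        name = host.lower().rstrip(".")
        seen = set()
        while name in self.cname:
            if name in seen:                    # CNAME loop: unresolvable
                return None
            seen.add(name)
            name = self.cname[name]
        if name not in self.a:
            return None
        return name, self.a[name]

    def reverse(self, addr):
        return self.ptr.get(addr)


def realm_for_host(host, domain_realm):
    """[domain_realm]-style mapping: the nearest matching parent domain wins;
    otherwise fall back to the uppercased parent domain (a simplification of
    krb5's last-resort guess, assumed here)."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()


def sname_to_principal(service, host, resolver, domain_realm, rdns=True):
    """Compose service/canonical-host@REALM: forward-resolve, optionally
    swap the name for the PTR result, then pick a realm.  None if the host
    does not resolve at all."""
    fwd = resolver.forward(host)
    if fwd is None:
        return None
    canon, addr = fwd
    if rdns:
        # Whoever controls the reverse zone for addr now controls the
        # principal we ask the KDC for.  No PTR: keep the forward name
        # (assumed fallback); wrong PTR: silently use the wrong name.
        rev = resolver.reverse(addr)
        if rev:
            canon = rev.lower().rstrip(".")
    return f"{service}/{canon}@{realm_for_host(canon, domain_realm)}"


# Constructed zone: web01 was moved out of a lab subnet, but the PTR record
# for its new address was never updated; db01 has no PTR record at all.
DNS = FakeResolver(
    cname={"intranet.corp.example.com": "web01.corp.example.com"},
    a={"web01.corp.example.com": "10.0.5.20",
       "db01.corp.example.com": "10.0.5.30",
       "fs01.lab.example.net": "10.0.7.9"},
    ptr={"10.0.5.20": "old-web.lab.example.net",    # stale PTR
         "10.0.7.9": "fs01.lab.example.net"},
)
DOMAIN_REALM = {".corp.example.com": "CORP.EXAMPLE.COM",
                ".lab.example.net": "LAB.EXAMPLE.NET"}


def demo():
    """Principal names the client would request under each condition."""
    return {
        "rdns_on": sname_to_principal("host", "intranet.corp.example.com",
                                      DNS, DOMAIN_REALM, rdns=True),
        "rdns_off": sname_to_principal("host", "intranet.corp.example.com",
                                       DNS, DOMAIN_REALM, rdns=False),
        "no_ptr": sname_to_principal("host", "db01.corp.example.com",
                                     DNS, DOMAIN_REALM),
        "consistent": sname_to_principal("host", "fs01.lab.example.net",
                                         DNS, DOMAIN_REALM),
    }


if __name__ == "__main__":
    for label, principal in demo().items():
        print(f"{label:11s} {principal}")
```

With the stale PTR and reverse lookups enabled, the client asks for host/old-web.lab.example.net@LAB.EXAMPLE.NET: the wrong host name and, because the realm is derived from the canonicalized name, the wrong realm and therefore the wrong KDC. With `rdns` off it asks for host/web01.corp.example.com@CORP.EXAMPLE.COM, which is what the forward lookup and the [domain_realm] map already determined; a missing PTR record is harmless either way. That is the same trade-off the "hosts tricks" above would paper over: if you cannot get the reverse zone fixed, turning off reverse canonicalization removes a dependency on data you do not control.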
