What are the issues with dns_lookup_realm ?

Jeffrey Altman jaltman at secure-endpoints.com
Mon Oct 4 17:27:37 EDT 2010


On 10/4/2010 5:11 PM, Brian Candler wrote:
> On Mon, Oct 04, 2010 at 12:57:17PM -0400, Greg Hudson wrote:
>> On Mon, 2010-10-04 at 07:01 -0400, Brian Candler wrote:
>>> (1) What DNS lookups are made by the workstation and/or the server when a
>>> connection takes place?
>>
>> pc.foo.example.com looks up a TXT record for
>> _kerberos.server.bar.example.com.
>
> OK, that makes sense. The server doesn't care anything about the hostname/IP
> of the client, as the client has already authenticated into a particular
> realm.  But the client has to work out which realm the server belongs to,
> and to trade tickets as necessary to prove its identity to the server in
> another realm.
>
> Which brings me to an aside: does this mean that all communication is
> initiated by the client to each KDC, except for the final server to its KDC? 
> There's no KDC to KDC traffic?  

There is no server to KDC traffic.  It is all client to KDC.

> I'm particularly interested whether I can
> make the following scenario work with a NAT/PAT firewall:
>
>                               NAT>
>                               +-+
>     client  ----------------> | | ----------------> server
>                               | |
>                               | |
>      KDC for                  | |          KDC for
>   FOO.EXAMPLE.COM             | |      BAR.EXAMPLE.COM
>                               +-+
>
> If the communication goes
>   client -> KDC FOO
>   client -> KDC BAR
>   server -> KDC BAR
> then I think it should work. I'll need a more complex testbed to try it out
> though :-)
>

client -> server
client -> KDC FOO
client -> KDC BAR
client -> server
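The two points above (the client maps the server's hostname to a realm through a `_kerberos.<name>` TXT record, and every exchange that follows is opened by the client) can be made concrete in code. The following is an added example, not code from the thread or from MIT krb5: the DNS zone is a constructed in-memory dictionary, the walk up the domain labels after `_kerberos.server.bar.example.com` is an assumption about how the lookup proceeds (the thread only shows the first name), and the principal names and the "empty credential cache" starting point are assumptions too. The TXT answer is plain unauthenticated DNS, which is why a forged answer can point a client at a KDC of the forger's choosing and why MIT krb5 ships with `dns_lookup_realm` off by default; the mapping below is only safe on a resolver path you trust.

```python
"""Added example (not from the thread): hostname-to-realm mapping via TXT
records as used by dns_lookup_realm, and the connections the client then opens.
The DNS zone below is constructed, not a live resolver."""

from dataclasses import dataclass

# Constructed TXT records, keyed by owner name.  The realm for hosts under
# bar.example.com is published at the domain level; server.bar.example.com
# itself has no record, so the lookup has to walk up the labels.
FAKE_TXT_ZONE = {
    "_kerberos.bar.example.com": "BAR.EXAMPLE.COM",
    "_kerberos.foo.example.com": "FOO.EXAMPLE.COM",
}


def realm_candidates(hostname):
    """Names tried in order: _kerberos.<host>, then each parent domain, stopping
    before the top-level label.  (Assumption: mirrors the label walk krb5 does;
    the thread only shows the first name, _kerberos.server.bar.example.com.)"""
    labels = hostname.rstrip(".").lower().split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels) - 1)]


def lookup_realm(hostname, zone=FAKE_TXT_ZONE):
    """Return (owner name that answered, realm) or (None, None)."""
    for name in realm_candidates(hostname):
        realm = zone.get(name)
        if realm is not None:
            return name, realm
    return None, None


@dataclass(frozen=True)
class Exchange:
    src: str   # who opens the connection
    dst: str   # who receives it
    what: str  # the message carried


def client_exchanges(client_realm, server_host, zone=FAKE_TXT_ZONE):
    """Every connection opened to reach server_host, in order, starting from an
    empty credential cache (assumption).  None originates at the server or at a
    KDC, which is what makes the NAT scenario in the thread workable."""
    _, server_realm = lookup_realm(server_host, zone)
    if server_realm is None:
        raise ValueError("no TXT realm mapping for " + server_host)
    steps = [
        # First line of the reply above: the application connection itself.
        Exchange("client", server_host, "application connection"),
        Exchange("client", "KDC " + client_realm,
                 "AS-REQ: TGT for " + client_realm),
    ]
    if server_realm != client_realm:
        # Cross-realm: the home KDC issues a TGT usable at the foreign KDC.
        steps.append(Exchange("client", "KDC " + client_realm,
                              "TGS-REQ: cross-realm TGT krbtgt/%s@%s"
                              % (server_realm, client_realm)))
    steps.append(Exchange("client", "KDC " + server_realm,
                          "TGS-REQ: service ticket host/%s@%s"
                          % (server_host, server_realm)))
    steps.append(Exchange("client", server_host,
                          "AP-REQ carrying the service ticket"))
    return steps


def all_client_initiated(steps):
    """True when a firewall only has to allow outbound client connections."""
    return all(s.src == "client" for s in steps)


if __name__ == "__main__":
    name, realm = lookup_realm("server.bar.example.com")
    print("realm from %s: %s" % (name, realm))
    for s in client_exchanges("FOO.EXAMPLE.COM", "server.bar.example.com"):
        print("%s -> %s : %s" % (s.src, s.dst, s.what))
```

Run as a script it prints the answering TXT owner name and the ordered client-opened connections for the FOO.EXAMPLE.COM client talking to server.bar.example.com; calling `client_exchanges` with the client and server in the same realm drops the cross-realm TGS-REQ.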



