What are the issues with dns_lookup_realm?
Jeffrey Altman
jaltman at secure-endpoints.com
Mon Oct 4 17:27:37 EDT 2010
On 10/4/2010 5:11 PM, Brian Candler wrote:
> On Mon, Oct 04, 2010 at 12:57:17PM -0400, Greg Hudson wrote:
>> On Mon, 2010-10-04 at 07:01 -0400, Brian Candler wrote:
>>> (1) What DNS lookups are made by the workstation and/or the server when a
>>> connection takes place?
>>
>> pc.foo.example.com looks up a TXT record for
>> _kerberos.server.bar.example.com.
>
> OK, that makes sense. The server doesn't care anything about the hostname/IP
> of the client, as the client has already authenticated into a particular
> realm. But the client has to work out which realm the server belongs to,
> and to trade tickets as necessary to prove its identity to the server in
> another realm.
>
> Which brings me to an aside: does this mean that all communication is
> initiated by the client to each KDC, except for the final server to its KDC?
> There's no KDC to KDC traffic?
There is no server to KDC traffic. It is all client to KDC.
> I'm particularly interested whether I can
> make the following scenario work with a NAT/PAT firewall:
>
>                          NAT
>                          +-+
> client ----------------> | | ----------------> server
>                          | |
>                          | |
> KDC for                  | |                 KDC for
> FOO.EXAMPLE.COM          | |                 BAR.EXAMPLE.COM
>                          +-+
>
> If the communication goes
> client -> KDC FOO
> client -> KDC BAR
> server -> KDC BAR
> then I think it should work. I'll need a more complex testbed to try it out
> though :-)
>
client -> server
client -> KDC FOO
client -> KDC BAR
client -> server
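As an added illustration of the lookup Greg describes (the client resolving a TXT record for _kerberos.server.bar.example.com to find the server's realm), the following Python models the client side of dns_lookup_realm. It is not krb5's code: the function names and the TXT zone are constructed, the parent-domain fallback mirrors how MIT krb5 walks from the host name up through its parent domains, and a static krb5.conf [domain_realm] mapping is consulted first, which is the usual way to stop an unsigned DNS answer from choosing the realm.

```python
"""Model of how a client maps a service host to a realm when
dns_lookup_realm is on (added example; not krb5's own code)."""

# Constructed stand-in for DNS: fully qualified name -> TXT strings.
# Real krb5 issues live TXT queries; answering from a dict keeps this offline.
CONSTRUCTED_TXT = {
    "_kerberos.bar.example.com": ["BAR.EXAMPLE.COM"],
    "_kerberos.foo.example.com": ["FOO.EXAMPLE.COM"],
    "_kerberos.example.com": ["EXAMPLE.COM"],
}


def txt_query_names(hostname):
    """Names queried in order: the host itself, then each parent domain."""
    labels = hostname.rstrip(".").lower().split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def static_realm(hostname, domain_realm):
    """Match krb5.conf [domain_realm]: exact host first, then '.parent' keys."""
    host = hostname.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def lookup_realm(hostname, domain_realm=None, zone=CONSTRUCTED_TXT):
    """Return (realm, source). [domain_realm] wins; DNS TXT is the fallback.

    source is "domain_realm" for a static hit, otherwise the TXT owner name
    that answered, so an operator can see which DNS answer chose the realm.
    """
    realm = static_realm(hostname, domain_realm or {})
    if realm:
        return realm, "domain_realm"
    for name in txt_query_names(hostname):
        answers = zone.get(name)
        if answers:
            return answers[0].strip().upper(), name
    return None, None


if __name__ == "__main__":
    print(lookup_realm("server.bar.example.com"))
    print(lookup_realm("pc.foo.example.com", {".foo.example.com": "FOO.EXAMPLE.COM"}))
```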