What are the issues with dns_lookup_realm ?

Brian Candler B.Candler at pobox.com
Mon Oct 11 11:05:59 EDT 2010


On Mon, Oct 04, 2010 at 10:11:37PM +0100, Brian Candler wrote:
> Which brings me to an aside: does this mean that all communication is
> initiated by the client to each KDC, except for the final server to its KDC? 
> There's no KDC to KDC traffic?  I'm particularly interested whether I can
> make the following scenario work with a NAT/PAT firewall:
> 
>                               NAT>
>                               +-+
>     client  ----------------> | | ----------------> server
>                               | |
>                               | |
>      KDC for                  | |          KDC for
>   FOO.EXAMPLE.COM             | |      BAR.EXAMPLE.COM
>                               +-+

For the benefit of the list, I have set this up and it seems to work fine. I
am using VMware Server.  Getting the above scenario to work just involved
changing client and kdc.foo.example.com to a 'NAT' interface while
kdc.bar.example.com has a 'bridged' interface with its own IP.

* On client, do 'kinit' (gets ticket for candlerb at FOO.EXAMPLE.COM)
* On client, ssh to kdc.bar.example.com
* Cross-realm authentication works fine

I did some tcpdump testing.

When I do initial kinit: I see an exchange from client to kdc.foo only.

When I initiate ssh connection: apart from port 22 traffic I see
* Kerberos exchange from client to kdc.foo
* reverse DNS lookup on kdc.bar [probably sshd / tcp_wrappers]
* Kerberos exchange from client to kdc.bar

kdc.bar doesn't have any /etc/hosts entry for the NAT external IP, so
doesn't seem to need it.

Regards,

Brian.
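The tcpdump observation above (every Kerberos exchange is initiated by the client, none between the KDCs) can be checked mechanically before writing NAT/firewall rules. The following is an added example, not code from the original mail; the host addresses and capture lines are constructed to mirror the scenario, and the capture is assumed to be taken on the client's side of the NAT.

```python
"""Classify Kerberos (port 88) flows from tcpdump -n summary lines."""
import re
from collections import Counter

# Constructed host map for the scenario (assumed addresses, not real ones):
# client and kdc.foo sit behind the NAT, kdc.bar has its own address.
HOSTS = {
    "10.0.0.10": "client",
    "10.0.0.20": "kdc.foo.example.com",
    "192.0.2.20": "kdc.bar.example.com",
}
KDCS = {name for name in HOSTS.values() if name.startswith("kdc.")}

# tcpdump -n prints "IP src.sport > dst.dport:" for both UDP and TCP.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def kerberos_flows(lines):
    """Count (initiator, responder) pairs for packets sent *to* port 88.

    Only requests are counted, so a flow is attributed to the host that
    opened it no matter how many reply packets came back.
    """
    flows = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "88":
            continue
        src = HOSTS.get(m.group("src"), m.group("src"))
        dst = HOSTS.get(m.group("dst"), m.group("dst"))
        flows[(src, dst)] += 1
    return flows

def kdc_to_kdc(flows):
    """Flows with a KDC at both ends; the client-driven model predicts none."""
    return [pair for pair in flows if pair[0] in KDCS and pair[1] in KDCS]

# Constructed capture: kinit (AS exchange with kdc.foo), then ssh to kdc.bar
# (cross-realm TGT from kdc.foo, service ticket from kdc.bar).
SAMPLE = """\
12:00:01.000000 IP 10.0.0.10.40001 > 10.0.0.20.88: UDP, length 200
12:00:01.001000 IP 10.0.0.20.88 > 10.0.0.10.40001: UDP, length 700
12:00:05.000000 IP 10.0.0.10.40002 > 10.0.0.20.88: UDP, length 600
12:00:05.001000 IP 10.0.0.20.88 > 10.0.0.10.40002: UDP, length 900
12:00:05.010000 IP 10.0.0.10.40003 > 192.0.2.20.88: UDP, length 700
12:00:05.012000 IP 192.0.2.20.88 > 10.0.0.10.40003: UDP, length 950
""".splitlines()

if __name__ == "__main__":
    flows = kerberos_flows(SAMPLE)
    for (src, dst), n in sorted(flows.items()):
        print(f"{src} -> {dst}: {n} request(s)")
    print("KDC-to-KDC flows:", kdc_to_kdc(flows))
```

Feed it real `tcpdump -n` output with your own host map to confirm the only port 88 flows are outbound from the client before restricting the firewall to that.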
