What are the issues with dns_lookup_realm ?
Brian Candler
B.Candler at pobox.com
Mon Oct 11 11:05:59 EDT 2010
On Mon, Oct 04, 2010 at 10:11:37PM +0100, Brian Candler wrote:
> Which brings me to an aside: does this mean that all communication is
> initiated by the client to each KDC, except for the final server to its KDC?
> There's no KDC to KDC traffic? I'm particularly interested whether I can
> make the following scenario work with a NAT/PAT firewall:
>
> NAT>
> +-+
> client ----------------> | | ----------------> server
> | |
> | |
> KDC for | | KDC for
> FOO.EXAMPLE.COM | | BAR.EXAMPLE.COM
> +-+
For the benefit of the list, I have set this up and it seems to work fine. I
am using vmware server. Getting the above scenario to work just involved
changing client and kdc.foo.example.com to a 'NAT' interface while
kdc.bar.example.com has a 'bridged' interface with its own IP.
* On client, do 'kinit' (gets ticket for candlerb at FOO.EXAMPLE.COM)
* On client, ssh to kdc.bar.example.com
* Cross-realm authentication works fine
I did some tcpdump testing.
When I do initial kinit: I see an exchange from client to kdc.foo only.
When I initiate ssh connection: apart from port 22 traffic I see
* kerberos exchange from client to kdc.foo
* reverse dns lookup on kdc.bar [probably sshd / tcp_wrappers]
* kerberos exchange from client to kdc.bar
kdc.bar doesn't have any /etc/hosts entry for the NAT external IP, so
doesn't seem to need it.
Regards,
Brian.
More information about the Kerberos
mailing list