IPv6_ONLY on Snow Leopard

nudge nudgemac at fastmail.fm
Tue Mar 20 08:18:42 EDT 2012


(Following on)

Regarding my query for IPv6, it alters with changing network conditions.
My problem was that when disconnected from the network Kerberos was only
listening on the IPv6 loopback, and I hadn't taken that into account in
my config.

Regarding the LKDC concept, a search of the archives revealed only one
(unrelated) thread in August 2009. 
So here's what I'm trying to do:

(on a laptop client)
[libdefaults]
dns_lookup_realm=true
dns_lookup_kdc=false
dns_fallback=yes
realm_try_domains=1
(etc)

[realms]
   EXAMPLE.COM = {
      admin_server = kdc.example.com
      kdc = kdc.example.com
      kadmind_port = 749
      kpasswd_port = 464
      kdc_tcp_ports = 88,750
      default_domain = example.com
      (etc)
   }
   LKDC:SHA1.somelonghash = {
      admin_server = fe80::1
      admin_server = 127.0.0.1
      kdc = fe80::1
      kdc = 127.0.0.1
      kadmind_port = 749
      kpasswd_port = 464
      default_domain = myhostname.local
      (etc)
   }
[domain_realm]
   myhostname.local = LKDC:SHA1.somelonghash
   example.com = EXAMPLE.COM
   .example.com = EXAMPLE.COM

So no default realm, it's selected according to changing network
conditions. When there's no network connection or no DNS available, the
hostname changes to myhostname.local and so the LKDC is used. If
connected to our internally controlled network the hostname changes to
myhostname.example.com and the network KDC is used. This seems to be a
possible solution for dealing with mobile clients. Does my config look
okay or perhaps it's better to make the LKDC the default realm ?

But what about when a mobile client connects via a network controlled by
someone else and gets given a different domain name ?

(:can I add this to my client config:)

    myhostname.* = EXAMPLE.COM
or
    myhostname.  = EXAMPLE.COM

I imagine that's not going to work. In which case, what workable options
do I have for this scenario please ? There's perhaps a cross realm
authentication solution, but I'd guess that it's a bad idea to install
krbtgt keytabs from the central KDC on my mobile clients. 

Also, if it's not asking too much, what are my options for peer to peer
authentication here ? 



On Sun, Mar 18, 2012, at 11:59 AM, nudge wrote:
> Dear list
> 
> I'm using Snow Leopard 10.6.8 server and clients (with no plans to
> upgrade) and trying to leverage this interesting LKDC system (that I
> heard MIT helped Apple develop).
> 
> Whilst testing a client it seems that Kerberos is listening on IPv6
> ports only (according to netstat). How can I control that, for instance
> to use IPv4 only ? 
> 
> Also, exactly what version of MIT Kerberos runs on Snow Leopard 10.6.8
> please ?
> 
> Apologies for any dumbness on my behalf but I've been unable to find
> out the answers.
> 
> Thanks in advance for any helpful information.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

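The following is an added example, not part of the post above: it models how MIT krb5 walks the [domain_realm] section to pick a realm for a host name (exact host name first, then each parent domain with a leading dot), so the mapping in the client config can be checked offline. The realm names are those from the post; the host names and the hash placeholder are constructed, and the wildcard line the post asks about is kept as a literal key to show that it never matches.

```python
# Added example: models krb5's [domain_realm] lookup order for a host name.
# Realm names come from the post; host names and the hash are constructed.

DOMAIN_REALM = {                         # mirrors the post's [domain_realm]
    "myhostname.local": "LKDC:SHA1.somelonghash",
    "example.com": "EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
    # the wildcard entry the post asks about: stored as a plain string key,
    # so it can only ever match a host literally named "myhostname.*"
    "myhostname.*": "EXAMPLE.COM",
}


def lookup_chain(host):
    """Candidate keys in the order krb5 tries them: the full host name
    (no leading dot, exact match), then every parent domain with a
    leading dot, most specific first.  Keys are compared lower-cased
    and a trailing dot on the host name is ignored."""
    host = host.rstrip(".").lower()
    chain = [host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        chain.append("." + ".".join(labels[i:]))
    return chain


def realm_for_host(host, mapping=DOMAIN_REALM):
    """Return the realm mapped for `host`, or None when no key matches.
    None is the case where krb5 would fall back to DNS (dns_lookup_realm)
    or to the realm_try_domains heuristic, which is not modelled here."""
    for key in lookup_chain(host):
        if key in mapping:
            return mapping[key]
    return None


if __name__ == "__main__":
    # constructed host names for the three network situations in the post
    for h in ("myhostname.local", "myhostname.example.com",
              "myhostname.someoneelse.net"):
        print(h, "->", realm_for_host(h))
```

A host name handed out by a foreign network therefore yields no mapping at all, which is why the wildcard entries cannot help: the config only knows the two literal domains it lists.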