IPv6_ONLY on Snow Leopard
nudge
nudgemac at fastmail.fm
Tue Mar 20 08:18:42 EDT 2012
(Following on)
Regarding my query for IPv6, it alters with changing network conditions.
My problem was that when disconnected from the network Kerberos was only
listening on the IPv6 loopback, and I hadn't taken that into account in
my config.
Regarding the LKDC concept, a search of the archives revealed only one
(unrelated) thread in August 2009.
So here's what I'm trying to do:
(on a laptop client)
[libdefaults]
dns_lookup_realm=true
dns_lookup_kdc=false
dns_fallback=yes
realm_try_domains=1
(etc)
[realms]
EXAMPLE.COM = {
admin_server = kdc.example.com
kdc = kdc.example.com
kadmind_port = 749
kpasswd_port = 464
kdc_tcp_ports = 88,750
default_domain = example.com
(etc)
}
LKDC:SHA1.somelonghash = {
admin_server = fe80::1
admin_server = 127.0.0.1
kdc = fe80::1
kdc = 127.0.0.1
kadmind_port = 749
kpasswd_port = 464
default_domain = myhostname.local
(etc)
}
[domain_realm]
myhostname.local = LKDC:SHA1.somelonghash
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
So no default realm, it's selected according to changing network
conditions. When there's no network connection or no DNS available, the
hostname changes to myhostname.local and so the LKDC is used. If
connected to our internally controlled network the hostname changes to
myhostname.example.com and the network KDC is used. This seems to be a
possible solution for dealing with mobile clients. Does my config look
okay or perhaps it's better to make the LKDC the default realm ?
But what about when a mobile client connects via a network controlled by
someone else and gets given a different domain name ?
(:can I add this to my client config:)
myhostname.* = EXAMPLE.COM
or
myhostname. = EXAMPLE.COM
I imagine that's not going to work. In which case, what workable options
do I have for this scenario please ? There's perhaps a cross realm
authentication solution, but I'd guess that it's a bad idea to install
krbtgt keytabs from the central KDC on my mobile clients.
Also, if it's not asking too much, what are my options for peer to peer
authentication here ?
On Sun, Mar 18, 2012, at 11:59 AM, nudge wrote:
> Dear list
>
> I'm using Snow Leopard 10.6.8 server and clients (with no plans to
> upgrade) and trying to leverage this interesting LKDC system (that I
> heard MIT helped Apple develop).
>
> Whilst testing a client it seems that Kerberos is listening on IPv6
> ports only (according to netstat). How can I control that, for instance
> to use IPv4 only ?
>
> Also, exactly what version of MIT Kerberos runs on Snow Leopard 10.6.8
> please ?
>
> Apologies for any dumbness on my behalf but I've been unable to find
> out the answers.
>
> Thanks in advance for any helpful information.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
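The [domain_realm] lookup that the config above relies on, as an added example (not the poster's own code and not code from MIT krb5), modelled on the documented static-map lookup order: the exact hostname first, then each parent domain written with a leading dot. The hostnames and the foreign-network domain are constructed; the DNS TXT fallback that dns_lookup_realm enables is not modelled.

```python
"""Model of the static [domain_realm] lookup from the krb5.conf in the post.

Added example. It imitates the documented MIT krb5 lookup order for the
static map only: exact hostname match, then progressively shorter parent
domains with a leading dot. The DNS fallback (dns_lookup_realm) is out of
scope, so a None result here means "no static mapping".
"""
from typing import Dict, Optional

# Constructed table mirroring the [domain_realm] section in the post.
DOMAIN_REALM: Dict[str, str] = {
    "myhostname.local": "LKDC:SHA1.somelonghash",
    "example.com": "EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
}


def realm_for_host(hostname: str, table: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Return the realm for hostname, or None if the static map has no entry.

    Order: the full hostname (case-insensitive, trailing dot ignored) as an
    exact entry, then each parent domain with a leading dot; for
    'host.sub.example.com' that is '.sub.example.com', '.example.com', '.com'.
    Entries are matched literally, so a 'myhostname.*' style entry is never
    consulted as a wildcard.
    """
    host = hostname.lower().rstrip(".")
    lowered = {k.lower(): v for k, v in table.items()}
    if host in lowered:
        return lowered[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in lowered:
            return lowered[candidate]
    return None


def realms_for_scenarios() -> Dict[str, Optional[str]]:
    """Resolve the three network situations the post describes."""
    return {
        "offline": realm_for_host("myhostname.local"),          # LKDC
        "internal": realm_for_host("myhostname.example.com"),   # EXAMPLE.COM
        "foreign": realm_for_host("myhostname.coffeeshop.net"), # no mapping
    }


if __name__ == "__main__":
    for situation, realm in realms_for_scenarios().items():
        print(f"{situation:9} -> {realm}")
```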