tickets with wrong DNS

steve steve at steve-ss.com
Sat Jun 7 11:11:29 EDT 2014


On Sat, 2014-06-07 at 14:31 +0000, Brandon Allbery wrote:
> On Sat, 2014-06-07 at 16:13 +0200, steve wrote:
> > We have a Samba4 domain with some Linux clients joined under DHCP. We
> > are updating their DNS records via the nsupdate facility in SSSD. All is
> > fine, but the worrying issue is that the machines still function even
> > with the wrong rr registered in dns. Is this correct behaviour?
> 
> Nowhere near enough information to even guess... but Windows domains
> (and therefore samba4) tend to use Kerberos principals based on the
> netbios name instead of DNS name, so it's not unlikely. As to the more
> unixy stuff, if the machine(s) in question aren't servers, they likely
> don't care much about their DNS entries; the only common service that
> does is the MTA (sendmail/postfix/etc.), and these days it's rare for
> clients to run their own MTAs in anything but local queueing mode where
> a hosts file entry is generally good enough.
> 

Thanks.

The client has a keytab:
host/fqdn@REALM
host/hostname@REALM
HOSTNAME$@REALM

and a krb5.conf:
[libdefaults]
        default_realm = ALTEA.SITE
        dns_lookup_realm = false
        dns_lookup_kdc = true

Maybe that's all that is required.
 
My point is that if it doesn't matter, we can simplify the Linux client
set-ups quite a bit because we can lose the signed nsupdate stuff.

Here is a login on a client at 192.168.1.22. Change the IP and it still
works fine, even though it's not registered in the DNS db (maintained
via bind9) on the DC.

Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:55132 for
krbtgt/ALTEA.SITE at ALTEA.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST$@ALTEA.SITE
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:34322 for
krbtgt/ALTEA.SITE at ALTEA.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- GUADALEST$@ALTEA.SITE
using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:15 starttime: unset endtime:
2014-06-08T02:59:15 renew till: 2014-06-08T16:59:14
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:49450 for
ldap/palmera.altea.site at ALTEA.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2014-06-07T16:59:15 starttime:
2014-06-07T16:59:15 endtime: 2014-06-08T02:59:15 renew till:
2014-06-08T16:59:14
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
ldb_wrap open of secrets.ldb
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:53422 for
krbtgt/ALTEA.SITE at ALTEA.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST$@ALTEA.SITE
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:52224 for
krbtgt/ALTEA.SITE at ALTEA.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- GUADALEST$@ALTEA.SITE
using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:21 starttime: unset endtime:
2014-06-08T02:59:21 renew till: 2014-06-08T16:59:20
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:49452 for
ldap/palmera.altea.site at ALTEA.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2014-06-07T16:59:21 starttime:
2014-06-07T16:59:21 endtime: 2014-06-08T02:59:21 renew till:
2014-06-08T16:59:20
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ stevep\@ALTEA.SITE at ALTEA.SITE from
ipv4:192.168.1.22:59583 for krbtgt/ALTEA.SITE at ALTEA.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- stevep\@ALTEA.SITE at ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- stevep\@ALTEA.SITE at ALTEA.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- stevep\@ALTEA.SITE at ALTEA.SITE
Kerberos: AS-REQ stevep\@ALTEA.SITE at ALTEA.SITE from
ipv4:192.168.1.22:49539 for krbtgt/ALTEA.SITE at ALTEA.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- stevep\@ALTEA.SITE at ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- stevep\@ALTEA.SITE at ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- stevep\@ALTEA.SITE at ALTEA.SITE using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:23 starttime: unset endtime:
2014-06-08T02:59:23 renew till: 2014-06-08T16:59:23
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize
Kerberos: AS-REQ stevep\@ALTEA.SITE at ALTEA.SITE from
ipv4:192.168.1.22:49453 for krbtgt/ALTEA.SITE at ALTEA.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- stevep\@ALTEA.SITE at ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- stevep\@ALTEA.SITE at ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- stevep\@ALTEA.SITE at ALTEA.SITE using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:23 starttime: unset endtime:
2014-06-08T02:59:23 renew till: 2014-06-08T16:59:23
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize
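Editor's note with an added example (not part of the thread, not Samba or SSSD code). The KDC log above shows why the stale record does not matter to Kerberos: the AS-REQ is for the machine account GUADALEST$, pre-authentication is an encrypted timestamp under that account's key, and the KDC never consults the client's A record; it only logs the source address. Two things a practitioner would want to check from such a log are therefore separate from DNS: whether the KDC actually issued tickets to an address that does not match the host's A record (so you know the nsupdate path is broken rather than "working anyway"), and which enctype was used. In the excerpt above both the machine account and the user offer aes256/aes128 but every ticket is issued with arcfour-hmac-md5, which is decided by the keys stored for the account, not by the client. The script below parses constructed log lines in the same shape (with the `@` that the list archive rewrote as ` at ` restored, as the real log prints it), summarises per principal, flags RC4-despite-AES, and cross-checks the observed source IPs against a constructed zone table. The hostname derivation (NetBIOS name lowercased under the realm as DNS domain) is an assumption that matches `palmera.altea.site` in the log.

```python
"""Summarise Samba/Heimdal KDC log lines per client principal and cross-check
the source IP the KDC saw against a DNS zone table.

Added example, not from the mailing-list thread. SAMPLE_LOG and STALE_ZONE are
constructed to match the shape of the KDC log quoted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the thread's KDC log (the '@' the list
# archive rewrote as ' at ' is restored, as the real log prints it).
SAMPLE_LOG = r"""
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:55132 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: 149
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST$@ALTEA.SITE
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:34322 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: ENC-TS Pre-authentication succeeded -- GUADALEST$@ALTEA.SITE using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: TGS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:49450 for ldap/palmera.altea.site@ALTEA.SITE [canonicalize, renewable]
Kerberos: AS-REQ stevep\@ALTEA.SITE@ALTEA.SITE from ipv4:192.168.1.22:49539 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- stevep\@ALTEA.SITE@ALTEA.SITE using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using arcfour-hmac-md5/arcfour-hmac-md5
"""

# Constructed zone data standing in for the bind9 zone on the DC: the A record
# for GUADALEST is stale, i.e. it no longer matches the address the KDC saw.
STALE_ZONE = {"guadalest.altea.site": "192.168.1.50", "palmera.altea.site": "192.168.1.1"}

REQ_RE = re.compile(r"(?P<kind>AS-REQ|TGS-REQ) (?P<client>\S+) from ipv4:(?P<ip>[\d.]+):\d+ for (?P<service>\S+)")
PREAUTH_RE = re.compile(r"ENC-TS Pre-authentication succeeded -- (?P<client>\S+) using (?P<etype>\S+)")
ETYPES_RE = re.compile(r"Client supported enctypes: (?P<offered>.+), using (?P<used>[^/\s]+)/(?P<svc>\S+)")
AES_ETYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}


@dataclass
class ClientAuth:
    principal: str
    source_ips: set = field(default_factory=set)
    preauth_etype: str | None = None
    offered_etypes: list = field(default_factory=list)
    session_etype: str | None = None
    services: list = field(default_factory=list)


def parse_kdc_log(text: str) -> dict[str, ClientAuth]:
    """One ClientAuth per client principal. The 'Client supported enctypes' line
    names no principal, so it is attributed to the most recent AS-REQ client."""
    auths: dict[str, ClientAuth] = {}
    current = None
    for line in text.splitlines():
        if m := REQ_RE.search(line):
            a = auths.setdefault(m["client"], ClientAuth(m["client"]))
            a.source_ips.add(m["ip"])
            if m["kind"] == "AS-REQ":
                current = a
            elif m["service"] not in a.services:
                a.services.append(m["service"])
        elif m := PREAUTH_RE.search(line):
            auths.setdefault(m["client"], ClientAuth(m["client"])).preauth_etype = m["etype"]
        elif (m := ETYPES_RE.search(line)) and current is not None:
            current.offered_etypes = [e.strip() for e in m["offered"].split(",")]
            current.session_etype = m["used"]
    return auths


def weak_etype_findings(auths: dict[str, ClientAuth]) -> list[str]:
    """Principals whose client offered AES but were issued an RC4 ticket
    (arcfour-hmac-md5): the account's stored keys, not the client, limit the
    enctype, so this points at the account's key material, not at DNS."""
    return sorted(p for p, a in auths.items()
                  if a.session_etype == "arcfour-hmac-md5" and AES_ETYPES & set(a.offered_etypes))


def machine_fqdn(principal: str) -> str | None:
    """GUADALEST$@ALTEA.SITE -> guadalest.altea.site. Assumes (an assumption, not
    from the thread) that the host's DNS name is its NetBIOS name under the realm
    used as DNS domain. User principals return None."""
    name, _, realm = principal.partition("@")
    if not name.endswith("$"):
        return None
    return f"{name[:-1].lower()}.{realm.lower()}"


def dns_mismatches(auths: dict[str, ClientAuth], zone: dict[str, str]) -> list:
    """Machine accounts whose A record (per the zone table) is absent or does not
    match any address the KDC saw them authenticate from. Kerberos still issued
    them tickets: the KDC verifies the key, not the client's DNS record."""
    findings = []
    for principal, a in sorted(auths.items()):
        fqdn = machine_fqdn(principal)
        if fqdn is None:
            continue
        record = zone.get(fqdn)
        if record not in a.source_ips:
            findings.append((principal, fqdn, record, sorted(a.source_ips)))
    return findings


if __name__ == "__main__":
    auths = parse_kdc_log(SAMPLE_LOG)
    for p, a in auths.items():
        print(f"{p}: from {sorted(a.source_ips)}, preauth {a.preauth_etype}, "
              f"session {a.session_etype}, services {a.services}")
    print("RC4 chosen although AES was offered:", weak_etype_findings(auths))
    print("A record vs. KDC source IP mismatches:", dns_mismatches(auths, STALE_ZONE))
```

Run against a real KDC log (Samba's `log level = 3` or higher for the kdc class) and a zone dump from the DC's bind9 instead of the constructed inputs; an empty `dns_mismatches` result is the evidence that the nsupdate path is doing its job, and a non-empty `weak_etype_findings` list is worth fixing independently of the DNS question.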