tickets with wrong DNS

Brandon Allbery ballbery at sinenomine.net
Sat Jun 7 11:25:00 EDT 2014


On Sat, 2014-06-07 at 17:11 +0200, steve wrote:
> Here is a login on a client at 192.168.1.22. Change the IP and it still
> works fine, even though it's not registered in the DNS db (maintained
> via bind9) on the DC.
> 
> Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:55132 for
> krbtgt/ALTEA.SITE@ALTEA.SITE
> Kerberos: Client sent patypes: 149
> Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
> Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST
> $@ALTEA.SITE

It is indeed using the netbios name here, and DNS is not an issue. The
various DISCONNECTEDs don't look DNS-related; they look to me like it's
trying TCP first (normal for Windows DCs, since the Windows PAC is
usually too large for a UDP transaction) and falling back to UDP (normal
for traditional Kerberos). Depending on your configuration, you may want
to arrange for UDP to be tried first.

-- 
brandon s allbery kf8nh                           sine nomine associates
allbery.b at gmail.com                              ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad    http://sinenomine.net
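
Added example, not part of the original message: a small parser for KDC log lines in the format quoted above. It records the source address the KDC logs for each AS-REQ and lists principals seen from more than one address, which is the visibility you have when the request itself does not depend on DNS. The sample log is constructed, the second address (192.168.1.57) is made up, and the parser assumes unwrapped log lines as they appear in the log file rather than as wrapped in the mail.

```python
import re
from collections import defaultdict

# Constructed sample in the KDC log format quoted in the thread; the second
# address (192.168.1.57) is made up to model the client after an IP change.
SAMPLE_LOG = """\
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:55132 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: 149
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST$@ALTEA.SITE
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.57:40211 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST$@ALTEA.SITE
"""

# Greedy address match so that IPv6 literals keep their colons; the port is
# whatever follows the last colon before " for".
AS_REQ = re.compile(
    r"Kerberos: AS-REQ (?P<client>\S+) from "
    r"(?P<family>ipv[46]):(?P<addr>.+):(?P<port>\d+) for (?P<service>\S+)$"
)
PREAUTH = re.compile(r"returning PREAUTH-REQUIRED -- (?P<client>\S+)$")


def parse_kdc_log(text):
    """Return (as_reqs, preauth_required_counts) extracted from KDC log text."""
    as_reqs, preauth = [], defaultdict(int)
    for line in text.splitlines():
        line = line.strip()
        m = AS_REQ.search(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            as_reqs.append(rec)
            continue
        m = PREAUTH.search(line)
        if m:
            preauth[m.group("client")] += 1
    return as_reqs, dict(preauth)


def principals_with_multiple_sources(as_reqs):
    """Map each principal seen from more than one source address to those addresses."""
    seen = defaultdict(set)
    for rec in as_reqs:
        seen[rec["client"]].add(rec["addr"])
    return {p: sorted(a) for p, a in seen.items() if len(a) > 1}


if __name__ == "__main__":
    reqs, pre = parse_kdc_log(SAMPLE_LOG)
    print(principals_with_multiple_sources(reqs), pre)
```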
