Kerberos on Mac
Matt Darwin
mattdarwin at gmail.com
Mon May 15 06:43:45 EDT 2017
Hi Glenn, Greg,
Thanks for your input.
I’ve now done some debugging with Wireshark and found what I believe to be
the smoking gun:
So it looks like the client is sending
oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
as the SnameString (presumably the SPN), when it should be sending:
d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
I’ve updated the ticket with the details:
http://stackoverflow.com/questions/43685086
So the question is, how do I persuade the JVM built-in kerberos client to
change the way it looks up server hosts? Or is there genuinely a DNS
change required?
Bear in mind I have the following /etc/hosts entry:
10.252.134.51 d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
Thanks,
Matt
On 12 May 2017 at 16:40, Greg Hudson <ghudson at mit.edu> wrote:
> On 05/12/2017 11:28 AM, Matt Darwin wrote:
> > I’ve written a detailed description of the problem on Stack Overflow:
> http://stackoverflow.com/questions/43685086/
>
> I read this, and I don't see in there the server principal name in the
> TGS request on macOS and on Linux. You might be able to obtain that
> with wireshark or similar if you can't get it out of the JVM. That
> information, together with knowledge of your DNS configuration, might
> provide a hint as to what's going on.
>
> Note that the JVM has its own Kerberos implementation, which is separate
> from MIT krb5, Heimdal, or the macOS fork of Heimdal. (I believe it's
> possible to use a shim to force it to call out to the C library, but
> from the stack trace it doesn't appear that you're doing that.) So the
> output you're getting from krb5-config --version is irrelevant, as is
> using brew to install a newer C library.
>
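The mismatch in the capture above (the /etc/hosts name resolves to 10.252.134.51, but the SPN carries the address's reverse-lookup name) can be reproduced without a KDC. The script below is an added example, not code from the thread; it assumes the client derives the SPN host by resolving the name to an address and then mapping that address back to a name, and uses constructed forward/reverse tables holding the names from the thread (the service name `HTTP` is a placeholder).

```python
import socket

# Constructed resolver data mirroring the names seen in the thread:
# the forward entry matches the /etc/hosts line, the reverse entry is the
# NAT/PTR name that showed up as the SnameString in the capture.
FORWARD = {"d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com": "10.252.134.51"}
REVERSE = {"10.252.134.51": "oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com"}


def canonical_host(hostname, forward, reverse):
    """Host part a canonicalizing client would place in the SPN.

    Resolve the name to an address, then look the address up again to get
    a name; if the reverse lookup fails, keep the name we started with.
    """
    addr = forward(hostname)
    try:
        name = reverse(addr)
    except (OSError, KeyError):      # no PTR / no table entry
        name = hostname
    return name.lower().rstrip(".")


def check_spn(service, hostname,
              forward=socket.gethostbyname,
              reverse=lambda a: socket.gethostbyaddr(a)[0]):
    """Compare the SPN an admin expects with the one canonicalization yields.

    Defaults use the live system resolver; pass dict lookups to run offline.
    """
    expected = f"{service}/{hostname.lower().rstrip('.')}"
    actual = f"{service}/{canonical_host(hostname, forward, reverse)}"
    return {"expected": expected, "actual": actual,
            "mismatch": expected != actual}


if __name__ == "__main__":
    r = check_spn("HTTP", "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com",
                  forward=FORWARD.__getitem__, reverse=REVERSE.__getitem__)
    print(r)   # mismatch is True: the PTR name, not the /etc/hosts name, wins
```

Running it against the live resolver (no `forward`/`reverse` arguments) on the affected Mac shows which name the reverse path returns, which is the DNS record to correct or the canonicalization behaviour to disable on the client.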