Kerberos on Mac

Greg Hudson ghudson at mit.edu
Mon May 15 12:56:52 EDT 2017


On 05/15/2017 06:43 AM, Matt Darwin wrote:
> So it looks like the client is sending 
> 
> oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
> 
> as the SnameString (presumably the SPN), when it should be sending:
> 
> d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com

I don't appear to have access to your DNS information from here.  My
guess is that oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com is the
result of a PTR query on the IP address of the server, while
d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com is the preferred forward record
name.

If I'm right about that, what you're looking for is a way to get the JVM
Kerberos implementation to suppress the reverse DNS lookup when
canonicalizing the server name.  In MIT krb5, that would be accomplished
with the "rdns" setting in krb5.conf; for details, see:

http://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html

It's possible that the same setting might work for the Java
implementation, but I'm not certain.
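To make the PTR-versus-forward-name point concrete, here is a small simulation of the canonicalization behaviour the linked MIT krb5 page documents: the library forward-resolves the host name to its canonical form, and if `rdns` is enabled (the historical default) the PTR name of the resulting address replaces that forward name in the service principal. This is an added example, not code from the thread, from MIT krb5 or from the JVM: the DNS records, the address 10.252.134.51 (inferred from the NAT host name), the `ddapoc` alias, the `HTTP` service and the realm `MYCLOUD.COM` are all constructed, and the lookup functions stand in for the getaddrinfo()/getnameinfo() calls libkrb5 makes. It says nothing about whether the Java implementation honours `rdns`, which the reply leaves open.

```python
"""Simulation of MIT krb5 service-host canonicalization with and without
rdns.  Added illustration; zone data, address and realm are constructed."""

# Constructed zone data (assumption: the NAT name is the PTR record of the
# server's address, as the reply guesses).
CNAME = {"ddapoc": "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com"}
A_RECORDS = {"d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com": "10.252.134.51"}
PTR_RECORDS = {"10.252.134.51": "oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com"}


def forward_lookup(name):
    """Stand-in for getaddrinfo(AI_CANONNAME): chase CNAMEs and return
    (canonical_name, address), or None if the name does not resolve."""
    seen = set()
    while name in CNAME and name not in seen:
        seen.add(name)
        name = CNAME[name]
    return (name, A_RECORDS[name]) if name in A_RECORDS else None


def reverse_lookup(addr):
    """Stand-in for getnameinfo(): the PTR name of an address, or None."""
    return PTR_RECORDS.get(addr)


def canonicalize_host(hostname, rdns=True, dns_canonicalize_hostname=True):
    """Forward-resolve to the canonical name; with rdns on, a PTR record for
    the address wins over the forward name (the behaviour the thread hit)."""
    host = hostname.lower().rstrip(".")
    if not dns_canonicalize_hostname:
        return host
    fwd = forward_lookup(host)
    if fwd is None:
        return host  # unresolvable: keep the name as given
    canon, addr = fwd
    if rdns:
        ptr = reverse_lookup(addr)
        if ptr:
            return ptr.lower()
    return canon


def service_principal(service, hostname, realm, **opts):
    return f"{service}/{canonicalize_host(hostname, **opts)}@{realm}"


def libdefaults(krb5_conf):
    """Minimal reader for `key = value` lines in [libdefaults] of a
    krb5.conf; other sections and nested groups are ignored."""
    section, values = None, {}
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def krb5_bool(value, default=True):
    """Boolean parsing in the style of the krb5 profile library; an absent
    or unrecognised value falls back to the default (true for rdns)."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("y", "yes", "true", "t", "1", "on"):
        return True
    if v in ("n", "no", "false", "f", "0", "off"):
        return False
    return default


# The implicit default (rdns unset, i.e. true) beside the corrected config.
DEFAULT_CONF = "[libdefaults]\n    default_realm = MYCLOUD.COM\n"
FIXED_CONF = "[libdefaults]\n    default_realm = MYCLOUD.COM\n    rdns = false\n"


def principal_for_conf(conf, hostname, service="HTTP"):
    ld = libdefaults(conf)
    return service_principal(
        service, hostname, ld.get("default_realm", "MYCLOUD.COM"),
        rdns=krb5_bool(ld.get("rdns")),
        dns_canonicalize_hostname=krb5_bool(ld.get("dns_canonicalize_hostname")),
    )


if __name__ == "__main__":
    host = "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com"
    print("rdns default:", principal_for_conf(DEFAULT_CONF, host))
    print("rdns = false:", principal_for_conf(FIXED_CONF, host))
```

With the default configuration the simulated client builds `HTTP/oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com@MYCLOUD.COM`, the NAT name from the PTR record, which is exactly the symptom in the quoted message; with `rdns = false` it keeps the forward name. The real-world check is the same: compare the PTR of the server's address with the forward record, and if they differ, either turn off `rdns` (or `dns_canonicalize_hostname`) or fix the PTR record so it matches the name the service's keytab was issued for.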
