Kerberos on Mac

Todd Grayson tgrayson at cloudera.com
Mon May 15 13:42:03 EDT 2017


I would work to get forward/reverse DNS consistent rather than attempting
to configure around this.

But for reference's sake, the JGSS catalog of its supported settings is here:
"Supported krb5.conf Settings"
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html

rdns is not available; there is a "noaddresses" setting, but that seems to be more
for NAT handling.


On Mon, May 15, 2017 at 10:56 AM, Greg Hudson <ghudson at mit.edu> wrote:

> On 05/15/2017 06:43 AM, Matt Darwin wrote:
> > So it looks like the client is sending
> >
> > oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
> >
> > as the SnameString (presumably the SPN), when it should be sending:
> >
> > d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
>
> I don't appear to have access to your DNS information from here.  My
> guess is that oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com is the
> result of a PTR query on the IP address of the server, while
> d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com is the preferred forward record
> name.
>
> If I'm right about that, what you're looking for is a way to get the JVM
> Kerberos implementation to suppress the reverse DNS lookup when
> canonicalizing the server name.  In MIT krb5, that would be accomplished
> with the "rdns" setting in krb5.conf; for details, see:
>
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html
>
> It's possible that the same setting might work for the Java
> implementation, but I'm not certain.
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
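As an added illustration (not code from anyone in this thread), the following Python check emulates the canonicalization Greg describes: forward-resolve the service host, then, when rdns is in effect (the MIT krb5 default), substitute the PTR name, and report whether forward and reverse DNS agree, which is the consistency Todd recommends fixing first. The resolver hooks, the function names and the sample IP address are assumptions/constructed; the Java client's exact behaviour is not confirmed by the thread.

```python
import socket
from typing import Callable, Dict, Optional

# Constructed sample records mirroring the thread (the address is made up):
# the forward name and the PTR name for the same address disagree.
SAMPLE_FORWARD = {"d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com": "10.252.134.51"}
SAMPLE_REVERSE = {"10.252.134.51": "oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com"}


def socket_forward(name: str) -> str:
    """Default forward resolver: A lookup via the system resolver."""
    return socket.gethostbyname(name)


def socket_reverse(ip: str) -> Optional[str]:
    """Default reverse resolver: PTR lookup; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def table_resolver(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Build an offline resolver from a key->value dict (dry runs and tests)."""
    return lambda key: table.get(key)


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def canonical_spn_host(host: str, rdns: bool = True,
                       forward: Callable[[str], Optional[str]] = socket_forward,
                       reverse: Callable[[str], Optional[str]] = socket_reverse) -> Dict[str, object]:
    """Emulate client-side hostname canonicalization as the thread describes it:
    forward-resolve the host, then, when rdns is on (the MIT krb5 default),
    substitute the PTR name. Returns the host part that would end up in
    host/<name>@REALM and whether forward and reverse DNS agree."""
    ip = forward(host)
    if ip is None:
        raise ValueError(f"no forward record for {host}")
    ptr = reverse(ip)  # always looked up so the report shows any mismatch
    consistent = ptr is not None and _norm(ptr) == _norm(host)
    spn_host = _norm(ptr) if (rdns and ptr) else _norm(host)
    return {"host": host, "ip": ip, "ptr": ptr, "spn_host": spn_host,
            "consistent": consistent}


if __name__ == "__main__":
    for rdns in (True, False):
        r = canonical_spn_host("d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com", rdns,
                               table_resolver(SAMPLE_FORWARD), table_resolver(SAMPLE_REVERSE))
        print(f"rdns={rdns}: SPN host={r['spn_host']} consistent={r['consistent']}")
```

Run it against real DNS by omitting the resolver arguments; a `consistent` of False for a service host is the condition to fix on the DNS side before touching client settings.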

