krb5

Earl Killian kerberos at lists.killian.com
Tue Oct 17 18:04:20 EDT 2017


I am using the krb5-1.12.5 port that comes with openSUSE 42.3. Recently
the SuSE distro changed their krb5.conf to include

	dns_canonicalize_hostname = false
	rdns = false

This was supposedly for security, so I applied the above to my own
krb5.conf. However, this change broke kprop. On the Kerberos master host
alpha.sub.killian.com (192.168.1.5) I did

# kinit root/admin
# kprop -f KILLIAN.COM.dump -ddd beta.killian.com
kprop: Client not found in Kerberos database while getting initial ticket

I then find in the KRB5_TRACE file:

[24229] 1508275209.426788: Convert service (null) (service with host as instance) on host (null) to principal
[24229] 1508275209.426802: Remote host after reverse DNS processing: alpha
[24229] 1508275209.426814: Got service principal host/alpha@
[24229] 1508275209.426821: Initializing MEMORY:_kproptkt with default princ host/alpha@KILLIAN.COM
[24229] 1508275209.426826: Convert service host (service with host as instance) on host beta.killian.com to principal
[24229] 1508275209.426828: Remote host after reverse DNS processing: beta.killian.com
[24229] 1508275209.426832: Got service principal host/beta.killian.com@KILLIAN.COM
[24229] 1508275209.426842: Getting initial credentials for host/alpha@KILLIAN.COM
[24229] 1508275209.426872: Setting initial creds service to host/beta.killian.com@KILLIAN.COM
[24229] 1508275209.426905: Sending request (164 bytes) to KILLIAN.COM
[24229] 1508275209.426928: Resolving hostname alpha.sub.killian.com
[24229] 1508275209.427107: Sending initial UDP request to dgram 192.168.1.5:88
[24229] 1508275209.427221: Received answer (182 bytes) from dgram 192.168.1.5:88
[24229] 1508275209.427233: Response was not from master KDC
[24229] 1508275209.427242: Received error from KDC: -1765328378/Client not found in Kerberos database
[24229] 1508275209.427264: Destroying ccache MEMORY:_kproptkt

So it appears that it is not using the FQDN for the initiating host when
determining a principal (see the 4th line above where it says
"host/alpha" instead of "host/alpha.sub.killian.com").

So obviously I removed the two new "security" lines from my krb5.conf to
restore things to a working situation. However, I would like to inquire
of the mailing list how things are supposed to work when those are set
to false as in the openSUSE distro.

-Earl
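The principal derivation behind the trace above, as an added, simplified model written for this archive page (not MIT krb5's own krb5_sname_to_principal() code; the DNS tables, the short local hostname "alpha" and the realm are constructed assumptions). It shows why the client principal collapses to host/alpha when canonicalization is off, and that giving the host a fully qualified name restores the FQDN principal without putting trust back in DNS.

```python
# Added illustration of how a Kerberos client derives a host-based principal
# under dns_canonicalize_hostname / rdns. It is a simplified model written for
# this example, not MIT krb5's own krb5_sname_to_principal() code, and the
# DNS tables and hostnames below are constructed sample data.

REALM = "KILLIAN.COM"

# Constructed forward-lookup table: name -> (canonical name, address).
FORWARD = {
    "alpha": ("alpha.sub.killian.com", "192.168.1.5"),
    "alpha.sub.killian.com": ("alpha.sub.killian.com", "192.168.1.5"),
    "beta.killian.com": ("beta.killian.com", "192.168.1.6"),
}
# Constructed reverse-lookup (PTR) table: address -> name.
REVERSE = {
    "192.168.1.5": "alpha.sub.killian.com",
    "192.168.1.6": "beta.killian.com",
}


def sname_to_principal(service, host, canonicalize, rdns):
    """Build service/host@REALM from a hostname, mimicking the client's steps."""
    name = host.rstrip(".").lower()
    if canonicalize:
        # Forward lookup replaces the name with the canonical (fully qualified) one.
        name, addr = FORWARD[name]
        if rdns:
            # Reverse lookup of the address may override the name again.
            name = REVERSE.get(addr, name)
    return f"{service}/{name}@{REALM}"


def kprop_principals(local_hostname, target, canonicalize, rdns):
    """Client principal (from the local hostname) and target service principal
    as kprop would derive them; returns (client, server)."""
    client = sname_to_principal("host", local_hostname, canonicalize, rdns)
    server = sname_to_principal("host", target, canonicalize, rdns)
    return client, server


if __name__ == "__main__":
    # Short local hostname with canonicalization disabled: the case in the trace.
    print(kprop_principals("alpha", "beta.killian.com", False, False))
    # Same host with canonicalization enabled: DNS supplies the FQDN.
    print(kprop_principals("alpha", "beta.killian.com", True, True))
    # Canonicalization still disabled, but the host's own name is fully
    # qualified: the principal exists in the database without trusting DNS.
    print(kprop_principals("alpha.sub.killian.com", "beta.killian.com", False, False))
```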
