krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

Neulinger, Nathan nneul at umr.edu
Wed Apr 9 10:01:45 EDT 2003


It sort of works, but not quite.

I'm able to reliably connect to the cluster with telnet this way, but I
am then unable to use those tickets locally on that machine. I get an
error from aklog about unable to convert v5 address information. Ahh...
It does, however, look like upgrading krb524d fixes this problem... 

SSH w/ gssapi forwarding does not work... On the server side, it
complains about misc failure, wrong principal in request, got no client
creds, then closes the connection. 

The keytab on the machines has both the cluster name and the individual
member name principals in it.

Any ideas?

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul at umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


> -----Original Message-----
> From: Neulinger, Nathan 
> Sent: Tuesday, April 08, 2003 4:02 PM
> To: John Hascall
> Cc: krbdev; Sam Hartman
> Subject: Re: krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS
> 
> 
> One approach, that I haven't had a chance to try yet:
> 
> Primary address for each cluster machine
> Cluster name, plus virtual interface cluster address for each machine
> 
> Reverse for the primary points to itself
> Reverse for the virtual addresses in the cluster point at the cluster
> name.
> 
> Put the key for both the cluster name and the primary machine name on
> each machine.
> 
> I don't know if this will work or not.
> 
> -- Nathan
> 
> On Tue, 2003-04-08 at 15:46, John Hascall wrote:
> > > The krb5 hostname handling is a real mess and I'm not really sure what
> > > to do to clean it up.
> > > 
> > > You have the following incompatible use cases:
> > > 
> > > 1) People who want reverse resolution to work so that clustering
> > >    works.  I.E. dialup.university.edu will return some A record that
> > >    you want to reverse resolve because it is some instance of
> > >    dialup.university.edu.
> > > 
> > > 
> > > 2) People who have broken reverse DNS and who just want a forward lookup.
> > > 
> > > 3) People who want no hostname canonicalization at all because they
> > >    actually want security.
> > > 
> > > Suggestions on how we can improve the mess greatly appreciated.
> > 
> > It seems to me that you can either:
> >   1) choose 1 of those, (either convincing or annoying everyone else),
> >   2) have a way to choose among them.
> >      a) config file option, or
> >      b) command line arg, or
> >      c) something else?
> > 
> > With #1 it seems to me that you can often workaround that by putting
> > the generic key on every machine in the cluster like this:
> > 
> > # klist -srvtab
> > Server key file:   /etc/srvtab
> > Service         Instance        Realm      Key Version
> > ------------------------------------------------------
> > rcmd            asw-1           IASTATE.EDU     3
> > rcmd            asw             IASTATE.EDU     3
> > 
> > (excuse the V4-ness of my example :)
> > 
> > I would be interested in hearing more about #3 (how does
> > hostname canonicalization == no security?)
> > 
> > 
> > John
> > 
> > _______________________________________________
> > krbdev mailing list             krbdev at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/krbdev
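As an added illustration that is not code from this thread or from MIT krb5, the toy Python model below derives the service principal under each of the three policies John lists, run against the DNS layout Nathan proposes (member primaries reversing to themselves, virtual cluster addresses reversing to the cluster name), and then checks the result against a member keytab holding both names. All host names, addresses and the realm are constructed; the real krb5_sname_to_principal uses the system resolver, which this only emulates with tables.

```python
REALM = "EXAMPLE.EDU"

# Constructed CNAME, A and PTR tables for the layout in the thread: each
# member's primary address reverses to itself, and the cluster name
# round-robins over virtual addresses whose PTRs point at the cluster name.
CNAME = {"login.example.edu": "dialup.example.edu"}
A = {
    "dialup.example.edu": ["10.0.0.10", "10.0.0.11"],  # cluster name
    "asw-1.example.edu": ["10.0.0.1"],                 # member primaries
    "asw-2.example.edu": ["10.0.0.2"],
}
PTR = {
    "10.0.0.1": "asw-1.example.edu", "10.0.0.2": "asw-2.example.edu",
    "10.0.0.10": "dialup.example.edu", "10.0.0.11": "dialup.example.edu",
}


def sname_to_principal(host, service="host", mode="forward+reverse"):
    """Derive service/hostname@REALM under each of the three policies.

    "none":            use the name as typed (case 3)
    "forward":         follow CNAMEs only (case 2, broken reverse DNS)
    "forward+reverse": follow CNAMEs, then the PTR of the first address (case 1)
    """
    name = host.lower().rstrip(".")
    if mode != "none":
        seen = set()
        while name in CNAME:                  # follow the CNAME chain
            if name in seen:
                raise LookupError(f"CNAME loop at {name}")
            seen.add(name)
            name = CNAME[name]
        if name not in A:
            raise LookupError(f"no A record for {name}")
        if mode == "forward+reverse":
            addr = A[name][0]   # the resolver, not the client, picks this
            if addr not in PTR:
                raise LookupError(f"no PTR for {addr}")
            name = PTR[addr]    # DNS now decides which principal is requested
    return f"{service}/{name}@{REALM}"


# Keytab on member asw-1 holding both its own and the cluster principal,
# as in Nathan's setup and John's srvtab listing (constructed).
KEYTAB_ASW1 = {f"host/asw-1.example.edu@{REALM}",
               f"host/dialup.example.edu@{REALM}"}


def server_accepts(principal, keytab=KEYTAB_ASW1):
    """Service side: the requested principal must have a key in the keytab."""
    return principal in keytab
```

A name the client does not canonicalize (mode "none") reaches the server as host/login.example.edu, which no member holds a key for, so the accept check fails; under the reverse-resolving policy the same request lands on the cluster principal that every member's keytab carries.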