How can I verify that my service principal will pass the DNS test?
Matthew M. DeLoera
mdeloera at exacq.com
Fri Feb 5 14:25:59 EST 2010
Hello,
I have discovered a scenario where I pass my intended service principal
"EDVR@exacq-axis-2003.demo.test.exacq.com" into gss_import_name and
gss_init_sec_context, only to end up failing because the reverse-DNS
lookup came back with "66-162-54-85.static.twtelecom.net" instead. So,
Wireshark instead shows a TGS-REQ for
"EDVR/66-162-54-85.static.twtelecom.net".
In both Linux (Ubuntu) and Mac OS X, I do also find that if I put my
intended FQDN (exacq-axis-2003.demo.test.exacq.com) into my host file
for 192.168.100.30, everything does work.
Can any of you suggest something that I can tell my users, or put in my
user's guide, to help prevent them from encountering this? Sadly, I
don't know DNS very well, nor do I know exactly how/when a host file
trumps DNS.
I guess as an alternative, is there an existing call by which I can ask
through GSS to find out what service principal it's ultimately going to
use, making it do its DNS validation, to log in my log file? If I could
at least show that the failure was due to DNS configuration, it would
help me a lot.
Thanks!
- Matthew