On Wed, Jan 28, 2009 at 4:57 PM, Morten Sylvest Olsen <mortenol...@gmail.com> wrote:
> On Jan 28, 9:27 pm, Michael B Allen <iop...@gmail.com> wrote:
>> Hi Morten,
>>
>> It's not clear to me what component is doing a reverse lookup. What
>> software is actually getting the name mixed up? Is it an LDAP client?
>> What LDAP client with what Kerberos implementation? What exactly is
>> the hostname that you are using with said client? You're not using an
>> IP address where an FQDN hostname should be, right?
>
> No, I am not using numeric addresses. I think it happens inside the
> Kerberos implementation: it correctly retrieves a TGT for the
> sub-domain using my TGT for the base domain, but fails when it tries to
> get the service ticket. I can see the wrong principal used in the _REQ
> packet (using Wireshark).
>
> It could be the cyrus-sasl GSSAPI plugin as well. (The stack is
> openldap -> SASL -> GSSAPI -> Kerberos).
>
>> I'm not aware of any software that uses a reverse lookup to change the
>> hostname before composing the principal name used to request a ticket
>> (I would not be surprised if such a thing existed but if it did I
>> would consider it broken).
>
> Well, this is MIT Kerberos (on Linux). The MIT Kerberos libraries use
> DNS reverse lookup for canonicalization in many places, afaik.
I know more about Heimdal than I do MIT so I don't really know how MIT
actually uses DNS reverse lookups to discover names. But if I had to guess I
would be surprised if it didn't use reverse lookups only as a last resort in
the absence of sufficient information in either the krb5.conf or derived from
DNS (someone familiar w/ the MIT implementation please step in and correct me
if necessary). You might want to make sure your client's krb5.conf has
information about all of the domains involved.

> Obviously, that is not the case for AD, I have no idea how Heimdal
> behaves.

I'm still not really sure what the codepath and point of failure is in your
use-case so I still can't give you a definitive answer. But Windows clients
do use DNS SRV queries A LOT to discover services. That could be related to
your issue. In general, both the MIT and Heimdal clients are not optimized
for a Windows environment. We have an AD integration product that uses
Heimdal that we made a lot of changes to try to better emulate Windows
behavior.

> I guess your Java implementation doesn't either, judging from
> your statements :)

The Java solution referenced in my sig is actually NTLM (although that
product will eventually also support Kerberos too).

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
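The two steps Morten and Mike are discussing (hostname canonicalization, optionally via a reverse lookup on the resolved address, and the [domain_realm] mapping from host to realm) can be modelled to show how a PTR record pointing at a base-domain name produces a service principal in the wrong realm. This is an added illustration, not code from the thread or from MIT Kerberos: the DNS records, the krb5.conf entries and the realm names are constructed, and the `rdns` flag stands in for the MIT libdefaults option of the same name (which, when true, adds a reverse lookup to canonicalization).

```python
# Constructed DNS data: the LDAP server lives in the sub-domain, but its
# PTR record points at a name in the base domain (the kind of mismatch
# that makes a reverse-lookup canonicalizer pick the wrong name).
FORWARD = {"ldap1.sub.example.com.": ("ldap1.sub.example.com.", "10.0.0.5")}
REVERSE = {"10.0.0.5": "ldap1.example.com."}

# Constructed krb5.conf [domain_realm] entries; a key starting with "."
# matches any host under that domain, a bare host name matches exactly.
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
    ".sub.example.com": "SUB.EXAMPLE.COM",
}
DEFAULT_REALM = "EXAMPLE.COM"  # fallback when no [domain_realm] entry matches


def canonicalize(hostname: str, rdns: bool) -> str:
    """Forward-resolve the host; with rdns, let the PTR name override it."""
    key = hostname.lower().rstrip(".") + "."
    if key not in FORWARD:
        raise LookupError(f"no forward record for {hostname}")
    cname, addr = FORWARD[key]
    if rdns and addr in REVERSE:
        cname = REVERSE[addr]  # this is where the base-domain name sneaks in
    return cname.rstrip(".").lower()


def host_to_realm(host: str) -> str:
    """Exact [domain_realm] entry first, then the nearest parent domain."""
    host = host.lower()
    if host in DOMAIN_REALM:
        return DOMAIN_REALM[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        realm = DOMAIN_REALM.get("." + ".".join(labels[i:]))
        if realm:
            return realm
    return DEFAULT_REALM


def service_principal(service: str, hostname: str, rdns: bool) -> str:
    """Compose service/canonical-host@REALM the way a client would."""
    host = canonicalize(hostname, rdns)
    return f"{service}/{host}@{host_to_realm(host)}"


if __name__ == "__main__":
    for flag in (True, False):
        print(f"rdns={flag}: {service_principal('ldap', 'ldap1.sub.example.com', flag)}")
```

With the reverse lookup enabled the request is built for ldap/ldap1.example.com@EXAMPLE.COM, which is the symptom Morten describes seeing in the _REQ packet; with it disabled the principal stays in SUB.EXAMPLE.COM.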