Could someone help me understand IP addresses, DNS, and
Kerberos on OpenBSD?

I was getting "incorrect net address" when trying to kinit,
and I found that swapping two lines in /etc/hosts, putting
 10.0.1.201 auth.my.realm auth
before
 ::1 auth.my.realm auth
fixed this, but I don't understand this, and I suspect it means
I'm doing something else wrong.


Starting from a fresh install of OpenBSD 4.1/i386
for my server alone on a test network.
The server name was set to 'auth', the domain name to 'my.realm',
and the IP to 10.0.1.202.

Trying to get this server to act as a KDC.

I needed the server to also run DNS on this test network.
I added a forward and reverse zone to
 /var/named/etc/named.conf
  zone "my.realm" {
   type master;
   file "master/my.realm";
   forwarders { };
  }
  zone "1.0.10.in-addr.arpa" {
   type master;
   file "master/10-0-1.zone";
   forwarders { };
  }

 /var/named/master/my.realm contains
  my.realm.  IN  SOA  auth.my.realm.  root.my.realm. (...)
  @          IN  NS   auth.my.realm.
  localhost  IN  A    127.0.0.1
  auth       IN  A    10.0.1.202

 /var/named/master/10-0-1.zone contains
  @          IN  SOA  auth.my.realm.  root.my.realm. (...)
             NS       auth.my.realm.
  202        PTR      auth.my.realm.

For Kerberos, I then tried to follow the directions at
www.h5l.se/manual/HEAD/info/heimdal.html

I created an /etc/kerberosV/krb5.conf file
 [appdefaults]
  kinit = {
   afslog = no
  }
 [libdefaults]
  default_realm = MY.REALM
 [realms]
  MY.REALM = {
   kdc = auth.my.realm
  }
 [domain_realm]
  .my.realm = MY.REALM

I made the database directory: # mkdir /var/heimdal

I initialized the realm and added a principal
 # kadmin -l
 kadmin> init MY.REALM
 Realm max ticket life [unlimited]:
 ...
 kadmin> add admin
 ...

I started the kdc: # /usr/libexec/kdc &

but when I tried
 # kinit admin
  or
 # kinit admin --no-address
I got "incorrect net address".

When I checked /var/heimdal/kdc.log, the errors seemed to suggest that
::1 was the IP the ticket request came from, and it didn't like that.

So I changed /etc/hosts
from
 ::1 localhost.my.realm localhost
 127.0.0.1 localhost.my.realm localhost
 ::1 auth.my.realm auth
 10.0.1.202 auth.my.realm auth
to
 10.0.1.201 auth.my.realm auth
 ::1 auth.my.realm auth

and now I can successfully
 # kinit admin

But I don't understand -
It seemed that kinit was trying ::1, an IPv6 address, first.
Why this one?
Does my problem lie in my DNS configuration?
Do I need an IPv6 reverse zone file?

Any help understanding this interaction would be very appreciated.

Thanks so much.
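The two /etc/hosts layouts from the post, checked with an added script that is not part of the original message and not OpenBSD or Heimdal code. It models a hosts-file lookup as "first matching line wins", reports which address a lookup of auth.my.realm returns first under each layout, flags a KDC name whose first answer is a loopback address (the KDC then sees the request arriving from loopback, which is what the kdc.log complaint above describes), and cross-checks the hosts answer against the A record in the forward zone. The hosts and zone contents are constructed from the values in the post; the assumption is that the resolver consults /etc/hosts before DNS, which is the default `lookup file bind` order in resolv.conf.

```shell
#!/bin/sh
# Added example (not from the post): model a hosts-file lookup of the KDC name
# and cross-check the answer against the forward zone. All inputs below are
# constructed from the values in the post.
set -u

TMP=$(mktemp -d) || exit 1
trap 'rm -rf "$TMP"' EXIT

# /etc/hosts before the change: ::1 is listed for auth before the LAN address
cat > "$TMP/hosts.before" <<'EOF'
::1 localhost.my.realm localhost
127.0.0.1 localhost.my.realm localhost
::1 auth.my.realm auth
10.0.1.202 auth.my.realm auth
EOF

# /etc/hosts after the change: LAN address listed first (as posted, .201)
cat > "$TMP/hosts.after" <<'EOF'
10.0.1.201 auth.my.realm auth
::1 auth.my.realm auth
EOF

# forward zone as posted (SOA body left abbreviated; only A records are read)
cat > "$TMP/my.realm.zone" <<'EOF'
my.realm.  IN  SOA  auth.my.realm.  root.my.realm. (...)
@          IN  NS   auth.my.realm.
localhost  IN  A    127.0.0.1
auth       IN  A    10.0.1.202
EOF

# hosts_first_addr HOSTSFILE NAME: address on the first non-comment line that
# lists NAME, i.e. the answer a hosts-file lookup returns first.
hosts_first_addr() {
    awk -v name="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# is_loopback ADDR: succeeds if ADDR is IPv4 127/8 or IPv6 ::1
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# zone_a_record ZONEFILE LABEL: address of LABEL's A record in ZONEFILE
zone_a_record() {
    awk -v label="$2" '$1 == label && $2 == "IN" && $3 == "A" { print $4; exit }' "$1"
}

# check_kdc HOSTSFILE ZONEFILE NAME LABEL: one-line verdict; returns
#   0 when the first hosts answer is non-loopback and matches the zone,
#   1 when the first hosts answer is loopback,
#   2 when hosts and zone disagree on the address.
check_kdc() {
    first=$(hosts_first_addr "$1" "$3")
    zone=$(zone_a_record "$2" "$4")
    if is_loopback "$first"; then
        echo "$3: hosts answers $first first; a request to the KDC leaves from loopback"
        return 1
    fi
    if [ "$first" != "$zone" ]; then
        echo "$3: hosts says $first but the forward zone says $zone; make them agree"
        return 2
    fi
    echo "$3: $first (hosts and zone agree)"
    return 0
}

# Report both layouts; the return code carries the verdict, so do not abort.
for h in before after; do
    check_kdc "$TMP/hosts.$h" "$TMP/my.realm.zone" auth.my.realm auth || :
done
```

Run as a plain sh script. The "before" layout is reported as loopback-first, which matches the ::1 the KDC logged; the "after" layout is no longer loopback-first but is reported as a hosts/zone mismatch, since the posted /etc/hosts line carries 10.0.1.201 while the zone's A record and the server's configured address are 10.0.1.202. A real lookup through DNS would return the zone's value, so the two files should carry the same address.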
