Re: krb5

2017-10-17 Thread Benjamin Kaduk
On Tue, Oct 17, 2017 at 03:04:20PM -0700, Earl Killian wrote:
> So obviously I removed the two new "security" lines from my krb5.conf to
> restore things to a working situation. However, I would like to inquire
> of the mailing list how things are supposed to work when those are set
> to false as in the openSUSE distro.

Most likely, your system is configured such that (some things) think that
the local hostname is just "alpha", not the fully-qualified form.
So, the output of `hostname` and `hostname -f` is interesting, as are
the contents of /etc/hosts.

-Ben

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
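As an added illustration of the check suggested in the reply above (example code written here, not part of the thread), a POSIX sh script that reports what a hosts file gives as the canonical name for an address and whether `hostname -f` is fully qualified. It assumes that the resolver's files backend treats the first name on a matching hosts line as the canonical name; the hosts lines used for testing are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. With dns_canonicalize_hostname = false,
# libkrb5 builds host/<name>@REALM from the name the OS hands it, so an
# unqualified local hostname ("alpha") yields host/alpha@REALM, which the KDC
# does not know. These helpers inspect the inputs the reply asks about.

# Succeed if NAME contains at least one dot, i.e. looks fully qualified.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the canonical name a hosts file gives for ADDR: the first name on the
# matching, non-comment line. Assumption: the resolver's files backend returns
# that first name as canonical, so it is what a lookup without DNS yields.
hosts_canonical_name() {    # ADDR FILE
    awk -v addr="$1" '!/^[ \t]*#/ && $1 == addr { print $2; exit }' "$2"
}

# Print the name and exit 0 when ADDR's canonical name in FILE is an FQDN;
# otherwise print a diagnosis and exit 1.
check_hosts_entry() {       # ADDR FILE
    name=$(hosts_canonical_name "$1" "$2")
    if [ -z "$name" ]; then
        echo "no entry for $1 in $2"; return 1
    elif is_fqdn "$name"; then
        echo "$name"; return 0
    else
        echo "canonical name for $1 is unqualified: $name (list the FQDN first)"
        return 1
    fi
}

# Live check of the running host (environment-dependent, not asserted).
check_local_hostname() {
    short=$(hostname)
    full=$(hostname -f 2>/dev/null || echo "$short")
    echo "hostname: $short   hostname -f: $full"
    is_fqdn "$full" || { echo "hostname -f is not fully qualified"; return 1; }
    addr=$(getent hosts "$full" | awk '{ print $1; exit }')
    check_hosts_entry "$addr" /etc/hosts
}
```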


krb5

2017-10-17 Thread Earl Killian
I am using the krb5-1.12.5 port that comes with openSUSE 42.3. Recently
the SuSE distro changed their krb5.conf to include

dns_canonicalize_hostname = false
rdns = false

This was supposedly for security, so I applied the above to my own
krb5.conf. However, this change broke kprop. On the Kerberos master host
alpha.sub.killian.com (192.168.1.5) I did

# kinit root/admin
# kprop -f KILLIAN.COM.dump -ddd beta.killian.com
kprop: Client not found in Kerberos database while getting initial ticket

I then find in the KRB5_TRACE file:

[24229] 1508275209.426788: Convert service (null) (service with host as instance) on host (null) to principal
[24229] 1508275209.426802: Remote host after reverse DNS processing: alpha
[24229] 1508275209.426814: Got service principal host/alpha@
[24229] 1508275209.426821: Initializing MEMORY:_kproptkt with default princ host/al...@killian.com
[24229] 1508275209.426826: Convert service host (service with host as instance) on host beta.killian.com to principal
[24229] 1508275209.426828: Remote host after reverse DNS processing: beta.killian.com
[24229] 1508275209.426832: Got service principal host/beta.killian@killian.com
[24229] 1508275209.426842: Getting initial credentials for host/al...@killian.com
[24229] 1508275209.426872: Setting initial creds service to host/beta.killian@killian.com
[24229] 1508275209.426905: Sending request (164 bytes) to KILLIAN.COM
[24229] 1508275209.426928: Resolving hostname alpha.sub.killian.com
[24229] 1508275209.427107: Sending initial UDP request to dgram 192.168.1.5:88
[24229] 1508275209.427221: Received answer (182 bytes) from dgram 192.168.1.5:88
[24229] 1508275209.427233: Response was not from master KDC
[24229] 1508275209.427242: Received error from KDC: -1765328378/Client not found in Kerberos database
[24229] 1508275209.427264: Destroying ccache MEMORY:_kproptkt

So it appears that it is not using the FQDN for the initiating host when
determining a principal (see the 4th line above where it says
"host/alpha" instead of "host/alpha.sub.killian.com").

So obviously I removed the two new "security" lines from my krb5.conf to
restore things to a working situation. However, I would like to inquire
of the mailing list how things are supposed to work when those are set
to false as in the openSUSE distro.

-Earl
