Re: [Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

2010-04-29 Thread Sam Hartman
> "Jesper" == Jesper Krogh  writes:

Jesper> Hi Russ.  I cannot say anything about what other are
Jesper> Would a patch that makes the behaviour configurable be
Jesper> acceptable?

I think that this patch should be accepted only if upstream is
interested in the patch.  Given that upstream accepted rdns (something I
thought was kind of dubious at the time), a patch to completely disable
dns processing seems reasonable.  

Apple's Kerberos maintainer argues that this behavior really needs to be
configured on a per-realm basis.  Unfortunately, because of the way
krb5_sname_to_principal interacts with referrals, this is kind of
tricky.  If I were upstream I'd require the design of the patch to be
forward-compatible to an eventual model where it was
configured/auto-detected on a per-realm basis and the behavior of any
configuration knobs you add to be documented well enough so that people
would understand how they will behave in the future, but beyond that
would accept the patch.
So, if upstream agrees with me here, you'd have to do somewhat more
design work up front, but the actual patch would be simple.

I'm certainly happy to accept such a patch into Debian as soon as
upstream accepts it and to encourage Ubuntu to accept it.

I don't have the time to facilitate the discussion between you and
upstream; I wish I did.  My recommendation for interacting with upstream
is to bring up the issue on krb...@mit.edu and to include the URI of
this bug report.

Kerberos DNS behavior is complicated enough that having Ubuntu or Debian
diverge from upstream seems undesirable, so I think involving upstream
in the discussion is important.

--Sam

-- 
krb5 prefers the reverse pointer no matter what for locating service tickets.  
https://bugs.launchpad.net/bugs/571572
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

2010-04-29 Thread Sam Hartman
In terms of workarounds, if your KDC is an AD KDC, you can add the
final hostnames as ServicePrincipalName attributes on AD for the account
in question.  That should make things work either for a Windows server
or for a 1.7+ MIT server.

If your KDC is Unix you can add principals for the final hostnames. If
your eventual server is Windows you'll need to make sure the key and
salt are the same for all these principals.  If your server is Unix,
simply add all the keys to the keytab.

--Sam



Re: [Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

2010-04-29 Thread Russ Allbery
Sam Hartman  writes:

> Well, everything should work fine if you make your DNS consistent.

> Honestly if I was going to make a behavior change here I'd have Firefox
> call gss_import_name with a name type that does not involve resolution.

The main place where you cannot make DNS consistent is if you have a web
service that uses DNS-based load-balancing.  That's where we ran into that
issue.  The public name is a CNAME that points to the least-loaded host
(which is dynamically discovered by the DNS server).

-- 
Russ Allbery (r...@debian.org)   



Re: [Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

2010-04-29 Thread Sam Hartman
Well, everything should work fine if you make your DNS consistent.

Honestly if I was going to make a behavior change here I'd have Firefox
call gss_import_name with a name type that does not involve resolution.

--Sam



Re: [Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

2010-04-29 Thread Russ Allbery
Jesper Krogh  writes:

> Nevertheless it is a change from earlier versions of Ubuntu and a
> change that makes Ubuntu + Firefox work in a different way than MS
> Windows + MSIE (negotiating different tickets), thus breaking Single
> Sign-on in typical Kerberos enabled environments.. ours is a corporate one
> with Active Directory as Kerberos and both MS IIS and Ubuntu Apache +
> mod_auth_kerb on the server side.

> Used to work.. lucid breaks it..

I'm confused why you're seeing a change, since in my experience it's been
this way for quite some time.  Firefox used the final hostname, whereas IE
always used the URL name.  When we deployed Negotiate-Auth with
mod_auth_kerb, we had to add both principals to the server keytab.  Many
other people had the same issue, as discussed on the mod_auth_kerb mailing
list, which is why mod_auth_kerb added an option to use any principal in
its keytab.  This all happened back in 2007 for us.

-- 
Russ Allbery (r...@debian.org)   



Re: [Bug 571572] Re: krb5 prefers the reverse pointer no matter what for locating service tickets.

2010-04-29 Thread Sam Hartman
The Kerberos Consortium has a paper on integrating Kerberos into an
application; see http://www.kerberos.org/software/appskerberos.pdf .

I believe that the lucid behavior is correct according to MIT's
documentation: what should be happening is that

* with rdns=true (default), both forward and reverse resolution are
  performed and the reverse name is used

* with rdns=false, forward resolution is performed including alias
  resolution--that is, CNAMEs turn into the pointed-to value, not the
  entered value.

That behavior seems consistent with the code.  If you believe that
things aren't working that way, then I can attempt to reproduce.

As I understand your patch, it would (on some platforms including all
Ubuntu platforms) cause the rdns=false behavior to actually skip
resolution and just use the entered name not resolving cnames.

It's possible there was a bug in previous releases of MIT Kerberos and
this was the behavior.

I also understand that the behavior surrounding Kerberos and DNS is kind
of complicated and not entirely desirable.  The paper I pointed you at
includes discussions of problems with the current behavior and eventual
goals.  It also recommends ways applications can avoid forward/reverse
DNS resolution if they wish to do so.

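The three client behaviours the thread keeps circling (rdns=true taking the PTR name, rdns=false following the CNAME to its target, and IE or a patched library using the URL host as typed) decide which HTTP/<host> principal the browser asks the KDC for, and therefore which keys the server keytab must hold (Russ's "we had to add both principals", Sam's "add principals for the final hostnames"). The script below is an added illustration written for this page, not code from the thread or from MIT krb5: it models those rules over a constructed in-memory DNS table (the example.com names, addresses and the FakeDNS/canonicalize/required_principals helpers are all hypothetical) and reports which principals a keytab is missing. It deliberately does not model realm referrals or the interaction with krb5_sname_to_principal that Sam mentions.

```python
"""Model how an HTTP client derives its Kerberos service principal under the
name-canonicalization rules discussed in the thread, and which keys a server
keytab therefore needs.  Added example; the DNS data is constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class FakeDNS:
    """Constructed zone data standing in for real resolver calls."""
    cname: dict   # alias -> target name
    a: dict       # canonical name -> IPv4 address
    ptr: dict     # IPv4 address -> reverse (PTR) name

    def forward(self, name: str) -> tuple[str, str]:
        """Follow the CNAME chain to the canonical name and its address
        (what a forward lookup with canonical-name resolution returns)."""
        name = name.lower()
        seen = set()
        while name in self.cname:
            if name in seen:
                raise ValueError(f"CNAME loop at {name}")
            seen.add(name)
            name = self.cname[name].lower()
        if name not in self.a:
            raise LookupError(f"no A record for {name}")
        return name, self.a[name]

    def reverse(self, addr: str) -> str | None:
        return self.ptr.get(addr)


def canonicalize(dns: FakeDNS, host: str, rdns: bool = True,
                 use_entered_name: bool = False) -> str:
    """Return the hostname the client would put into HTTP/<host>.

    rdns=True              forward + reverse lookup, the PTR name wins
                           (the thread's description of the lucid default)
    rdns=False             forward lookup only, CNAMEs resolved to target
    use_entered_name=True  no resolution at all: the URL host as typed
                           (what the thread attributes to IE and to Jesper's
                           patch; hypothetical knob, not a real krb5 option)
    """
    if use_entered_name:
        return host.lower()
    canon, addr = dns.forward(host)
    if rdns:
        rev = dns.reverse(addr)
        if rev:                      # assumption: no PTR -> keep forward name
            return rev.lower()
    return canon


# One entry per client behaviour a server may have to satisfy simultaneously.
CLIENT_VARIANTS = {
    "rdns=true (lucid default)":     dict(rdns=True),
    "rdns=false":                    dict(rdns=False),
    "entered name (no resolution)":  dict(use_entered_name=True),
}


def required_principals(dns: FakeDNS, url_host: str, service: str = "HTTP",
                        realm: str = "EXAMPLE.COM") -> list[str]:
    """Every principal some client variant could request for url_host."""
    names = {canonicalize(dns, url_host, **kw) for kw in CLIENT_VARIANTS.values()}
    return sorted(f"{service}/{n}@{realm}" for n in names)


def missing_from_keytab(keytab: list[str], required: list[str]) -> list[str]:
    """Principals the keytab (a list of principal names) does not cover."""
    return sorted(set(required) - set(keytab))


# Constructed data: www is a plain alias with a consistent PTR; lb is the
# load-balancer case from the thread, whose PTR names a different host.
DNS = FakeDNS(
    cname={"www.example.com": "web03.example.com",
           "lb.example.com": "web07.example.com"},
    a={"web03.example.com": "192.0.2.3", "web07.example.com": "192.0.2.7"},
    ptr={"192.0.2.3": "web03.example.com",
         "192.0.2.7": "node07.dc1.example.com"},
)
KEYTAB = ["HTTP/lb.example.com@EXAMPLE.COM"]   # constructed: URL name only

if __name__ == "__main__":
    for label, kw in CLIENT_VARIANTS.items():
        print(f"{label:30} -> HTTP/{canonicalize(DNS, 'lb.example.com', **kw)}")
    need = required_principals(DNS, "lb.example.com")
    print("keytab must hold:", need)
    print("missing:", missing_from_keytab(KEYTAB, need))
```

For the consistent www alias the script needs two principals (URL name and canonical name), which is Russ's 2007 experience; for the load-balanced lb alias it needs three, because the PTR name differs from the CNAME target. Whichever set you arrive at, the thread's caveat still applies: with a Windows KDC the extra names go on as ServicePrincipalName attributes of one account, and with a Unix KDC and a Windows server the key and salt must match across the principals.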