Old 06-30-2010, 09:41 AM   #1
MheAd
Kerberos (MIT) client gets double service tickets when using DNS for Realm lookup


Hi guys,
I've noticed a strange side effect when using a minimalistic krb5.conf file, making the Kerberos client use DNS for KDC / Realm lookups. All services work fine, I just can't figure out why this happens.

First off, here's how I configured my client machines' krb5.conf:

Code:
[libdefaults]
forwardable = true
dns_lookup_realm = true
dns_lookup_kdc = true

My DNS is configured as follows (the domain / realm are my-domain.xx / MY-DOMAIN.XX):

Code:
$ORIGIN my-domain.xx.

; KDC (port 88), reachable over UDP and TCP
_kerberos._udp                  IN SRV 1 0 88   centos-server1
_kerberos._tcp                  IN SRV 1 0 88   centos-server1
; kadmin server (port 749), TCP only
_kerberos-adm._tcp              IN SRV 1 0 749  centos-server1
; kpasswd server (port 464)
_kpasswd._udp                   IN SRV 1 0 464  centos-server1
; realm name returned to clients that set dns_lookup_realm = true
_kerberos.my-domain.xx.         IN TXT "MY-DOMAIN.XX"

With stuff configured this way, I'm able to authenticate myself against the KDC, get a TGT, and contact kerberized services / hosts with no problems whatsoever. However, I've noticed that I'm getting double instances of service / host tickets for every single service I connect to, one with the realm info included, the other one without. As you can see in the example, I've got two tickets for the same principal, only slightly different:

Quote:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mhead@MY-DOMAIN.XX

Valid starting     Expires            Service principal
06/30/10 16:14:33  07/01/10 02:14:33  krbtgt/MY-DOMAIN.XX@MY-DOMAIN.XX
        renew until 07/01/10 16:14:46
06/30/10 16:14:44  07/01/10 02:14:33  host/debian-server.my-domain.xx@
        renew until 07/01/10 16:14:46
06/30/10 16:14:44  07/01/10 02:14:33  host/debian-server.my-domain.xx@MY-DOMAIN.XX
        renew until 07/01/10 16:14:46

Why this happens I have no clue. Everything works as it should, though. Later on, after investigating, I noticed that if I add the following rows to the krb5.conf of the clients:
Code:
[domain_realm]
my-domain.xx = MY-DOMAIN.XX
.my-domain.xx = MY-DOMAIN.XX

then I get the normal single tickets.
However, this makes me think: isn't one of the purposes of the IN TXT DNS record I have exactly to do these mappings, so that I don't have to add these [domain_realm] stanzas manually?

Any ideas?
Thanks in advance!
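Added example, not part of the original post: it emulates the two lookups that the poster's krb5.conf enables (dns_lookup_realm walking _kerberos.<suffix> TXT records up the hostname, dns_lookup_kdc reading _kerberos._udp.<realm> SRV) next to the [domain_realm] matching rule, against a constructed in-memory copy of the zone above. The ZONE table and the function names are my own stand-ins, not libkrb5 code.

```python
# Constructed stand-in for the DNS zone in the post: (owner, type) -> rdata list.
ZONE = {
    ("_kerberos._udp.my-domain.xx.", "SRV"): ["1 0 88 centos-server1.my-domain.xx."],
    ("_kerberos._tcp.my-domain.xx.", "SRV"): ["1 0 88 centos-server1.my-domain.xx."],
    ("_kerberos-adm._tcp.my-domain.xx.", "SRV"): ["1 0 749 centos-server1.my-domain.xx."],
    ("_kpasswd._udp.my-domain.xx.", "SRV"): ["1 0 464 centos-server1.my-domain.xx."],
    ("_kerberos.my-domain.xx.", "TXT"): ["MY-DOMAIN.XX"],
}

def dns_query(name, rtype, zone=ZONE):
    """Case-insensitive lookup in the fake zone (DNS owner names are not case-sensitive)."""
    return zone.get((name.lower().rstrip(".") + ".", rtype), [])

def realm_from_dns(hostname, zone=ZONE):
    """dns_lookup_realm: ask _kerberos.<host> TXT, then each parent domain in turn,
    and take the first answer as the realm name."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        txt = dns_query("_kerberos." + ".".join(labels[i:]), "TXT", zone)
        if txt:
            return txt[0]
    return None

def realm_from_domain_realm(hostname, mapping):
    """[domain_realm]: an exact host entry wins; otherwise the longest matching
    parent-domain entry (keys that start with a dot) applies."""
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    for key in sorted(mapping, key=len, reverse=True):
        if key.startswith(".") and host.endswith(key):
            return mapping[key]
    return None

def kdcs_from_dns(realm, proto="udp", zone=ZONE):
    """dns_lookup_kdc: read _kerberos._<proto>.<realm> SRV records and return
    (target, port) pairs, lowest priority first."""
    parsed = []
    for rr in dns_query(f"_kerberos._{proto}.{realm}", "SRV", zone):
        prio, weight, port, target = rr.split()
        parsed.append((int(prio), int(weight), target, int(port)))
    return [(target, port) for _, _, target, port in sorted(parsed)]

if __name__ == "__main__":
    host = "debian-server.my-domain.xx"
    print("TXT lookup  :", realm_from_dns(host))
    print("domain_realm:", realm_from_domain_realm(host, {".my-domain.xx": "MY-DOMAIN.XX"}))
    print("KDCs        :", kdcs_from_dns("MY-DOMAIN.XX"))
```

Both realm lookups answer MY-DOMAIN.XX for debian-server.my-domain.xx, which is why the service works either way; the difference lies only in whether the client already knows the realm when it first asks for the host ticket.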