Hi guys,
I've noticed a strange side effect when using a minimalistic krb5.conf file, making the Kerberos client use DNS for KDC / Realm lookups. All services work fine, I just can't figure out why this happens.
First off, here's how I configured my client machines' krb5.conf
Code:
[libdefaults]
forwardable = true
dns_lookup_realm = true
dns_lookup_kdc = true
My DNS is configured as follows (the domain / realm are my-domain.xx / MY-DOMAIN.XX):
Code:
$ORIGIN my-domain.xx.
_kerberos._udp IN SRV 1 0 88 centos-server1
_kerberos._tcp IN SRV 1 0 88 centos-server1
_kerberos-adm._tcp IN SRV 1 0 749 centos-server1
_kpasswd._udp IN SRV 1 0 464 centos-server1
_kerberos.my-domain.xx. IN TXT "MY-DOMAIN.XX"
With stuff configured this way, I'm able to authenticate myself against the KDC, get a TGT, and contact kerberized services / hosts with no problems whatsoever. However, I've noticed that I'm getting double instances of service / host tickets for every single service I connect to, one with Realm info included, the other one without. As you can see in the example, I've got two tickets for the same principal, only slightly different:
Quote:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mhead@MY-DOMAIN.XX
Valid starting Expires Service principal
06/30/10 16:14:33 07/01/10 02:14:33 krbtgt/MY-DOMAIN.XX@MY-DOMAIN.XX
renew until 07/01/10 16:14:46
06/30/10 16:14:44 07/01/10 02:14:33 host/debian-server.my-domain.xx@
renew until 07/01/10 16:14:46
06/30/10 16:14:44 07/01/10 02:14:33 host/debian-server.my-domain.xx@MY-DOMAIN.XX
renew until 07/01/10 16:14:46
Why this happens, I have no clue. Everything works as it should, though. Later on, after investigating, I noticed that if I add the following rows to the krb5.conf of the clients:
Code:
[domain_realm]
my-domain.xx = MY-DOMAIN.XX
.my-domain.xx = MY-DOMAIN.XX
then I get the normal single tickets.
However, this makes me think - isn't one of the purposes of the IN TXT DNS record that I have exactly to do these mappings, so that I don't have to add these [domain_realm] stanzas manually?
Any ideas?
Thanks in advance!
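To make the two lookups in the post concrete, here is an offline model of what an MIT krb5 client does with dns_lookup_realm and dns_lookup_kdc enabled: it maps a hostname to a realm by querying _kerberos.<host> TXT and stripping leading labels until a record answers, and maps a realm to KDCs via _kerberos._udp/_tcp.<realm> SRV. A small lint then checks that the records those lookups depend on are present and spelled the way krb5 queries them. This is an added example, not code from the post; the zone text is a constructed sample (it deliberately contains one misspelled SRV owner name so the lint has something to report), and no real resolver is consulted.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample zone in BIND fragment form. The third SRV owner name is
# deliberately misspelled (underscore instead of a dot before "tcp") to show
# what lint_zone() reports; krb5 queries _kerberos-adm._tcp, not _kerberos-adm_tcp.
SAMPLE_ZONE = """\
$ORIGIN my-domain.xx.
_kerberos._udp      IN SRV 1 0 88  centos-server1
_kerberos._tcp      IN SRV 1 0 88  centos-server1
_kerberos-adm_tcp   IN SRV 1 0 749 centos-server1
_kpasswd._udp       IN SRV 1 0 464 centos-server1
_kerberos           IN TXT "MY-DOMAIN.XX"
"""

Record = Tuple[str, object]  # (rtype, rdata); rdata is a tuple for SRV, str for TXT

# Owner-name prefixes MIT krb5 queries under a domain/realm for DNS discovery.
KERBEROS_SRV_NAMES = (
    "_kerberos._udp", "_kerberos._tcp",   # KDC
    "_kerberos-adm._tcp",                 # kadmin
    "_kpasswd._udp", "_kpasswd._tcp",     # password change
)


def _absolute(name: str, origin: str) -> str:
    """Qualify a relative owner or target name against $ORIGIN and lowercase it."""
    name = name.lower()
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin != "." else f"{name}."


def parse_zone(text: str) -> Dict[str, List[Record]]:
    """Parse SRV and TXT lines into {absolute owner name: [(type, rdata), ...]}."""
    origin = "."
    records: Dict[str, List[Record]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        owner = _absolute(owner, origin)
        if rtype == "SRV":
            prio, weight, port, target = rdata.split()
            value = (int(prio), int(weight), int(port), _absolute(target, origin))
        elif rtype == "TXT":
            value = rdata.strip().strip('"')
        else:
            continue  # other record types play no part in the Kerberos lookups
        records.setdefault(owner, []).append((rtype, value))
    return records


def lookup_realm(records: Dict[str, List[Record]], hostname: str) -> Optional[str]:
    """dns_lookup_realm: query _kerberos.<hostname> TXT, then drop one leading
    label at a time until a TXT record answers. Returns the realm or None."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = "_kerberos." + ".".join(labels[i:]) + "."
        for rtype, value in records.get(owner, []):
            if rtype == "TXT":
                return str(value)
    return None


def lookup_kdc(records: Dict[str, List[Record]], realm: str,
               proto: str = "udp") -> List[Tuple[str, int]]:
    """dns_lookup_kdc: _kerberos._<proto>.<realm> SRV, lowest priority first,
    highest weight first within a priority. Returns (target, port) pairs."""
    owner = f"_kerberos._{proto}.{realm.lower()}."
    srv = [v for t, v in records.get(owner, []) if t == "SRV"]
    srv.sort(key=lambda v: (v[0], -v[1]))
    return [(v[3], v[2]) for v in srv]


def lint_zone(records: Dict[str, List[Record]], domain: str) -> List[str]:
    """Report problems that would break DNS-based realm/KDC discovery for domain."""
    domain = domain.rstrip(".").lower() + "."
    findings: List[str] = []
    realm = lookup_realm(records, domain)
    if realm is None:
        findings.append(f"no _kerberos.{domain} TXT record: hosts in {domain} cannot be mapped to a realm")
    else:
        if realm != realm.upper():
            findings.append(f"realm TXT value {realm!r} is not upper-case; realm names are case-sensitive")
        if not lookup_kdc(records, realm, "udp"):
            findings.append(f"no _kerberos._udp.{realm.lower()}. SRV record: no KDC can be discovered for {realm}")
    known = {f"{n}.{domain}" for n in KERBEROS_SRV_NAMES} | {f"_kerberos.{domain}"}
    for owner in records:
        if not owner.endswith(domain) or owner in known:
            continue
        prefix = owner[:-len(domain)].rstrip(".")
        # An owner made only of underscore labels directly under the domain is
        # meant to be a service record; if krb5 never queries it, it is a typo.
        if prefix and all(label.startswith("_") for label in prefix.split(".")):
            findings.append(f"record name {owner} is not one krb5 queries (misspelled service/protocol label?)")
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    realm = lookup_realm(zone, "debian-server.my-domain.xx")
    print("realm:", realm)
    print("kdcs :", lookup_kdc(zone, realm or ""))
    for finding in lint_zone(zone, "my-domain.xx"):
        print("lint :", finding)
```

Running the module prints the realm the TXT walk yields for debian-server.my-domain.xx, the KDC the SRV lookup returns, and the one lint finding for the misspelled owner name. Pointing parse_zone() at a dump of a real zone file gives the same checks for an actual deployment.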