Kerberos on Mac


Kerberos on Mac

Matt Darwin
I’m an application developer trying to get my code to talk to a Hortonworks cluster using Kerberos.

My entire team of about 20 developers uses a linux VM for this, and it works fine.  I have a Mac and would like to use it for my development, but it won’t connect to the cluster.  When I run a linux VM on my Mac and try it from there, it works fine.  Two other developers report that they spent a couple of days trying to get it to work on Mac, and even asked friends who worked for Apple, before they gave up and switched to a linux VM.


I’ve written a detailed description of the problem on stack overflow : http://stackoverflow.com/questions/43685086/
Summary:
Zookeeper client reports "Server not found in Kerberos database (7) - UNKNOWN_SERVER"
All config files are identical between Mac and Linux.  
Reverse DNS of the server FQDN works fine on both linux and Mac.
Kinit and klist indicate kerberos is working fine.
Installing latest version via home-brew appears to make no difference

Only one answer on SO, suggesting that it could be something to do with DNS.

I just thought I’d try one final time, before I conclude that Kerberos and Mac simply aren’t compatible, and revert to using a Linux VM.

Help us [hidden email], you’re our only hope!



________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos on Mac

Greg Hudson
On 05/12/2017 11:28 AM, Matt Darwin wrote:
> I’ve written a detailed description of the problem on stack overflow : http://stackoverflow.com/questions/43685086/

I read this, and I don't see in there the server principal name in the
TGS request on macOS and on Linux.  You might be able to obtain that
with wireshark or similar if you can't get it out of the JVM.  That
information, together with knowledge of your DNS configuration, might
provide a hint as to what's going on.

Note that the JVM has its own Kerberos implementation, which is separate
from MIT krb5, Heimdal, or the macOS fork of Heimdal.  (I believe it's
possible to use a shim to force it to call out to the C library, but
from the stack trace it doesn't appear that you're doing that.)  So the
output you're getting from krb5-config --version is irrelevant, as is
using brew to install a newer C library.

Re: Kerberos on Mac

Matt Darwin
Hi Glenn, Greg,

Thanks for your input.

I’ve now done some debugging with Wireshark and found what I believe to be
the smoking gun:

So it looks like the client is sending

oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com

as the SnameString (presumably the SPN), when it should be sending:

d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com

I’ve updated the ticket with the details:
http://stackoverflow.com/questions/43685086

So question is, how do I persuade the JVM built-in kerberos client to
change the way it looks up server hosts?  Or is there genuinely a DNS
change required?

Bear in mind I have the following /etc/hosts entry:
10.252.134.51  d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com

Thanks,

Matt

On 12 May 2017 at 16:40, Greg Hudson <[hidden email]> wrote:

> On 05/12/2017 11:28 AM, Matt Darwin wrote:
> > I’ve written a detailed description of the problem on stack overflow :
> http://stackoverflow.com/questions/43685086/
>
> I read this, and I don't see in there the server principal name in the
> TGS request on macOS and on Linux.  You might be able to obtain that
> with wireshark or similar if you can't get it out of the JVM.  That
> information, together with knowledge of your DNS configuration, might
> provide a hint as to what's going on.
>
> Note that the JVM has its own Kerberos implementation, which is separate
> from MIT krb5, Heimdal, or the macOS fork of Heimdal.  (I believe it's
> possible to use a shim to force it to call out to the C library, but
> from the stack trace it doesn't appear that you're doing that.)  So the
> output you're getting from krb5-config --version is irrelevant, as is
> using brew to install a newer C library.
>

Re: Kerberos on Mac

Greg Hudson
On 05/15/2017 06:43 AM, Matt Darwin wrote:
> So it looks like the client is sending
>
> oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
>
> as the SnameString (presumably the SPN), when it should be sending:
>
> d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com

I don't appear to have access to your DNS information from here.  My
guess is that oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com is the
result of a PTR query on the IP address of the server, while
d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com is the preferred forward record
name.

If I'm right about that, what you're looking for is a way to get the JVM
Kerberos implementation to suppress the reverse DNS lookup when
canonicalizing the server name.  In MIT krb5, that would be accomplished
with the "rdns" setting in krb5.conf; for details, see:

http://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html

It's possible that the same setting might work for the Java
implementation, but I'm not certain.


Re: Kerberos on Mac

Todd Grayson
I would work to get forward/reverse DNS consistent rather than attempting
to configure around this.

But for reference's sake, the JGSS catalog of its supported settings is here:
"Supported krb5.conf Settings"
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html

rdns is not available; there is a "noaddresses" setting, but that seems to be more
for NAT handling.


On Mon, May 15, 2017 at 10:56 AM, Greg Hudson <[hidden email]> wrote:

> On 05/15/2017 06:43 AM, Matt Darwin wrote:
> > So it looks like the client is sending
> >
> > oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
> >
> > as the SnameString (presumably the SPN), when it should be sending:
> >
> > d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
>
> I don't appear to have access to your DNS information from here.  My
> guess is that oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com is the
> result of a PTR query on the IP address of the server, while
> d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com is the preferred forward record
> name.
>
> If I'm right about that, what you're looking for is a way to get the JVM
> Kerberos implementation to suppress the reverse DNS lookup when
> canonicalizing the server name.  In MIT krb5, that would be accomplished
> with the "rdns" setting in krb5.conf; for details, see:
>
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html
>
> It's possible that the same setting might work for the Java
> implementation, but I'm not certain.
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
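Greg's diagnosis and Todd's recommendation, as an added example that is not code from the thread or from any of the Kerberos implementations it mentions: a small simulation of how a client turns a hostname into a host-based service principal, first with reverse DNS applied (the behaviour MIT krb5 controls with the krb5.conf "rdns" setting) and then without it, followed by the forward/reverse consistency check Todd suggests fixing instead. The A and PTR records are constructed from the names posted above, the realm EXAMPLE.COM is a placeholder (the thread never names the real one), and the service name "zookeeper" and the canonicalization steps are a simplified assumption about what the real client does, not a reproduction of its code.

```python
"""Simulation of Kerberos server-name canonicalization with and without
reverse DNS (the MIT krb5 "rdns" setting). Added example, not code from the
thread; the DNS records below are constructed from the names posted in it.
"""

# Constructed resolver tables (assumptions about what the poster's DNS returns):
# forward (A) records map a name to an address, reverse (PTR) records map an
# address back to a name. The two are deliberately inconsistent, as in the thread.
FORWARD_RECORDS = {
    "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com": "10.252.134.51",
}
REVERSE_RECORDS = {
    "10.252.134.51": "oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com",
}
# Placeholder realm; the thread never names the real one.
REALM = "EXAMPLE.COM"


def canonicalize_host(hostname, rdns=True, forward=FORWARD_RECORDS,
                      reverse=REVERSE_RECORDS):
    """Simplified model of sname-to-principal canonicalization: forward-resolve
    the name, then (if rdns is on) replace it with the PTR name of the address.
    """
    name = hostname.rstrip(".").lower()
    address = forward.get(name)
    if address is None:
        raise LookupError(f"no forward record for {name}")
    if rdns:
        ptr_name = reverse.get(address)
        if ptr_name:
            # This is the step that turns d59407... into oc-10-252-134-51...
            name = ptr_name.rstrip(".").lower()
    return name


def service_principal(service, hostname, realm=REALM, rdns=True,
                      forward=FORWARD_RECORDS, reverse=REVERSE_RECORDS):
    """Build the host-based principal the client will ask the KDC for."""
    host = canonicalize_host(hostname, rdns, forward, reverse)
    return f"{service}/{host}@{realm}"


def dns_consistent(hostname, forward=FORWARD_RECORDS, reverse=REVERSE_RECORDS):
    """Todd's recommendation as a check: the PTR for the host's address must
    point back at the same name, so canonicalization agrees with or without rdns.
    """
    name = hostname.rstrip(".").lower()
    address = forward.get(name)
    if address is None:
        return False
    ptr_name = reverse.get(address, "").rstrip(".").lower()
    return ptr_name == name


if __name__ == "__main__":
    host = "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com"
    print("rdns=true :", service_principal("zookeeper", host, rdns=True))
    print("rdns=false:", service_principal("zookeeper", host, rdns=False))
    print("forward/reverse consistent:", dns_consistent(host))
    # Fixing the PTR record (rather than the client) makes both paths agree.
    fixed_reverse = {"10.252.134.51": host}
    print("after PTR fix:", service_principal("zookeeper", host, rdns=True,
                                               reverse=fixed_reverse))
```

With the constructed records, the rdns=True path yields the oc-10-252-134-51 principal that Wireshark showed, which the KDC rejects with UNKNOWN_SERVER because no key for that name exists; the rdns=False path and the fixed-PTR run both yield the d59407 principal. Since the JGSS settings list has no rdns knob, making the PTR record match the forward name is the fix that works for every client.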