dns_lookup_kdc


dns_lookup_kdc

Victor Sudakov
Dear Colleagues,

I'm trying to use a DNS TXT record to lookup domain to realm mappings:

$ dig +short txt _kerberos.mydomain.example
"FOO.EXAMPLE"
$ dig +short srv _kerberos._udp.mydomain.example
20 0 88 big.mydomain.example.
10 0 88 small.mydomain.example.

However, a Kerberos client, after correctly discovering its realm as
"FOO.EXAMPLE", is trying to lookup _kerberos._udp.FOO.EXAMPLE etc.

Is it expected behaviour? I supposed it should be looking up
_kerberos._udp.mydomain.example.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: dns_lookup_kdc

Harald Barth-2
> However, a Kerberos client, after correctly discovering its realm as
> "FOO.EXAMPLE", is trying to lookup _kerberos._udp.FOO.EXAMPLE etc.

Does it matter? Isn't the lookup case insensitive anyway?

$ dig +short _kerberos._udp.nada.kth.se srv
0 0 88 kdc0.nada.kth.se.
1 0 88 houting.pdc.kth.se.
2 0 88 kinilaw.pdc.kth.se.
$ dig +short _kerberos._udp.NADA.KTH.SE srv
2 0 88 kinilaw.pdc.kth.se.
0 0 88 kdc0.nada.kth.se.
1 0 88 houting.pdc.kth.se.
$ dig +short _KERBEROS._UDP.NADA.KTH.SE srv
1 0 88 houting.pdc.kth.se.
2 0 88 kinilaw.pdc.kth.se.
0 0 88 kdc0.nada.kth.se.

Harald.

Re: dns_lookup_kdc

Andrew Bartlett
In reply to this post by Victor Sudakov
On Thu, 2016-09-15 at 11:11 +0700, Victor Sudakov wrote:

> Dear Colleagues,
>
> I'm trying to use a DNS TXT record to lookup domain to realm
> mappings:
>
> $ dig +short txt _kerberos.mydomain.example
> "FOO.EXAMPLE"
> $ dig +short srv _kerberos._udp.mydomain.example
> 20 0 88 big.mydomain.example.
> 10 0 88 small.mydomain.example.
>
> However, a Kerberos client, after correctly discovering its realm as
> "FOO.EXAMPLE", is trying to lookup _kerberos._udp.FOO.EXAMPLE etc.
>
> Is it expected behaviour? I supposed it should be looking up
> _kerberos._udp.mydomain.example. 

Are you looking for dns_lookup_realm, not dns_lookup_kdc?

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


Re: dns_lookup_kdc

Victor Sudakov
In reply to this post by Harald Barth-2
Harald Barth wrote:
> > However, a Kerberos client, after correctly discovering its realm as
> > "FOO.EXAMPLE", is trying to lookup _kerberos._udp.FOO.EXAMPLE etc.
>
> Does it matter? Isn't the lookup case insensitive anyway?

Harald,

I'm not talking about case. I'm asking if it should be looking up
_kerberos._udp.mydomain.example or _kerberos._udp.foo.example

Please pay attention that the DNS domain and the realm name are different.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: dns_lookup_kdc

Victor Sudakov
In reply to this post by Andrew Bartlett
Andrew Bartlett wrote:

> >
> > I'm trying to use a DNS TXT record to lookup domain to realm
> > mappings:
> >
> > $ dig +short txt _kerberos.mydomain.example
> > "FOO.EXAMPLE"
> > $ dig +short srv _kerberos._udp.mydomain.example
> > 20 0 88 big.mydomain.example.
> > 10 0 88 small.mydomain.example.
> >
> > However, a Kerberos client, after correctly discovering its realm as
> > "FOO.EXAMPLE", is trying to lookup _kerberos._udp.FOO.EXAMPLE etc.
> >
> > Is it expected behaviour? I supposed it should be looking up
> > _kerberos._udp.mydomain.example. 
>
> Are you looking for dns_lookup_realm, not dns_lookup_kdc?

I'm looking for the algorithm of KDC discovery in a situation where
the DNS domain and Kerberos realm are different.

Should it look up _kerberos._udp.dnsdomain or _kerberos._udp.realm ?

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: dns_lookup_kdc

Harald Barth-2

To get the realm for a host, the code tries like this:

_kerberos.host.x.y.top TXT
_kerberos.x.y.top TXT
_kerberos.y.top TXT
_kerberos.top TXT

Example from habanero (my black box):

$ dig +short _kerberos.habanero.pdc.kth.se txt

nope :(

$ dig +short _kerberos.pdc.kth.se txt
"NADA.KTH.SE"

yes :)

Then to find the KDC:

$ dig +short _kerberos._udp.NADA.KTH.SE srv
0 0 88 kdc0.nada.kth.se.
1 0 88 houting.pdc.kth.se.
2 0 88 kinilaw.pdc.kth.se.

and if there is no contact by UDP, then maybe even

$ dig +short _kerberos._tcp.NADA.KTH.SE srv
2 0 88 kinilaw.pdc.kth.se.
0 0 88 kdc0.nada.kth.se.
1 0 88 houting.pdc.kth.se.

Harald.
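The discovery walk Harald describes (TXT lookups climbing the DNS hierarchy, then SRV under the discovered realm, UDP before TCP), as an added example that is not code from this thread or from any Kerberos library. The resolver is replaced by a constructed in-memory zone built from the dig output quoted earlier, so it runs offline; the function names are assumptions.

```python
"""Kerberos realm and KDC discovery via DNS (added example, stub resolver)."""
from typing import Dict, List, Optional, Tuple

# Constructed zone data mirroring the dig output quoted in the thread.
# Keys are lower-cased because DNS names are case-insensitive.
TXT: Dict[str, str] = {
    "_kerberos.mydomain.example": "FOO.EXAMPLE",
}
SRV: Dict[str, List[Tuple[int, int, int, str]]] = {
    # (priority, weight, port, target) -- note the realm, not the DNS suffix
    "_kerberos._udp.foo.example": [
        (20, 0, 88, "big.mydomain.example."),
        (10, 0, 88, "small.mydomain.example."),
    ],
}


def lookup_txt(name: str) -> Optional[str]:
    """Stub for a TXT query against the constructed zone."""
    return TXT.get(name.lower())


def lookup_srv(name: str) -> List[Tuple[int, int, int, str]]:
    """Stub for an SRV query against the constructed zone."""
    return SRV.get(name.lower(), [])


def discover_realm(hostname: str) -> Optional[str]:
    """Try _kerberos.<host>, _kerberos.<parent>, ... TXT up to the TLD."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        realm = lookup_txt("_kerberos." + ".".join(labels[i:]))
        if realm:
            return realm
    return None


def discover_kdcs(realm: str) -> Tuple[Optional[str], List[str]]:
    """SRV records under the realm name (RFC 4120 7.2.3.2): UDP, then TCP.

    Returns (protocol, ['host:port', ...]) ordered by SRV priority."""
    for proto in ("_udp", "_tcp"):
        records = lookup_srv(f"_kerberos.{proto}.{realm}")
        if records:
            return proto, [f"{t.rstrip('.')}:{p}" for _, _, p, t in sorted(records)]
    return None, []


def kdcs_for_host(hostname: str) -> Tuple[Optional[str], List[str]]:
    """Chain both steps: DNS suffix -> realm -> KDC list."""
    realm = discover_realm(hostname)
    return discover_kdcs(realm) if realm else (None, [])
```

Querying the SRV name under the DNS suffix instead of the realm returns nothing here, which is exactly the mismatch the thread is about.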

Re: dns_lookup_kdc

Victor Sudakov
Harald Barth wrote:

>
> $ dig +short _kerberos.pdc.kth.se txt
> "NADA.KTH.SE"
>
> yes :)
>
> Then to find the KDC:
>
> $ dig +short _kerberos._udp.NADA.KTH.SE srv

So, it looks up _kerberos._udp.${REALM}, not _kerberos._udp.${DNS_SUFFIX}.

Too bad. I expected that the _kerberos._udp.${DNS_SUFFIX} would do the job.

In this case, _kerberos._udp.${REALM} should be available in DNS,
which is not the case in my situation.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: dns_lookup_kdc

Harald Barth-2
> So, it looks up _kerberos._udp.${REALM}, not _kerberos._udp.${DNS_SUFFIX}.

My impression is that first _kerberos.$DNS_SUFFIX is looked up and then that realm is used
to look up _kerberos._udp.$REALM, however one would need to read more to figure out what
was _intended_ and what the application _actually_does_. There is some built-in guessing
in some implementations as well like upcasing the DNS_SUFFIX and trying if that's a REALM.

> Too bad. I expected that the _kerberos._udp.${DNS_SUFFIX} would do the job.

Hm. Maybe I should turn on some debugging in my resolvers and look if someone asks
for _kerberos._udp.pdc.kth.se but that might be the case if someone wrongly types
kinit [hidden email]. Sigh.

Sorry about first confusing your question to be about case.

Harald.

Re: dns_lookup_kdc

Benjamin Kaduk-2
In reply to this post by Victor Sudakov
On Thu, 15 Sep 2016, Victor Sudakov wrote:

> Harald Barth wrote:
>
> >
> > $ dig +short _kerberos.pdc.kth.se txt
> > "NADA.KTH.SE"
> >
> > yes :)
> >
> > Then to find the KDC:
> >
> > $ dig +short _kerberos._udp.NADA.KTH.SE srv
>
> So, it looks up _kerberos._udp.${REALM}, not _kerberos._udp.${DNS_SUFFIX}.
>
> Too bad. I expected that the _kerberos._udp.${DNS_SUFFIX} would do the job.

Nope, the realm is explicitly treated as a DNS (suffix) name for the
lookup of KDC addresses.

See https://tools.ietf.org/html/rfc4120#section-7.2.3.2

-Ben

Re: dns_lookup_kdc

Jeffrey Altman-2
In reply to this post by Victor Sudakov
On 9/15/2016 12:11 AM, Victor Sudakov wrote:
> Dear Colleagues,
>
> I'm trying to use a DNS TXT record to lookup domain to realm mappings:
>
> $ dig +short txt _kerberos.mydomain.example
> "FOO.EXAMPLE"

This indicates that the Kerberos realm for "mydomain.example" is
"FOO.EXAMPLE". The Kerberos library now needs to find the KDCs for
FOO.EXAMPLE and issues

> $ dig +short srv _kerberos._udp.mydomain.example
> 20 0 88 big.mydomain.example.
> 10 0 88 small.mydomain.example.

to obtain the list of KDC addresses that support the UDP protocol.
>
> However, a Kerberos client, after correctly discovering its realm as
> "FOO.EXAMPLE", is trying to lookup _kerberos._udp.FOO.EXAMPLE etc.
>
> Is it expected behaviour? I supposed it should be looking up
> _kerberos._udp.mydomain.example.

The behavior as observed is correct.

Jeffrey Altman




Re: dns_lookup_kdc

Victor Sudakov
In reply to this post by Benjamin Kaduk-2
Benjamin Kaduk wrote:

> > >
> > > $ dig +short _kerberos.pdc.kth.se txt
> > > "NADA.KTH.SE"
> > >
> > > yes :)
> > >
> > > Then to find the KDC:
> > >
> > > $ dig +short _kerberos._udp.NADA.KTH.SE srv
> >
> > So, it looks up _kerberos._udp.${REALM}, not _kerberos._udp.${DNS_SUFFIX}.
> >
> > Too bad. I expected that the _kerberos._udp.${DNS_SUFFIX} would do the job.
>
> Nope, the realm is explicitly treated as a DNS (suffix) name for the
> lookup of KDC addresses.
>
> See https://tools.ietf.org/html/rfc4120#section-7.2.3.2

Pity. The ${REALM} is just a realm, I did not want to support a special
DNS zone of the same name with the realm, but now I see I have to.

Thanks for clarifying anyway.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]