krb5


krb5

Earl A. Killian
I am using the krb5-1.12.5 port that comes with openSUSE 42.3. Recently
the SuSE distro changed their krb5.conf to include

        dns_canonicalize_hostname = false
        rdns = false

This was supposedly for security, so I applied the above to my own
krb5.conf. However, this change broke kprop. On the Kerberos master host
alpha.sub.killian.com (192.168.1.5) I did

# kinit root/admin
# kprop -f KILLIAN.COM.dump -ddd beta.killian.com
kprop: Client not found in Kerberos database while getting initial ticket

I then find in the KRB5_TRACE file:

[24229] 1508275209.426788: Convert service (null) (service with host as instance) on host (null) to principal
[24229] 1508275209.426802: Remote host after reverse DNS processing: alpha
[24229] 1508275209.426814: Got service principal host/alpha@
[24229] 1508275209.426821: Initializing MEMORY:_kproptkt with default princ host/[hidden email]
[24229] 1508275209.426826: Convert service host (service with host as instance) on host beta.killian.com to principal
[24229] 1508275209.426828: Remote host after reverse DNS processing: beta.killian.com
[24229] 1508275209.426832: Got service principal host/[hidden email]
[24229] 1508275209.426842: Getting initial credentials for host/[hidden email]
[24229] 1508275209.426872: Setting initial creds service to host/[hidden email]
[24229] 1508275209.426905: Sending request (164 bytes) to KILLIAN.COM
[24229] 1508275209.426928: Resolving hostname alpha.sub.killian.com
[24229] 1508275209.427107: Sending initial UDP request to dgram 192.168.1.5:88
[24229] 1508275209.427221: Received answer (182 bytes) from dgram 192.168.1.5:88
[24229] 1508275209.427233: Response was not from master KDC
[24229] 1508275209.427242: Received error from KDC: -1765328378/Client not found in Kerberos database
[24229] 1508275209.427264: Destroying ccache MEMORY:_kproptkt

So it appears that it is not using the FQDN for the initiating host when
determining a principal (see the 4th line above where it says
"host/alpha" instead of "host/alpha.sub.killian.com").

So obviously I removed the two new "security" lines from my krb5.conf to
restore things to a working situation. However, I would like to inquire
of the mailing list how things are supposed to work when those are set
to false as in the openSUSE distro.

-Earl

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: krb5

Benjamin Kaduk-2
On Tue, Oct 17, 2017 at 03:04:20PM -0700, Earl Killian wrote:
> So obviously I removed the two new "security" lines from my krb5.conf to
> restore things to a working situation. However, I would like to inquire
> of the mailing list how things are supposed to work when those are set
> to false as in the openSUSE distro.

Most likely, your system is configured such that (some things) think that
the local hostname is just "alpha", not the fully-qualified form.
So, the output of `hostname` and `hostname -f` are interesting, as is
the contents of /etc/hosts.

-Ben

Re: krb5

Earl A. Killian
Thank you. Here are the things you requested plus a few more:

% hostname
alpha
% hostname -f
alpha.sub.killian.com
% sed -n -e '/^[^#]/p' /etc/hosts
127.0.0.1 localhost
::1             localhost ipv6-localhost ipv6-loopback
fe00::0         ipv6-localnet
ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts
% dig +nocmd +noadditional +noauthority -x 192.168.1.5 | sed -n -e '/^[^;]/p'
5.1.168.192.IN-ADDR.ARPA. 28800 IN PTR alpha.sub.killian.com.
% sed -n -e '/^[^#]/p' /etc/host.conf
order hosts, bind
multi on
% sed -n -e '/^[^#]/p' /etc/nsswitch.conf
passwd: compat
group:  compat
hosts:   files mdns_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files


On 10/17/17 16:44, Benjamin Kaduk wrote:

> On Tue, Oct 17, 2017 at 03:04:20PM -0700, Earl Killian wrote:
>> So obviously I removed the two new "security" lines from my krb5.conf to
>> restore things to a working situation. However, I would like to inquire
>> of the mailing list how things are supposed to work when those are set
>> to false as in the openSUSE distro.
> Most likely, your system is configured such that (some things) think that
> the local hostname is just "alpha", not the fully-qualified form.
> So, the output of `hostname` and `hostname -f` are interesting, as is
> the contents of /etc/hosts.
>
> -Ben


Re: krb5

Greg Hudson
In reply to this post by Earl A. Killian
On 10/17/2017 06:04 PM, Earl Killian wrote:
> However, I would like to inquire
> of the mailing list how things are supposed to work when those are set
> to false as in the openSUSE distro.

Not as easily as I would like.  For the specific issue you mention, I
think the only two workarounds are:

1. Create a principal "host/alpha" and put it in keytabs and ACL files
alongside "host/alpha.killian.com".

2. Arrange for gethostname() to return the FQDN (alpha.killian.com)
instead of just "alpha".  This might have undesirable side effects as it
would be a system-wide change.

POSIX does not make it easy to get this right without risking using
insecure DNS, although there are some improvements we could make (such
as looking to see if there is exactly one search domain in _res.dnsrch,
and expanding single-component hostnames using that domain if so).
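The heuristic Greg sketches above (qualify a single-component gethostname() result only when the resolver has exactly one search domain, so no DNS lookup is involved), written out as an added illustration that is not krb5's code: `expand_short_hostname` is a hypothetical pure function that takes the hostname and search list as arguments, and `local_fqdn_guess` feeds it the live values from gethostname() and glibc's `_res.dnsrch` after `res_init()`.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

/* Hypothetical policy function: qualify a one-label hostname with the
 * resolver search domain only when there is exactly one search domain.
 * Returns 0 (out filled), 1 (left unqualified: zero or several search
 * domains, so guessing would be ambiguous), or -1 on error. */
int expand_short_hostname(const char *host, const char *const *search,
                          size_t nsearch, char *out, size_t outlen)
{
    int n;

    if (host == NULL || host[0] == '\0' || out == NULL || outlen == 0)
        return -1;
    if (strchr(host, '.') != NULL) {
        /* Already multi-component (e.g. beta.killian.com): pass through. */
        n = snprintf(out, outlen, "%s", host);
    } else if (nsearch == 1 && search != NULL && search[0] != NULL &&
               search[0][0] != '\0') {
        /* Exactly one search domain: "alpha" -> "alpha.sub.killian.com". */
        n = snprintf(out, outlen, "%s.%s", host, search[0]);
    } else {
        return 1;   /* refuse to guess rather than consult insecure DNS */
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Wrapper over the live system: gethostname() plus _res.dnsrch. */
int local_fqdn_guess(char *out, size_t outlen)
{
    char host[256];
    const char *search[MAXDNSRCH];
    size_t n = 0;

    if (gethostname(host, sizeof host) != 0 || res_init() != 0)
        return -1;
    host[sizeof host - 1] = '\0';
    while (n < MAXDNSRCH && _res.dnsrch[n] != NULL) {
        search[n] = _res.dnsrch[n];
        n++;
    }
    return expand_short_hostname(host, search, n, out, outlen);
}

int main(void)
{
    char fqdn[256];
    int rc = local_fqdn_guess(fqdn, sizeof fqdn);
    printf("%s\n", rc == 0 ? fqdn : "(left unqualified: no single search domain)");
    return rc < 0;
}
```

On a host whose resolv.conf lists a single search domain, the program prints the name kprop would have used for the host principal; with several or none it declines, which is the conservative behaviour the thread argues for.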

Re: krb5

Earl A. Killian
Thank you for further detail. I wish that gethostname returned a FQDN,
but since I don't know the reason that people have decided that it not
do so, I probably shouldn't go that route.

I think the problem arises from glibc implementing
gethostname/getdomainname using uname(2), and that seems difficult to
change now.

I suppose you could add something to krb5.conf to provide the default
value to append to what gethostname() returns, but that seems not
sufficiently flexible to be worth the complication. Since krb5.conf is
per-machine, I suppose you could just have it specify the host principal
to use, and ignore gethostname() altogether.

-Earl

On 10/18/17 17:42, Greg Hudson wrote:

> On 10/17/2017 06:04 PM, Earl Killian wrote:
>> However, I would like to inquire
>> of the mailing list how things are supposed to work when those are set
>> to false as in the openSUSE distro.
> Not as easily as I would like.  For the specific issue you mention, I
> think the only two workarounds are:
>
> 1. Create a principal "host/alpha" and put it in keytabs and ACL files
> alongside "host/alpha.killian.com".
>
> 2. Arrange for gethostname() to return the FQDN (alpha.killian.com)
> instead of just "alpha".  This might have undesirable side effects as it
> would be a system-wide change.
>
> POSIX does not make it easy to get this right without risking using
> insecure DNS, although there are some improvements we could make (such
> as looking to see if there is exactly one search domain in _res.dnsrch,
> and expanding single-component hostnames using that domain if so).
