
Need clarification on "dns_lookup_kdc" and "dns_lookup_realm" tags in krb5.conf file


sandyp...@gmail.com

Dec 17, 2006, 12:15:42 AM
Hi All,

My krb5.conf file looks like:

[libdefaults]
default_realm = kerb.COM
clockskew = 300
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
kerb.cOM = {
kdc = 192.168.1.64
}

In the file above, I am specifying false values for both
"dns_lookup_kdc" and "dns_lookup_realm". My requirement is not to use
DNS for the KDC and realm. When I capture the packets, there are
no DNS queries from the client; AS-REQ and AS-REP are seen and I am
able to get the TGT.

If I don't specify these tags, as in the file below,

[libdefaults]
default_realm = kerb.COM
clockskew = 300
[realms]
kerb.cOM = {
kdc = 192.168.1.64
}

I see that along with the AS-REQ and AS-REP packets, the client is sending
"Standard query SRV _kerberos-master._udp.kerb.com" to the KDC, and the KDC
is replying "no such name". Does this mean that, as I have not specified
the DNS tags in the file, the client is trying to use DNS? As my requirement
is not to use DNS at any time, do I have to specify "dns_lookup_kdc =
false" and "dns_lookup_realm = false"?

Packet flow for the above scenario is:
client <-> KDC AS-REQ
KDC <-> client Pre-Auth required
client <-> KDC "Standard query SRV _kerberos-master._udp.kerb.com"
KDC <-> client "no such name"
client <-> KDC AS-REQ
KDC <-> client AS-REP


Thanks.

Sensei

Dec 17, 2006, 3:36:56 AM
On 2006-12-17 06:15:42 +0100, sandyp...@gmail.com said:

> I see that along with the AS-REQ and AS-REP packets, the client is sending
> "Standard query SRV _kerberos-master._udp.kerb.com" to the KDC, and the KDC
> is replying "no such name". Does this mean that, as I have not specified
> the DNS tags in the file, the client is trying to use DNS? As my requirement
> is not to use DNS at any time, do I have to specify "dns_lookup_kdc =
> false" and "dns_lookup_realm = false"?
>
> Packet flow for the above scenario is:
> client <-> KDC AS-REQ
> KDC <-> client Pre-Auth required
> client <-> KDC "Standard query SRV _kerberos-master._udp.kerb.com"
> KDC <-> client "no such name"
> client <-> KDC AS-REQ
> KDC <-> client AS-REP

I'd say yes. It should be no harm, at least if you're not planning to
minimize the number of packets.

--
Sensei <senseiwa@Apple's mail>

Research (n.): a discovery already published by a Chinese guy one month
before you, copying a Russian who did it in the 60s.

sandyp...@gmail.com

Dec 17, 2006, 11:39:08 PM
Hi Sensei,

> I'd say yes. It should be no harm, at least if you're not planning to
> minimize the number of packets.

Thanks for the quick reply. I need a clarification on your reply.
Do you mean I should specify the "dns_lookup_kdc = false" and
"dns_lookup_realm = false" tags because I do not want to use DNS? Or, as I
have specified the realm and KDC address in the file, will DNS not be used
even if I do not specify these tags? Which will have more priority?
Is it the realm and KDC address specified in the file, or DNS?

Thanks
sandy.

Jeffrey Altman

Dec 18, 2006, 6:49:12 AM
It is not clear from the admin docs

http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.1/doc/krb5-admin/libdefaults.html#libdefaults

but the contents of the krb5.conf file are always used in preference to
DNS. If you have kdc entries for the realm in question, DNS will not be
queried for that realm. DNS is only queried if there are no kdc entries
for the realm in question and dns_lookup_kdc is TRUE.

dns_lookup_realm is used to indicate that DNS SRV records should be used
when there is no matching domain to realm mapping in the krb5.conf file.

Jeffrey Altman

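To make the precedence in this reply concrete, here is an added Python example (not from this thread or from MIT krb5) that parses a krb5.conf like the ones posted above and decides where a client would look for a KDC. It assumes the "master_kdc" realm tag as the file-side counterpart of the "_kerberos-master._udp" SRV query seen in the capture, the standard "_kerberos._udp" SRV name for ordinary KDCs, and true as the default for dns_lookup_kdc when the tag is absent.

```python
# Constructed sample mirroring the thread's second krb5.conf (no dns_lookup_* tags).
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = kerb.COM
clockskew = 300
[realms]
kerb.COM = {
kdc = 192.168.1.64
}
"""
# The same file with DNS switched off, as in the thread's first krb5.conf.
NO_DNS_KRB5_CONF = SAMPLE_KRB5_CONF.replace(
    "[libdefaults]", "[libdefaults]\ndns_lookup_kdc = false\ndns_lookup_realm = false")
# SRV name per server kind (assumed mapping): the master one is the query in the capture.
SRV_PREFIX = {"kdc": "_kerberos._udp.", "master_kdc": "_kerberos-master._udp."}

def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [sections], key = value pairs and one level of
    'name = { ... }' sub-blocks (enough for [libdefaults] and [realms])."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = line[:-1].strip(" =")
            conf[section][block] = {}
        else:
            key, _, val = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target.setdefault(key.strip(), []).append(val.strip())  # tags may repeat
    return conf

def locate(conf, realm, tag="kdc"):
    """Return ("config", addrs), ("dns", [srv name]) or ("none", []) per the reply
    above: file entries win; DNS is tried only when the realm has no such entry and
    dns_lookup_kdc is true (assumed default). Realm matching is case-sensitive."""
    entries = conf.get("realms", {}).get(realm, {}).get(tag, [])
    if entries:
        return ("config", entries)
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
    if flag in ("true", "yes", "1"):
        return ("dns", [SRV_PREFIX[tag] + realm.lower()])  # DNS is case-insensitive
    return ("none", [])
```

Run against the second file above, the realm's kdc line answers the ordinary lookup from the file while the master-KDC lookup falls through to DNS, which matches the SRV query in the capture; with dns_lookup_kdc = false the same lookup returns nothing instead of querying DNS.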