• Re: kinit without dns

    From Ken Hornstein@21:1/5 to Michael B Allen on Wed Jan 24 15:34:22 2024
    Copy: kerberos@mit.edu (kerberos)

    You MIGHT be better served by turning on Kerberos tracing to see what the library is doing. Prefixing that kinit with:

    env KRB5_TRACE=/dev/stdout

    would be useful. However, assuming these are in order ...

    Protocol Length Info
    DNS 80 Standard query 0xd8af A dc1.gogo.loco
    DNS 96 Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
    KRB5 221 AS-REQ
    KRB5 234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

    This looks like the basic exchange with the KDC did not do any DNS lookups (other than the hostname).

    DNS 79 Standard query 0x314d URI _kerberos.GOGO.LOCO
    DNS 154 Standard query response 0x314d No such name URI _kerberos.GOGO.LOCO SOA a.root-servers.net
    DNS 91 Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
    DNS 166 Standard query response 0xfc89 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net

    This looks like it is trying to find the name of the primary KDC. You
    could put a line "master_kdc = dc1.gogo.logo" under the [realms] stanza
    and I believe it would suppress these lookups (the preferred relation
    name was changed to "primary_kdc" in 1.19 but it is still supposed to
    fall back to the older name). I think that should get rid of all of the
    lookups I see (I believe the PREAUTH_REQUIRED error makes it want to
    find the primary KDC).

    --Ken

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
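
Added example (not part of any poster's message or of MIT krb5): a small Python check that sorts the DNS lookups in a capture summary like the one quoted above into plain host resolution and KDC-discovery queries, so a krb5.conf change can be verified by re-capturing and re-running it. The function names and the `_kerberos` prefix test are assumptions of this sketch; the sample lines are the thread's capture with wrapped lines rejoined.

```python
import re

# Sample input: the Protocol/Length/Info lines from the capture quoted in the
# thread, with wrapped lines rejoined.
CAPTURE = """\
DNS 80 Standard query 0xd8af A dc1.gogo.loco
DNS 96 Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
KRB5 221 AS-REQ
KRB5 234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
DNS 79 Standard query 0x314d URI _kerberos.GOGO.LOCO
DNS 154 Standard query response 0x314d No such name URI _kerberos.GOGO.LOCO SOA a.root-servers.net
DNS 91 Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
DNS 166 Standard query response 0xfc89 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
"""

QUERY = re.compile(r"^DNS \d+ Standard query (0x[0-9a-f]+) (\S+) (\S+)$")
RESPONSE = re.compile(r"^DNS \d+ Standard query response (0x[0-9a-f]+) (.*)$")


def dns_lookups(capture):
    """Return one dict per DNS query, in capture order, with its outcome."""
    lookups = {}  # keyed by DNS transaction ID so responses pair with queries
    for line in capture.splitlines():
        line = line.strip()
        m = QUERY.match(line)
        if m:
            txid, rtype, name = m.groups()
            # Assumption of this sketch: names under _kerberos* are KDC
            # discovery, anything else is ordinary hostname resolution.
            lookups[txid] = {"type": rtype, "name": name, "answered": None,
                             "discovery": name.startswith("_kerberos")}
            continue
        m = RESPONSE.match(line)
        if m and m.group(1) in lookups:
            lookups[m.group(1)]["answered"] = not m.group(2).startswith("No such name")
    return list(lookups.values())


def discovery_lookups(capture):
    """(type, name) of each query made to locate a KDC rather than resolve a host."""
    return [(l["type"], l["name"]) for l in dns_lookups(capture) if l["discovery"]]


if __name__ == "__main__":
    outcome = {True: "answered", False: "no such name", None: "no response"}
    for l in dns_lookups(CAPTURE):
        kind = "KDC discovery" if l["discovery"] else "host lookup"
        print(f'{l["type"]:4} {l["name"]:34} {kind:14} {outcome[l["answered"]]}')
```

An empty result from `discovery_lookups` on a fresh capture means only hostname resolution is left.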
  • From Sam Hartman@21:1/5 to Michael B Allen on Wed Jan 24 14:27:51 2024
    To: kerberos@mit.edu (kerberos)

    "Michael" == Michael B Allen <ioplex@gmail.com> writes:

    Michael> Hi Ken,

    Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
    Michael> are 1.21 but the KRB5_TRACE feature was introduced in 1.9.

    Last time I checked, 1.21 > 1.9.

  • From Ken Hornstein@21:1/5 to Michael B Allen on Wed Jan 24 16:19:31 2024
    Copy: kerberos@mit.edu (kerberos)

    > Indeed. Unfortunately my stock packages on CentOS 9 Stream are 1.21
    > but the KRB5_TRACE feature was introduced in 1.9.

    Ummm ... 21 > 9, I think? :-)

    > At any rate, of course I figured out the problem right after posting this ...

    Glad you figured it out.

    --Ken
