[Freeipa-devel] Determine KDC for a website

Adam Young ayoung at redhat.com
Fri Mar 18 15:15:26 UTC 2011


On 03/18/2011 10:53 AM, Nalin Dahyabhai wrote:
> On Thu, Mar 17, 2011 at 08:03:14PM -0400, Adam Young wrote:
>> I'm trying to figure out what should happen in the following case;
>>
>> A user goes to a website that they've never visited before.
>> The site is using Kerberos, and thus the browser gets back a
>> "Negotiate" response.
>>
>> At this point, the browser chops the hostname off the URL and
>> requests the TXT record for "_kerberos."+domain
>> This gives the browser back the REALM.
> The client will only consult DNS here if "dns_lookup_realm" is enabled
> in the [libdefaults] section of your krb5.conf.
>
> If the client's KDC is capable of issuing referrals and "knows" that the
> web server host is a member of a particular realm, then the client will
> trust that its KDC is pointing it in the right direction, regardless of
> what's in DNS.
>
>> Now, there seems to be an understanding that the default REALM to
>> domain mapping should be REALM.to_lower.
>>
>> Now to find the KDC for the server, I can do a DNS query for the
>> SRV record
>>
>> "_kerberos._udp." + domain.
> Section 7.2.3 of rfc4120 describes this in more detail.
>
>> However, when I have a krb5 conf setup that does not explicitly set
>> the kdc value below....
>>
>> [realms]
>>   AYOUNG.BOSTON.DEVEL.REDHAT.COM = {
>>    kdc = ipa14.ayoung.boston.devel.redhat.com:88
>> }
>>
>> ...I cannot kinit against the realm AYOUNG.BOSTON.DEVEL.REDHAT.COM.
>> I've confirmed that I can query my IPA server's DNS server and get
>> the appropriate records.
>>
>> Is there a step I am missing, or is this lookup not supported in the
>> library?  Is there some way I can better debug this?
> Is your client configured to consult DNS in this way?  Specifically, is
> "dns_lookup_kdc" enabled in the [libdefaults] section?

Both dns_lookup_kdc and dns_lookup_realm were set to false. Once I set 
them to true, it worked.  Thanks.
> HTH,
>
> Nalin

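As an added example (not part of the thread), the client-side lookups described above in Python against a constructed DNS table: the realm comes from the `_kerberos.<domain>` TXT record only when dns_lookup_realm is enabled, the KDC list from the `_kerberos._udp.<realm lower-cased>` SRV record only when dns_lookup_kdc is enabled, and an explicit [realms] kdc entry short-circuits the SRV lookup. The Krb5Conf model, its defaults and the "backup" KDC name are assumptions; KDC referrals are not modelled.

```python
"""Client-side realm and KDC discovery as discussed in the thread.
The DNS table is constructed for this example; it is not the real zone."""
from dataclasses import dataclass, field

# Constructed stand-in for DNS answers, keyed by (name, record type).
DNS = {
    ("_kerberos.ayoung.boston.devel.redhat.com", "TXT"):
        ["AYOUNG.BOSTON.DEVEL.REDHAT.COM"],
    # SRV tuples are (priority, weight, port, target); "backup" is invented.
    ("_kerberos._udp.ayoung.boston.devel.redhat.com", "SRV"): [
        (0, 100, 88, "ipa14.ayoung.boston.devel.redhat.com"),
        (10, 0, 88, "backup.ayoung.boston.devel.redhat.com"),
    ],
}

@dataclass
class Krb5Conf:  # the krb5.conf settings that matter here (assumed model)
    dns_lookup_realm: bool = False   # [libdefaults]; defaults are this model's
    dns_lookup_kdc: bool = False
    realms: dict = field(default_factory=dict)        # REALM -> [host:port]
    domain_realm: dict = field(default_factory=dict)  # ".domain" -> REALM

def realm_for_host(host, conf, dns=DNS):
    """Chop the hostname off and walk up the parent domains: a
    [domain_realm] entry wins; otherwise the _kerberos.<domain> TXT record
    is consulted, but only when dns_lookup_realm is enabled."""
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        if "." + domain in conf.domain_realm:
            return conf.domain_realm["." + domain]
        if conf.dns_lookup_realm:
            txt = dns.get(("_kerberos." + domain, "TXT"))
            if txt:
                return txt[0]
    return None  # no mapping: the client cannot even pick a realm

def kdcs_for_realm(realm, conf, dns=DNS):
    """An explicit [realms] kdc entry short-circuits DNS; otherwise the
    _kerberos._udp.<realm lower-cased> SRV record is used, ordered by
    priority then weight, and only when dns_lookup_kdc is enabled.
    An empty list is the 'cannot kinit' case from the thread."""
    if conf.realms.get(realm):
        return list(conf.realms[realm])
    if not conf.dns_lookup_kdc:
        return []
    srv = dns.get(("_kerberos._udp." + realm.lower(), "SRV"), [])
    ordered = sorted(srv, key=lambda r: (r[0], -r[1]))
    return [f"{target}:{port}" for _, _, port, target in ordered]
```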