[Freeipa-users] Problem with KRB DNS discovery (i think)

Nalin Dahyabhai nalin at redhat.com
Wed Nov 25 18:32:38 UTC 2009


On Wed, Nov 25, 2009 at 06:42:16PM +0100, Tomasz 'Zen' Napierala wrote:
> On Wed, 2009-11-25 at 15:50 +0100, Tomasz Z. Napierala wrote:
> > Hi,
> > 
> > I'm getting problems installing clients with default ipa-client-install
> > values. Realm and domain are both discovered successfully but then after
> > issuing kinit admin I'm getting:
> > 
> > kinit(v5): Cannot resolve network address for KDC in realm QXLTECH while
> > getting initial credentials
> > 
> > My krb5.conf looks like this:
> > [libdefaults]
> >   default_realm = QXLTECH
> >   dns_lookup_realm = true
> >   dns_lookup_kdc = true
> >   ticket_lifetime = 24h
> >   forwardable = yes
> > 
> > [domain_realm]
> >   .dc2 = QXLTECH
> >   dc2 = QXLTECH
[snip]
> I dug a little bit deeper and straced kinit. It looks like kinit is
> picking up the wrong domain name.
> My realm is QXLTECH but the domain name is .dc2 or .dc3. Kinit is requesting
> _kerberos._tcp.QXLTECH
> How can I change it?

I wouldn't recommend trying, not exactly.  The client's doing what the
standards say it should, but that might be confusing in cases where the
realm name and domain name are different because the query is based on
the realm name and not the domain name.  To understand it, it's useful
to know that there are two kinds of DNS queries being made here:

1. Kerberos is using DNS to figure out the name of the realm to which a
   given host belongs, and for that it's going to use the hostname and
   domain name to form its queries.  For the configuration you provided,
   the records in DNS would probably look something like this:
     _kerberos.dc2.                 IN TXT "QXLTECH"

2. Kerberos is using DNS to get the hostname of a KDC for the realm.
   The important detail is that it uses the realm name and not a domain
   name to form the query, and I suspect that's what's missing in your
   setup.  The records in DNS are regular SRV records, and they'd
   probably look like this:
     _kerberos._udp.qxltech.        IN SRV 0 0  88 kdc-host.dc2.
     _kerberos._tcp.qxltech.        IN SRV 0 0  88 kdc-host.dc2.
     _kerberos-master._udp.qxltech. IN SRV 0 0  88 kdc-host.dc2.
     _kerberos-master._tcp.qxltech. IN SRV 0 0  88 kdc-host.dc2.
     _kpasswd._udp.qxltech.         IN SRV 0 0 464 kdc-host.dc2.
     _kpasswd._tcp.qxltech.         IN SRV 0 0 464 kdc-host.dc2.

It's pretty common to have the DNS domain name and the Kerberos realm
name differ only by case (for example, "example.com" as a domain name,
and "EXAMPLE.COM" as the realm), or to have the domain name look like a
subdomain of the realm name (for example, "devel.example.com" for the
domain name, "EXAMPLE.COM" for the realm), so most people end up not
having to care that the second case uses the realm rather than the DNS
domain name.  But it looks as though, in your configuration, you do.

HTH,

Nalin
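To make the two-stage lookup Nalin describes concrete, here is an added example (not code from this thread or from the FreeIPA or MIT krb5 projects) that simulates the client's realm and KDC discovery against an in-memory zone. The records mirror the ones in the mail (realm QXLTECH, DNS domain dc2, KDC kdc-host.dc2.); the client hostname client1.dc2 and the second "broken" zone, where the SRV records were published under the domain name instead of the realm, are constructed for the demonstration. It also generates the realm-keyed SRV lines that would make the second stage succeed.

```python
"""Two-stage Kerberos DNS discovery, simulated against constructed records.

Added example: the zone contents and host names are constructed to match
the realm/domain split in the thread (realm QXLTECH, DNS domain dc2), not
taken from any live DNS.
"""

# Constructed zone reflecting the working layout described in the mail.
# Owner names are absolute (trailing dot); DNS names are case-insensitive,
# so the zone is keyed on the lowercased name.
ZONE_WORKING = {
    "_kerberos.dc2.": {"TXT": ["QXLTECH"]},
    "_kerberos._udp.qxltech.": {"SRV": [(0, 0, 88, "kdc-host.dc2.")]},
    "_kerberos._tcp.qxltech.": {"SRV": [(0, 0, 88, "kdc-host.dc2.")]},
    "_kerberos-master._udp.qxltech.": {"SRV": [(0, 0, 88, "kdc-host.dc2.")]},
    "_kerberos-master._tcp.qxltech.": {"SRV": [(0, 0, 88, "kdc-host.dc2.")]},
    "_kpasswd._udp.qxltech.": {"SRV": [(0, 0, 464, "kdc-host.dc2.")]},
    "_kpasswd._tcp.qxltech.": {"SRV": [(0, 0, 464, "kdc-host.dc2.")]},
}

# Constructed zone reproducing the suspected misconfiguration: the SRV
# records live under the DNS domain (dc2) rather than the realm (qxltech),
# so stage 1 succeeds but stage 2 finds nothing.
ZONE_BROKEN = {
    "_kerberos.dc2.": {"TXT": ["QXLTECH"]},
    "_kerberos._udp.dc2.": {"SRV": [(0, 0, 88, "kdc-host.dc2.")]},
    "_kerberos._tcp.dc2.": {"SRV": [(0, 0, 88, "kdc-host.dc2.")]},
}


def lookup(zone, name, rtype):
    """Stand-in for a resolver query; returns [] on NXDOMAIN or NODATA."""
    return zone.get(name.lower(), {}).get(rtype, [])


def discover_realm(zone, hostname):
    """Stage 1 (dns_lookup_realm): find the realm from the host's DNS name.

    Queries _kerberos.<name>. TXT, starting at the host itself and walking
    up one label at a time, as MIT krb5 does when [domain_realm] has no
    mapping for the host.
    """
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = "_kerberos." + ".".join(labels[i:]) + "."
        txt = lookup(zone, owner, "TXT")
        if txt:
            return txt[0]
    return None


def discover_service(zone, realm, service="_kerberos", proto="udp"):
    """Stage 2 (dns_lookup_kdc): SRV lookup keyed on the REALM, not the domain.

    Returns (target, port) pairs, lowest priority first and, within one
    priority, highest weight first.
    """
    records = lookup(zone, f"{service}._{proto}.{realm}.", "SRV")
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [(target, port) for _prio, _weight, port, target in ordered]


def kinit_kdc_resolution(zone, hostname):
    """Mimic what a client on `hostname` ends up with after both stages."""
    realm = discover_realm(zone, hostname)
    if realm is None:
        return "cannot determine realm from DNS"
    kdcs = (discover_service(zone, realm, "_kerberos", "udp")
            + discover_service(zone, realm, "_kerberos", "tcp"))
    if not kdcs:
        # This is the situation in the thread: realm found, KDC SRV missing.
        return f"Cannot resolve network address for KDC in realm {realm}"
    target, port = kdcs[0]
    return f"KDC for {realm}: {target}:{port}"


def srv_records_for_realm(realm, kdc_host):
    """Zone-file lines that make stage 2 succeed: SRV owners built from the realm."""
    lines = []
    for service, port in (("_kerberos", 88), ("_kerberos-master", 88), ("_kpasswd", 464)):
        for proto in ("udp", "tcp"):
            lines.append(f"{service}._{proto}.{realm.lower()}. IN SRV 0 0 {port} {kdc_host}")
    return lines


if __name__ == "__main__":
    print(kinit_kdc_resolution(ZONE_BROKEN, "client1.dc2"))
    print(kinit_kdc_resolution(ZONE_WORKING, "client1.dc2"))
    print("\n".join(srv_records_for_realm("QXLTECH", "kdc-host.dc2.")))
```

Running it against the broken zone reproduces the "Cannot resolve network address for KDC in realm QXLTECH" outcome even though the realm TXT record resolves, which is the symptom to check for with `dig SRV _kerberos._udp.<realm-in-lowercase>` whenever the realm and domain names differ.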
