[39030] in Kerberos


Re: DNS host mapping

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sun Oct 17 13:51:20 2021

Message-ID: <202110171748.19HHmNbY022184@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: Mike Landis <darkskyanarchy@gmail.com>
In-Reply-To: <CAMZe=WAOTot=2qKLr5JRLUWsAcCMQRm39R6K=X3t5YTjDy0JCA@mail.gmail.com>
MIME-Version: 1.0
Date: Sun, 17 Oct 2021 13:48:23 -0400
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>I own the domain 3c58.com (which is routable
>on the Internet), so I named the local machine Level10.3c58.com.  I'd like
>kerberos to create tickets for that machine, but I have run out of ideas on
>how to get that to happen under present circumstances.  Is there some way
>to convince Kerberos to look at the hosts file on windows or somehow tap
>the router's domain name server?  Is this behavior a bug or intended
>security behavior?

There are a couple of details here that matter.

- Which Kerberos implementation you are using
- Which APPLICATIONS you are using
- How it is configured
- The reverse DNS records

Let's say you're using MIT Kerberos.  Again, details matter here.  What
is the implementation of the Kerberos KDC?  If it is a Unix-based
KDC, you should have access to the logs.

_Depending on how you have things configured_, the client side Kerberos
implementation may just try to canonicalize the name based on the
forward DNS, _or_ it may also try the reverse DNS.  At least for MIT
Kerberos, it calls the standard operating system calls to perform those
DNS lookups.  But again the details matter; those MAY consult the local
host file, or they may not.  Your best bet is to look at the KDC logs to
determine what name it is trying to look up, and go from there.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
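
The message above describes forward, then optionally reverse, canonicalization through the operating system's resolver calls. As an added example (not part of the original message and not MIT Kerberos code), this simplified Python model walks the same two steps with `socket.getaddrinfo` and `socket.getnameinfo` and shows which service principal name the result would produce, so it can be compared with the name in the KDC log. The `rdns` switch, the `forward`/`reverse` hooks and the `EXAMPLE.COM` realm are assumptions of the example.

```python
import socket
import sys

def os_forward(host):
    """Forward lookup through the OS resolver; returns (canonical name, sockaddr)."""
    info = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)[0]
    return info[3], info[4]

def os_reverse(sockaddr):
    """Reverse (PTR) lookup through the OS resolver; raises OSError if no name."""
    return socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)[0]

def canonicalize(host, rdns=True, forward=os_forward, reverse=os_reverse):
    """Simplified model of client-side canonicalization: forward lookup,
    then optionally reverse lookup. Returns (name, list of steps taken)."""
    steps = []
    try:
        canon, sockaddr = forward(host)
    except OSError as exc:
        steps.append(f"forward lookup of {host} failed ({exc}); keeping name as typed")
        return host.rstrip(".").lower(), steps
    name = canon or host  # some resolvers return an empty canonical name
    steps.append(f"forward: {host} -> {name} at {sockaddr[0]}")
    if rdns:
        try:
            name = reverse(sockaddr)
            steps.append(f"reverse: {sockaddr[0]} -> {name}")
        except OSError as exc:
            steps.append(f"reverse lookup failed ({exc}); keeping forward name")
    return name.rstrip(".").lower(), steps

def service_principal(service, host, realm, **kw):
    """Principal name a client would request a ticket for after canonicalization."""
    name, _ = canonicalize(host, **kw)
    return f"{service}/{name}@{realm}"

if __name__ == "__main__":
    # Usage: python canon.py <hostname> [REALM]; EXAMPLE.COM is a placeholder realm.
    target = sys.argv[1] if len(sys.argv) > 1 else socket.gethostname()
    realm = sys.argv[2] if len(sys.argv) > 2 else "EXAMPLE.COM"
    for rdns in (True, False):
        name, steps = canonicalize(target, rdns=rdns)
        print(f"rdns={rdns}: host/{name}@{realm}")
        for step in steps:
            print("   ", step)
```

If the two printed names differ, the reverse DNS record is what changes the principal, and the KDC log will show which of them the client actually asked for.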
