[32768] in Kerberos
Re: What are the issues with dns_lookup_realm ?
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Mon Oct  4 17:27:49 2010
Message-ID: <4CAA46C9.3070504@secure-endpoints.com>
Date: Mon, 04 Oct 2010 17:27:37 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: kerberos@mit.edu
In-Reply-To: <20101004211137.GA7523@talktalkplc.com>
On 10/4/2010 5:11 PM, Brian Candler wrote:
> On Mon, Oct 04, 2010 at 12:57:17PM -0400, Greg Hudson wrote:
>> On Mon, 2010-10-04 at 07:01 -0400, Brian Candler wrote:
>>> (1) What DNS lookups are made by the workstation and/or the server when a
>>> connection takes place?
>>
>> pc.foo.example.com looks up a TXT record for
>> _kerberos.server.bar.example.com.
>
> OK, that makes sense. The server doesn't care anything about the hostname/IP
> of the client, as the client has already authenticated into a particular
> realm.  But the client has to work out which realm the server belongs to,
> and to trade tickets as necessary to prove its identity to the server in
> another realm.
>
> Which brings me to an aside: does this mean that all communication is
> initiated by the client to each KDC, except for the final server to its KDC?
> There's no KDC to KDC traffic?
There is no server to KDC traffic. It is all client to KDC.
> I'm particularly interested whether I can
> make the following scenario work with a NAT/PAT firewall:
>
>                               NAT>
>                               +-+
>     client  ----------------> | | ----------------> server
>                               | |
>                               | |
>      KDC for                  | |          KDC for
>   FOO.EXAMPLE.COM             | |      BAR.EXAMPLE.COM
>                               +-+
>
> If the communication goes
>   client -> KDC FOO
>   client -> KDC BAR
>   server -> KDC BAR
> then I think it should work. I'll need a more complex testbed to try it out
> though :-)
>
client -> server
client -> KDC FOO
client -> KDC BAR
client -> server
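The two points the thread settles, the TXT-record walk a client performs when dns_lookup_realm is enabled and the fact that every exchange is client-initiated, are modelled in the following Python. This is an added example, not code from the thread or from MIT krb5; it uses a constructed in-memory resolver instead of real DNS, and the order of TXT queries (`_kerberos.<host>`, then each parent domain) is stated here as an assumption about the krb5 behaviour the reply describes.

```python
"""Added example: host-to-realm mapping via _kerberos TXT records and the
resulting client-to-KDC traffic, as described in the thread above."""

from typing import Dict, List, Optional, Tuple

# Constructed sample zone data standing in for real DNS answers.
# Keys are TXT owner names, values are the realm the record advertises.
SAMPLE_TXT_RECORDS: Dict[str, str] = {
    "_kerberos.bar.example.com": "BAR.EXAMPLE.COM",
    "_kerberos.foo.example.com": "FOO.EXAMPLE.COM",
}


def txt_lookup_candidates(hostname: str) -> List[str]:
    """Names queried for a host, most specific first.

    Assumption: the client tries _kerberos.<host> and then _kerberos.<each
    parent domain> until a TXT answer is found.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def dns_lookup_realm(hostname: str,
                     resolver: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Return (realm, queries_made); realm is None when nothing answered.

    Caveat for defenders: these TXT answers are unauthenticated unless DNSSEC
    validation is in place, which is why a static [domain_realm] mapping is
    normally preferred and dns_lookup_realm is left off by default.
    """
    queried: List[str] = []
    for name in txt_lookup_candidates(hostname):
        queried.append(name)
        realm = resolver.get(name)
        if realm:
            return realm, queried
    return None, queried


def kdc_exchanges(client_realm: str, server_realm: str,
                  server: str) -> List[Tuple[str, str, str]]:
    """Messages the client must send for a cross-realm service, in order.

    Every tuple is (source, destination, purpose). There is never a tuple with
    the application server as source: as the reply says, the server does not
    talk to any KDC, it only verifies the ticket the client presents.
    """
    flows = [
        ("client", f"KDC {client_realm}", "AS-REQ: TGT for the client's own realm"),
    ]
    if server_realm != client_realm:
        flows.append(("client", f"KDC {client_realm}",
                      f"TGS-REQ: cross-realm TGT for {server_realm}"))
        flows.append(("client", f"KDC {server_realm}",
                      f"TGS-REQ: service ticket for host/{server}"))
    else:
        flows.append(("client", f"KDC {client_realm}",
                      f"TGS-REQ: service ticket for host/{server}"))
    flows.append(("client", "server", "AP-REQ: present the service ticket"))
    return flows


def nat_allow_list(flows: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Distinct (source, destination) pairs the NAT must permit outbound.

    Useful as a check when reviewing firewall rules: if every source is
    'client', the server side needs no outbound rule towards any KDC.
    """
    return sorted({(src, dst) for src, dst, _ in flows})


if __name__ == "__main__":
    realm, queries = dns_lookup_realm("server.bar.example.com", SAMPLE_TXT_RECORDS)
    print("TXT queries issued:", queries)
    print("realm for server:", realm)
    for src, dst, why in kdc_exchanges("FOO.EXAMPLE.COM", realm or "", "server.bar.example.com"):
        print(f"{src} -> {dst}: {why}")
    print("NAT allow list:", nat_allow_list(
        kdc_exchanges("FOO.EXAMPLE.COM", "BAR.EXAMPLE.COM", "server.bar.example.com")))
```

Running it with the constructed zone shows the first query going to `_kerberos.server.bar.example.com` (the name Greg Hudson mentions), the realm being found one level up at `_kerberos.bar.example.com`, and an allow list whose sources are all `client`, which is the property that makes the NAT scenario in the diagram workable.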
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos