[19920] in Kerberos_V5_Development
Re: Logic behind lib/krb5/os/k5_sendto()
daemon@ATHENA.MIT.EDU (Диля)
Fri Apr 19 04:49:37 2019
Message-ID: <a65b5a2715f9cfcd6d1a715227cc6df0015bbac9.camel@aegee.org>
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: Greg Hudson <ghudson@mit.edu>, krbdev@mit.edu
Date: Fri, 19 Apr 2019 08:49:15 +0000
In-Reply-To: <05104129-9364-8d63-7266-3444c28545d1@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hello Greg,
thanks for your answers. On Monday I asked whether, if k5_sendto receives an answer from a KDC that the realm is non-local,
it retries the other KDCs, here asking the same process over a different transport protocol.
You answered that on a client referral (KDC_ERR_WRONG_REALM) answer, k5_sendto() will return the error response, and
the higher-level logic will (if canonicalization is enabled) retry with the uppercased domain, which will contact the
same KDC.
If krb5kdc determines that the realm is non-local and no canonicalization is done or referrals are issued, does the
client / k5_sendto() retry asking other KDCs, in my case asking the same process over a different transport (UDP→TCP)?
Regards
Дилян
On Thu, 2019-04-18 at 17:48 -0400, Greg Hudson wrote:
> On 4/18/19 5:08 PM, Дилян Палаузов wrote:
> > Does krb5kdc return KDC_ERR_WRONG_REALM?
>
> The MIT KDC only returns KDC_ERR_WRONG_REALM if it looks up the client
> principal and gets a realm referral from the database. This typically
> requires a third-party database module like Samba or FreeIPA.
>
> > Does canonicalization only work if the host where kinit is called has the right dns-domain (so no canonicalization
> > happens if host ab.cd.ef.gh calls “kinit ij@example.org”)?
>
> The client hostname doesn't normally have an impact on AS requests.
>
> > Does the cache also store error answers, like answers about non existing users and answers about NON-LOCAL realms?
>
> Yes; it just maps request packets to reply packets, so any kind of reply
> packet is cached.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
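Added example (not part of the thread, and not MIT krb5 code): a small Python model of the path Dilyan is asking about. On the client side the model tries every configured KDC over UDP before any over TCP, hands back the first well-formed reply of any kind, and goes to TCP only after a KRB_ERR_RESPONSE_TOO_BIG (RFC 4120 section 7.2.1); above that, the AS exchange re-sends a KDC_ERR_WRONG_REALM reply to the realm carried in the error's crealm field (RFC 6806 section 7), and only when canonicalization is on. On the KDC side every reply is cached keyed by the request, errors included, as Greg describes. The error-code values are the real ones; the class and function names, the datagram and reply sizes, the five-hop referral bound, and the hosts kdc0/kdc1 with the principal ij@example.org are assumptions made up for the illustration.

```python
"""Toy model of the send loop asked about above: the client side of
krb5_sendto_kdc() and of the AS exchange, plus a KDC with a lookaside cache.
Added illustration, not MIT krb5 code; see the note above for what is assumed."""
from dataclasses import dataclass, field

# Real error-code values from RFC 4120 section 7.5.9.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KRB_ERR_RESPONSE_TOO_BIG = 52
KDC_ERR_WRONG_REALM = 68

@dataclass(frozen=True)
class Request:               # stands in for the encoded AS-REQ packet
    client: str
    realm: str
    canonicalize: bool = False

@dataclass(frozen=True)
class Reply:                 # AS-REP or KRB-ERROR; `realm` plays crealm
    kind: str
    code: int = 0
    realm: str = ""
    data: str = ""

@dataclass
class ModelKDC:
    """`referrals`: client realm -> realm a DB module (Samba, FreeIPA) refers to."""
    name: str
    principals: set
    referrals: dict = field(default_factory=dict)
    reachable: bool = True
    rep_size: int = 32       # bytes of AS-REP this KDC produces (toy value)
    max_udp: int = 64        # largest reply it will send in one datagram
    lookaside: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def handle(self, req, transport):
        reply = self.lookaside.get(req)
        if reply is None:
            reply = self.process(req)
            self.lookaside[req] = reply      # every reply kind is cached
            self.log.append(("process", transport))
        else:
            self.log.append(("lookaside", transport))
        # Size check after the lookup: the full reply stays cached and is
        # served over TCP; over UDP it is replaced by the error.
        if transport == "udp" and len(reply.data) > self.max_udp:
            return Reply("KRB-ERROR", KRB_ERR_RESPONSE_TOO_BIG)
        return reply

    def process(self, req):
        if "%s@%s" % (req.client, req.realm) in self.principals:
            return Reply("AS-REP", data="A" * self.rep_size)
        if req.realm in self.referrals:
            return Reply("KRB-ERROR", KDC_ERR_WRONG_REALM,
                         realm=self.referrals[req.realm])
        return Reply("KRB-ERROR", KDC_ERR_C_PRINCIPAL_UNKNOWN)

def sendto_kdc(req, kdcs, trace, tcp_only=False):
    """Every KDC over UDP, then every KDC over TCP.  The first well-formed reply
    of any kind ends the loop; only RESPONSE_TOO_BIG over UDP forces a TCP pass."""
    for transport in (["tcp"] if tcp_only else ["udp", "tcp"]):
        for kdc in kdcs:
            trace.append("%s %s" % (transport, kdc.name))
            reply = kdc.handle(req, transport) if kdc.reachable else None
            if reply is None:
                continue                      # silence: try the next KDC
            if transport == "udp" and reply.code == KRB_ERR_RESPONSE_TOO_BIG:
                return sendto_kdc(req, kdcs, trace, tcp_only=True)
            return reply
    return None

def get_init_creds(req, kdcs_for_realm, trace):
    """KDC_ERR_WRONG_REALM is re-sent to the realm named in the error only when
    canonicalization is on; every other error goes straight to the caller."""
    for _ in range(5):                        # assumed bound on referral hops
        reply = sendto_kdc(req, kdcs_for_realm(req.realm), trace)
        if reply is None:
            raise RuntimeError("no KDC answered")
        if not (req.canonicalize and reply.code == KDC_ERR_WRONG_REALM):
            return reply
        req = Request(req.client, reply.realm, canonicalize=True)
    raise RuntimeError("too many referrals")

def scenario_referral(canonicalize):
    """kinit ij@example.org run twice (constructed data): kdc0 is down, kdc1
    refers example.org to EXAMPLE.ORG and answers for the latter."""
    kdc0 = ModelKDC("kdc0", set(), reachable=False)
    kdc1 = ModelKDC("kdc1", {"ij@EXAMPLE.ORG"},
                    referrals={"example.org": "EXAMPLE.ORG"})
    req, trace = Request("ij", "example.org", canonicalize), []
    replies = [get_init_creds(req, lambda realm: [kdc0, kdc1], trace)
               for _ in range(2)]
    return replies, trace, kdc1.log

def scenario_too_big():
    """An AS-REP too large for one datagram, fetched twice: the one case that
    moves the client to TCP, served from the cached full reply."""
    kdc = ModelKDC("kdc1", {"ij@EXAMPLE.ORG"}, rep_size=200, max_udp=64)
    req, trace = Request("ij", "EXAMPLE.ORG"), []
    first, second = (sendto_kdc(req, [kdc], trace) for _ in range(2))
    return first, second, trace, kdc.log
```

In this model scenario_referral(False) traces one UDP attempt per configured KDC until the first answer and no TCP attempt at all: the KRB-ERROR itself is what the caller gets, and the second identical request is answered from the KDC's lookaside entry rather than processed again. With canonicalization on, the retry goes to the referred realm, which here resolves to the same kdc1 and the same UDP transport. The only "tcp" entries in any trace come from scenario_too_big(), where the KDC's full reply stays in the cache and is handed out on the TCP pass.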