Need clarification on "dns_lookup_kdc" and "dns_lookup_realm" tags in krb5.conf file - Kerberos



Thread: Need clarification on "dns_lookup_kdc" and "dns_lookup_realm" tags in krb5.conf file

  1. Need clarification on "dns_lookup_kdc" and "dns_lookup_realm" tags in krb5.conf file

    Hi All,

    My krb5.conf file looks like:

    [libdefaults]
    default_realm = kerb.COM
    clockskew = 300
    dns_lookup_kdc = false
    dns_lookup_realm = false
    [realms]
    kerb.cOM = {
    kdc = 192.168.1.64
    }

    In the file above, I am specifying false values for both
    "dns_lookup_kdc" and "dns_lookup_realm". My requirement is not to use
    DNS for kdc and realm. When I capture the packets, there are
    no DNS queries from client and AS-REQ and AS-REP are seen and I am
    able to get the TGT.

    If I don't specify these tags as in the below file,

    [libdefaults]
    default_realm = kerb.COM
    clockskew = 300
    [realms]
    kerb.cOM = {
    kdc = 192.168.1.64
    }

    I see that along with the AS-REQ and AS-REP packets, the client is sending
    "Standard query SRV _kerberos-master._udp.kerb.com" to the KDC, and the KDC
    is replying "no such name". Does this mean that, as I have not specified
    the DNS tags in the file, the client is trying to use DNS? As my requirement
    is not to use DNS at any time, do I have to specify "dns_lookup_kdc =
    false" and "dns_lookup_realm = false"?

    Packet flow for the above scenario is:
    client <-> KDC AS-REQ
    KDC <-> client Pre-Auth required
    client <-> KDC "Standard query SRV _kerberos-master._udp.kerb.com"
    KDC <-> client "no such name"
    client <-> KDC AS-REQ
    KDC <-> client AS-REP


    Thanks.


  2. Re: Need clarification on "dns_lookup_kdc" and "dns_lookup_realm" tags in krb5.conf file

    On 2006-12-17 06:15:42 +0100, sandypossible@gmail.com said:

    > I see that along with the AS-REQ and AS-REP packets, the client is sending
    > "Standard query SRV _kerberos-master._udp.kerb.com" to the KDC, and the KDC
    > is replying "no such name". Does this mean that, as I have not specified
    > the DNS tags in the file, the client is trying to use DNS? As my requirement
    > is not to use DNS at any time, do I have to specify "dns_lookup_kdc =
    > false" and "dns_lookup_realm = false"?
    >
    > Packet flow for the above scenario is:
    > client <-> KDC AS-REQ
    > KDC <-> client Pre-Auth required
    > client <-> KDC "Standard query SRV _kerberos-master._udp.kerb.com"
    > KDC <-> client "no such name"
    > client <-> KDC AS-REQ
    > KDC <-> client AS-REP


    I'd say yes. It should be no harm, at least if you're not planning to
    minimize the number of packets.

    --
    Sensei

    Research (n.): a discovery already published by a Chinese guy one month
    before you, copying a Russian who did it in the 60s.


  3. Re: Need clarification on "dns_lookup_kdc" and "dns_lookup_realm" tags in krb5.conf file

    Hi Sensei,

    > I'd say yes. It should be no harm, at least if you're not planning to
    > minimize the number of packets.

    Thanks for the quick reply. I need a clarification on your reply.
    Do you mean I should specify the "dns_lookup_kdc = false" and
    "dns_lookup_realm = false" tags as I do not want to use DNS? Or, as I
    have specified the realm and KDC address in the file, will DNS not be used
    even if I do not specify these tags? Which will have more priority:
    the realm and KDC address specified in the file, or DNS?

    Thanks
    sandy.


    Sensei wrote:
    > On 2006-12-17 06:15:42 +0100, sandypossible@gmail.com said:
    >
    > > I see that along with the AS-REQ and AS-REP packets, the client is sending
    > > "Standard query SRV _kerberos-master._udp.kerb.com" to the KDC, and the KDC
    > > is replying "no such name". Does this mean that, as I have not specified
    > > the DNS tags in the file, the client is trying to use DNS? As my requirement
    > > is not to use DNS at any time, do I have to specify "dns_lookup_kdc =
    > > false" and "dns_lookup_realm = false"?
    > >
    > > Packet flow for the above scenario is:
    > > client <-> KDC AS-REQ
    > > KDC <-> client Pre-Auth required
    > > client <-> KDC "Standard query SRV _kerberos-master._udp.kerb.com"
    > > KDC <-> client "no such name"
    > > client <-> KDC AS-REQ
    > > KDC <-> client AS-REP

    >
    > I'd say yes. It should be no harm, at least if you're not planning to
    > minimize the number of packets.
    >



  4. Re: Need clarification on "dns_lookup_kdc" and "dns_lookup_realm" tags in krb5.conf file

    It is not clear from the admin docs

    http://web.mit.edu/kerberos/krb5-1.5...ml#libdefaults

    but the contents of the krb5.conf file are always used in preference to
    DNS. If you have kdc entries for the realm in question, DNS will not be
    queried for that realm. DNS is only queried if there are no kdc entries
    for the realm in question and dns_lookup_kdc is TRUE.

    dns_lookup_realm is used to indicate that DNS SRV records should be used
    when there is no matching domain to realm mapping in the krb5.conf file.

    Jeffrey Altman


    sandypossible@gmail.com wrote:
    > Hi Sensei,
    >
    >> I'd say yes. It should be no harm, at least if you're not planning to
    >> minimize the number of packets.

    > Thanks for the quick reply. I need a clarification on your reply.
    > Do you mean I should specify the "dns_lookup_kdc = false" and
    > "dns_lookup_realm = false" tags as I do not want to use DNS? Or, as I
    > have specified the realm and KDC address in the file, will DNS not be used
    > even if I do not specify these tags? Which will have more priority:
    > the realm and KDC address specified in the file, or DNS?
    >
    > Thanks
    > sandy.
    >
    >
    > Sensei wrote:
    >> On 2006-12-17 06:15:42 +0100, sandypossible@gmail.com said:
    >>
    >>> I see that along with the AS-REQ and AS-REP packets, the client is sending
    >>> "Standard query SRV _kerberos-master._udp.kerb.com" to the KDC, and the KDC
    >>> is replying "no such name". Does this mean that, as I have not specified
    >>> the DNS tags in the file, the client is trying to use DNS? As my requirement
    >>> is not to use DNS at any time, do I have to specify "dns_lookup_kdc =
    >>> false" and "dns_lookup_realm = false"?
    >>>
    >>> Packet flow for the above scenario is:
    >>> client <-> KDC AS-REQ
    >>> KDC <-> client Pre-Auth required
    >>> client <-> KDC "Standard query SRV _kerberos-master._udp.kerb.com"
    >>> KDC <-> client "no such name"
    >>> client <-> KDC AS-REQ
    >>> KDC <-> client AS-REP

    >> I'd say yes. It should be no harm, at least if you're not planning to
    >> minimize the number of packets.
    >>

    >

