kinit without dns

https://www.novabbs.com/devel/article-flat.php?id=458&group=comp.protocols.kerberos#458

From: iop...@gmail.com (Michael B Allen)
Newsgroups: comp.protocols.kerberos
Subject: kinit without dns
Date: Wed, 24 Jan 2024 14:45:11 -0500
Organization: TNet Consulting
Message-ID: <mailman.7.1706125533.2322.kerberos@mit.edu>
References: <CAGMFw4hwaL50oe4zzxU7F2L9BVZG_DG8CuMG47utmQxQ8CBM0w@mail.gmail.com>
 by: Michael B Allen - Wed, 24 Jan 2024 19:45 UTC

Hello,

I use Linux almost exclusively for everything.
DNS points to my Internet router.
However, I also have VMs running AD and various Windows instances just
for testing my software.
All of these test hosts use AD for DNS which forwards to said Internet router.

If I use the following krb5.conf with MIT krb5 packages on CentOS:

[libdefaults]
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt

[realms]
GOGO.LOCO = {
kdc = dc1.gogo.loco
}

where dc1.gogo.loco is AD, trying to run kinit fails:

$ kinit -k -t java31.keytab 'java31$@GOGO.LOCO'
kinit: Pre-authentication failed: Invalid argument while getting
initial credentials

Looking at the network shows:

Protocol Length Info
DNS 80 Standard query 0xd8af A dc1.gogo.loco
DNS 96 Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
KRB5 221 AS-REQ
KRB5 234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
DNS 79 Standard query 0x314d URI _kerberos.GOGO.LOCO
DNS 154 Standard query response 0x314d No such name URI
_kerberos.GOGO.LOCO SOA a.root-servers.net
DNS 91 Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
DNS 166 Standard query response 0xfc89 No such name SRV
_kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
DNS 91 Standard query 0xe601 SRV _kerberos-master._tcp.GOGO.LOCO
DNS 166 Standard query response 0xe601 No such name SRV
_kerberos-master._tcp.GOGO.LOCO SOA a.root-servers.net
DNS 79 Standard query 0x37d8 URI _kerberos.GOGO.LOCO
DNS 154 Standard query response 0x37d8 No such name URI
_kerberos.GOGO.LOCO SOA a.root-servers.net
DNS 91 Standard query 0x54e2 SRV _kerberos-master._udp.GOGO.LOCO
DNS 166 Standard query response 0x54e2 No such name SRV
_kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
DNS 91 Standard query 0xc1d3 SRV _kerberos-master._tcp.GOGO.LOCO
DNS 166 Standard query response 0xc1d3 No such name SRV
_kerberos-master._tcp.GOGO.LOCO SOA a.root-servers.net

As you can see, kinit successfully communicates with the KDC but then
fails over to querying DNS to find one.

Is there any way to get kinit to work without DNS?

Temporarily hacking my prod machines to use DNS for test machines is not ideal.

Ideas?

Mike

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
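An added example, not part of the post above: a small Python check over the packet summary the post shows (copied here as constructed sample input, with the wrapped response lines joined). It pairs each DNS query with its response by transaction ID and reports the Kerberos discovery lookups (_kerberos, _kerberos-master, ...) that were answered "No such name" by a public root server, which is the defender's signal that an internal realm name has left the site resolver and reached the Internet.

```python
import re

# Constructed sample: the capture summary from the post, responses on one line each.
CAPTURE = """\
DNS 80 Standard query 0xd8af A dc1.gogo.loco
DNS 96 Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
KRB5 221 AS-REQ
KRB5 234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
DNS 79 Standard query 0x314d URI _kerberos.GOGO.LOCO
DNS 154 Standard query response 0x314d No such name URI _kerberos.GOGO.LOCO SOA a.root-servers.net
DNS 91 Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
DNS 166 Standard query response 0xfc89 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
"""

QUERY = re.compile(r"^DNS \d+ Standard query (0x[0-9a-f]+) (\w+) (\S+)$")
RESP = re.compile(r"^DNS \d+ Standard query response (0x[0-9a-f]+) (.*)$")
# Owner-name prefixes MIT krb5 uses for realm discovery (URI/SRV records).
KRB_DISCOVERY = ("_kerberos.", "_kerberos-master.", "_kpasswd.", "_kerberos-adm.")
# An NXDOMAIN whose SOA comes from a root server was answered from the public tree.
PUBLIC_AUTH = re.compile(r"\bSOA ([a-m]\.root-servers\.net)\b")


def find_leaked_lookups(capture):
    """Return (name, rrtype, authority) for every Kerberos discovery query
    that was answered 'No such name' with a public root-server SOA."""
    pending = {}   # transaction id -> (queried name, rrtype)
    leaked = []
    for line in capture.splitlines():
        m = QUERY.match(line)
        if m:
            pending[m.group(1)] = (m.group(3), m.group(2))
            continue
        m = RESP.match(line)
        if not m:
            continue   # KRB5 and other non-DNS lines are ignored
        name, rrtype = pending.pop(m.group(1), (None, None))
        if name is None or not name.lower().startswith(KRB_DISCOVERY):
            continue
        auth = PUBLIC_AUTH.search(m.group(2))
        if "No such name" in m.group(2) and auth:
            leaked.append((name, rrtype, auth.group(1)))
    return leaked


def leaked_realms(capture):
    """Realm names exposed by the leaked lookups (labels after the _service/_proto prefix)."""
    realms = set()
    for name, _, _ in find_leaked_lookups(capture):
        labels = name.split(".")
        while labels and labels[0].startswith("_"):
            labels.pop(0)
        realms.add(".".join(labels))
    return sorted(realms)
```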
