no PTR is needed for TGS-Req in openjdk7?

Roy Golan rgolan at redhat.com
Tue Jul 10 10:08:45 UTC 2012


Hi all,

In our project (www.ovirt.org) we do some Kerberos authentication and 
we've seen different behavior between jdk6 and 7 in the process
of doing the TGS-Req to the KDC. With jdk6, we must have a PTR record 
for our KDC to run, while using jdk7 we see it's ignoring it.
To check it we have put a wrong record in /etc/hosts for our KDC server, 
say "1.1.1.1 wrongkdc.example.com" while it should be kdc.example.com, and
we saw that jdk6 is failing with PRINCIPAL_UNKNOWN. The PRINCIPAL in 
jdk6 is 1.1.1.1/wrongkdc.example.com and with
jdk7 is 1.1.1.1/kdc.example.com, which is why it works.

Is this change by design or maybe a bug? Can someone explain if 
there is no intent
of using reverse records (PTR) for the PRINCIPAL in TGS requests?

I can supply tcp dumps if that will help to shed light here.

Thanks,
Roy



