no PTR is needed for TGS-Req in openjdk7?
Weijun Wang
weijun.wang at oracle.com
Tue Jul 10 13:30:57 UTC 2012
Hi Roy
In JDK 6 we canonicalize the service host name before requesting for a
service ticket. In JDK 7 we don't, for security reasons, see
http://tools.ietf.org/html/rfc4120#section-1.3. But I don't see how it
affects locating the KDC.
Another change is that we always use DNS to locate a KDC if there is
none in krb5.conf, i.e. dns_lookup_kdc's default value is now regarded true.
Can you be more specific? tcp dumps are always welcomed.
-Max
On 07/10/2012 06:08 PM, Roy Golan wrote:
> I all,
>
> In our project (www.ovirt.org) we do some kerberos authentication and
> we've seen different behavior between jdk6 and 7 in the process
> of doing the TGS-Req to the KDC. with jdk6, wh must have a PTR record
> for our KDC to run while using jdk7 we see its ignoring it.
> To check it we have put a wrong record in /etc/hosts for our KDC server,
> say "1.1.1.1 wrongkdc.example.com" while it should be kdc.example.com and
> we saw that jdk6 is failing with PRINCIPAL_UKNOWN . the PRINCIPAL in
> jdk6 is 1.1.1.1/wrongkdc.example.com and with
> jdk7 is 1.1.1.1/kdc.example.com which is why it works.
>
> is this a change is by design or maybe a bug? can someone explain if
> there is no intent
> of using reverse records (PTR) for the PRINCIPAL in TGS requests?
>
> I can supply tcp dumps if that will help to shed light here.
>
> Thanks,
> Roy
>
More information about the security-dev
mailing list