no PTR is needed for TGS-Req in openjdk7?

Roy Golan rgolan at redhat.com
Wed Jul 11 06:31:14 UTC 2012


On 07/10/2012 04:30 PM, Weijun Wang wrote:
> Hi Roy
>
> In JDK 6 we canonicalize the service host name before requesting a 
> service ticket. In JDK 7 we don't, for security reasons, see 
> http://tools.ietf.org/html/rfc4120#section-1.3. But I don't see how it 
> affects locating the KDC.
>

> Another change is that we always use DNS to locate a KDC if there is 
> none in krb5.conf, i.e. dns_lookup_kdc's default value is now regarded 
> true.
>
> Can you be more specific? tcp dumps are always welcome.
>
Attached are 2 dumps, one for each JDK.

My krb5.conf has dns_lookup_kdc = true and my KDC is also specified in 
the domain section.

We have an active directory server which is also the DNS server. The SRV 
records are all fine and point to the right KDC and LDAP.

Resolving the KDC address is not a problem but we must have back 
resolving too (as for jdk6...). To do that I have put a record in my 
/etc/hosts: 10.35.64.1 xxqa1.qa.lab###. I'm intentionally putting a wrong 
record of course, just to prove the behavior.

Look at the dumps and you will see that jdk6 used the record in 
/etc/hosts in the KDC_REQ_BODY, so the request is for server 
ldap/xxqa1.qa.lab### and jdk7 just uses the correct ldap/qa1.qa.lab####.



> -Max
>
> On 07/10/2012 06:08 PM, Roy Golan wrote:
>> Hi all,
>>
>> In our project (www.ovirt.org) we do some kerberos authentication and
>> we've seen different behavior between jdk6 and 7 in the process
>> of doing the TGS-Req to the KDC. With jdk6, we must have a PTR record
>> for our KDC to run, while using jdk7 we see it's ignoring it.
>> To check it we have put a wrong record in /etc/hosts for our KDC server,
>> say "1.1.1.1 wrongkdc.example.com" while it should be kdc.example.com 
>> and
>> we saw that jdk6 is failing with PRINCIPAL_UNKNOWN. The PRINCIPAL in
>> jdk6 is 1.1.1.1/wrongkdc.example.com and with
>> jdk7 is 1.1.1.1/kdc.example.com which is why it works.
>>
>> Is this change by design or maybe a bug? Can someone explain if
>> there is no intent
>> of using reverse records (PTR) for the PRINCIPAL in TGS requests?
>>
>> I can supply tcp dumps if that will help to shed light here.
>>
>> Thanks,
>> Roy
>>
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: jdk7.kerberos.cap
Type: application/vnd.tcpdump.pcap
Size: 7041 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20120711/50fd5c93/jdk7.kerberos.cap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jdk6.kerberos.cap
Type: application/vnd.tcpdump.pcap
Size: 5807 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20120711/50fd5c93/jdk6.kerberos.cap>
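The exchange above describes two behaviours: JDK 6 canonicalizing the service host name through a forward lookup followed by a reverse lookup before building the sname in the TGS-REQ body, and JDK 7 using the name the application supplied, as RFC 4120 section 1.3 recommends. The following is an added example, not code from the thread or from OpenJDK, that models both behaviours with a fake resolver fed from a constructed /etc/hosts text, so the observed PRINCIPAL_UNKNOWN failure can be reproduced offline. The hosts file content, the realm EXAMPLE.COM, the KDC database set, the `FakeResolver` class and the simplified `kdc_lookup` answer are all assumptions made for the illustration; the host names kdc.example.com and wrongkdc.example.com are the ones Roy used in his first message.

```python
# Added example (not from the thread or OpenJDK): simulate how the service
# host name becomes the sname of a TGS-REQ under JDK 6-style
# canonicalization (forward + reverse lookup) and JDK 7-style verbatim use.
# No real DNS is touched; the resolver is backed by constructed data.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

KDC_ERR_S_PRINCIPAL_UNKNOWN = 7  # error code defined in RFC 4120 section 7.5.9


def parse_hosts(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Parse /etc/hosts-style text into (forward, reverse) maps.

    forward: every name on a line maps to that line's address.
    reverse: an address maps to the first name on the first line that lists
    it, which is what a reverse lookup against the hosts file returns.
    """
    forward: Dict[str, str] = {}
    reverse: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            forward.setdefault(name.lower(), addr)
        if names:
            reverse.setdefault(addr, names[0].lower())
    return forward, reverse


@dataclass
class FakeResolver:
    """Assumed stand-in for the system resolver (hosts file + DNS)."""
    forward: Dict[str, str]
    reverse: Dict[str, str]

    def gethostbyname(self, host: str) -> Optional[str]:
        return self.forward.get(host.lower())

    def gethostbyaddr(self, addr: str) -> Optional[str]:
        return self.reverse.get(addr)


def jdk6_style_sname(service: str, host: str, realm: str, resolver: FakeResolver) -> str:
    """JDK 6 behaviour as described in the thread: resolve the host to an
    address, reverse-resolve that address, and use whatever name comes back.
    A hosts-file or PTR entry therefore decides which principal is requested."""
    addr = resolver.gethostbyname(host)
    canonical = resolver.gethostbyaddr(addr) if addr else None
    return f"{service}/{canonical or host.lower()}@{realm}"


def jdk7_style_sname(service: str, host: str, realm: str) -> str:
    """JDK 7 behaviour: the application-supplied name is used verbatim."""
    return f"{service}/{host.lower()}@{realm}"


def kdc_lookup(sname: str, known_principals: Set[str]) -> Tuple[str, int]:
    """Simplified KDC: issue a ticket only for principals in its database,
    otherwise answer with a KRB-ERROR carrying KDC_ERR_S_PRINCIPAL_UNKNOWN."""
    if sname in known_principals:
        return ("TGS-REP", 0)
    return ("KRB-ERROR", KDC_ERR_S_PRINCIPAL_UNKNOWN)


def reverse_matches_forward(host: str, resolver: FakeResolver) -> bool:
    """Check whether canonicalization would leave the name unchanged, i.e.
    whether forward and reverse resolution agree for this host."""
    addr = resolver.gethostbyname(host)
    return addr is not None and resolver.gethostbyaddr(addr) == host.lower()


# Constructed hosts file reproducing the thread's deliberately wrong entry.
HOSTS_TEXT = """
127.0.0.1   localhost
1.1.1.1     wrongkdc.example.com   # intentionally wrong reverse name
"""
REALM = "EXAMPLE.COM"  # assumed realm
# Assumed KDC database: only the real LDAP service principal exists.
KDC_DATABASE = {"ldap/kdc.example.com@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM"}


def build_resolver() -> FakeResolver:
    forward, reverse = parse_hosts(HOSTS_TEXT)
    # The real name is still resolvable (as DNS would do); the hosts-file
    # entry only affects the reverse direction.
    forward.setdefault("kdc.example.com", "1.1.1.1")
    return FakeResolver(forward, reverse)


def simulate(service: str = "ldap", host: str = "kdc.example.com") -> Dict[str, Tuple[str, Tuple[str, int]]]:
    """Return the sname each JDK would send and the simulated KDC answer."""
    resolver = build_resolver()
    s6 = jdk6_style_sname(service, host, REALM, resolver)
    s7 = jdk7_style_sname(service, host, REALM)
    return {"jdk6": (s6, kdc_lookup(s6, KDC_DATABASE)),
            "jdk7": (s7, kdc_lookup(s7, KDC_DATABASE))}


if __name__ == "__main__":
    for jdk, (sname, answer) in simulate().items():
        print(f"{jdk}: sname={sname} -> {answer}")
    print("reverse consistent:", reverse_matches_forward("kdc.example.com", build_resolver()))
```

Run as-is, the JDK 6 path requests ldap/wrongkdc.example.com@EXAMPLE.COM and gets error code 7, while the JDK 7 path requests ldap/kdc.example.com@EXAMPLE.COM and gets a TGS-REP, which is the difference the two capture files show. `reverse_matches_forward` is the check to run on a host before blaming the JDK: if it returns False, any client that canonicalizes through reverse lookups will ask for a principal the KDC may not have.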

