no PTR is needed for TGS-Req in openjdk7?
Weijun Wang weijun.wang at oracle.com
Tue Jul 10 13:30:57 UTC 2012
Hi Roy
In JDK 6 we canonicalize the service host name before requesting a service ticket. In JDK 7 we don't, for security reasons, see http://tools.ietf.org/html/rfc4120#section-1.3. But I don't see how it affects locating the KDC.
Another change is that we always use DNS to locate a KDC if there is none in krb5.conf, i.e. dns_lookup_kdc's default value is now regarded true.
Can you be more specific? tcp dumps are always welcome.
-Max
On 07/10/2012 06:08 PM, Roy Golan wrote:
Hi all,

In our project (www.ovirt.org) we do some Kerberos authentication and we've seen different behavior between jdk6 and 7 in the process of doing the TGS-Req to the KDC. With jdk6, we must have a PTR record for our KDC to run, while using jdk7 we see it's ignoring it.

To check it we have put a wrong record in /etc/hosts for our KDC server, say "1.1.1.1 wrongkdc.example.com" while it should be kdc.example.com, and we saw that jdk6 is failing with PRINCIPALUNKNOWN. The PRINCIPAL in jdk6 is 1.1.1.1/wrongkdc.example.com and with jdk7 is 1.1.1.1/kdc.example.com, which is why it works.

Is this change by design or maybe a bug? Can someone explain if there is no intent of using reverse records (PTR) for the PRINCIPAL in TGS requests?

I can supply tcp dumps if that will help to shed light here.

Thanks,
Roy
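Added example (not code from the thread or from the JDK): a small simulation of the difference Max describes and Roy observed, i.e. how a service principal built from a reverse (PTR) lookup depends on whatever name resolution returns, while one built from the name the application supplied does not. The `host/` service name, the realm and the forward/reverse tables are constructed assumptions; the canonicalization is modelled as forward-then-reverse lookup to illustrate the PTR dependence the thread is about.

```python
# Added example, not from the mailing-list thread or the JDK sources.
# Name resolution is simulated with constructed tables so this runs offline.

REALM = "EXAMPLE.COM"  # assumed realm

# Constructed forward (A) and reverse (PTR) records, standing in for DNS or /etc/hosts.
FORWARD = {"kdc.example.com": "1.1.1.1"}
REVERSE_GOOD = {"1.1.1.1": "kdc.example.com"}
# Roy's experiment: the address maps back to a different name.
REVERSE_POISONED = {"1.1.1.1": "wrongkdc.example.com"}


def canonical_host(host, forward, reverse):
    """Forward-resolve the name, then reverse-resolve the address.

    The returned host name therefore comes from the PTR record, which is the
    behaviour that makes the principal depend on untrusted name resolution.
    """
    addr = forward.get(host.lower())
    if addr is None:
        raise LookupError(f"no address for {host}")
    return reverse.get(addr, host.lower())


def service_principal(service, host, reverse, canonicalize):
    """Build service/host@REALM.

    canonicalize=True mimics the JDK 6 behaviour described in the thread (the
    host comes from the reverse lookup); canonicalize=False mimics JDK 7 (the
    host is used exactly as the application gave it).
    """
    name = canonical_host(host, FORWARD, reverse) if canonicalize else host.lower()
    return f"{service}/{name}@{REALM}"


def compare(host, reverse):
    """Return the principal each behaviour would request for the same host."""
    return {
        "jdk6_style": service_principal("host", host, reverse, canonicalize=True),
        "jdk7_style": service_principal("host", host, reverse, canonicalize=False),
    }


if __name__ == "__main__":
    for label, table in (("correct PTR", REVERSE_GOOD), ("poisoned PTR", REVERSE_POISONED)):
        print(label, compare("kdc.example.com", table))
```

With the poisoned table the canonicalizing client asks the KDC for host/wrongkdc.example.com, which the KDC does not know (Roy's PRINCIPAL UNKNOWN error), whereas the non-canonicalizing client asks for the principal the application actually intended.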