Re: domain to realm mappings and DNS (probably a bug)
On Apr 21, 2004, at 5:17 AM, Niklas Edmundsson wrote:
>
> I'm a little confused by heimdal's behaviour regarding when to use DNS
> to get the correct realm name.
>
> If I do kinit/kauth from a machine residing in the domain without
> giving the realm, it gets it right (i.e. it does DNS lookups):
> host.acc.umu.se:~ kauth yada
> yada@ACC.UMU.SE's Password:
>
> However, if I give it a realm it ignores the lookup and thus if I
I think you are describing correct behavior. If you tell it what realm
to use you don't want it doing a DNS lookup behind your back (and
getting info from a spoofed DNS).
Note that what you describe is only an issue for kinit. For service
tickets the realm is based on the machine to be contacted, not your
own, so the defaults should work even at home.
Except for occasional use it's best to put the info in your local
krb5.conf so you don't have to worry about DNS compromises. Then you
can make the defaults work the way you want them to as well.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
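The advice above, to put the domain-to-realm information in the local krb5.conf rather than trusting DNS for it, worked through as a configuration example. This is an added example and not a file from the thread or from the Heimdal project; the realm and domain come from the poster's message, while the KDC hostname kdc.acc.umu.se is a placeholder, and the dns_lookup_realm / dns_lookup_kdc settings are assumed to be supported by the reader's Heimdal version (check krb5.conf(5) for the version in use).

```ini
# Client-side krb5.conf for a host in acc.umu.se (added example, not from the thread).
# Assumption: kdc.acc.umu.se is a placeholder; substitute the realm's real KDC.

[libdefaults]
    default_realm = ACC.UMU.SE
    # Do not ask DNS (TXT _kerberos.<domain>) which realm a host belongs to.
    # A spoofed answer could steer the client to an attacker-chosen realm, which is
    # the "info from a spoofed DNS" risk described in the reply above.
    # (Option assumed present in this Heimdal version; default is true.)
    dns_lookup_realm = false
    # KDC location via SRV records is lower risk (a fake KDC still lacks the realm
    # keys), but pinning it below removes that DNS dependency as well.
    dns_lookup_kdc = false

[realms]
    ACC.UMU.SE = {
        kdc = kdc.acc.umu.se
        admin_server = kdc.acc.umu.se
    }

[domain_realm]
    # Host -> realm mapping used when a service ticket is requested: the realm is
    # taken from the host being contacted (host/foo.acc.umu.se@ACC.UMU.SE), not from
    # the client's own location, so this works from home as well as on campus.
    # The leading-dot entry matches every host under the domain; the bare entry
    # matches the domain name itself.
    .acc.umu.se = ACC.UMU.SE
    acc.umu.se = ACC.UMU.SE
```

With this file in place, `kauth yada` still resolves to yada@ACC.UMU.SE through default_realm, and a service ticket for any host under acc.umu.se is requested from the configured KDC without the library consulting DNS for either the realm or the KDC address. Hosts not covered by [domain_realm] would fall back to the library's default behaviour, so any additional realms the machine needs should be listed explicitly.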