Re: Heimdal and IPv6
On "Sat, 25 Oct 2008 16:27:38 +0100",
Roy Marples <roy%marples.name@localhost> wrote:
>I've installed NetBSD-4.99.73 on an AMD64 server, correctly configured
>as an IPv4 and IPv6 gateway.
>As Heimdal comes in the base system, I played around a little and have
>it working sweet except for one detail - kerberos fails over IPv6
>$ telnet -ax ip6.marples.name
>Connected to ip6.marples.name.
>Escape character is '^]'.
>[ Trying KERBEROS5 ... ]
>[ Kerberos V5 refuses authentication because Read req failed: Key table
>entry not found ]
I'm guessing here that "ip6.marples.name" isn't the actual hostname of
the host in question, and that the name used over IPv4 is. If this is
the case, then this is normal behavior for Kerberos. With Kerberos (or
at least all of the variants I've worked with) a host has One True
Name and it should point to all the A and AAAA addresses for that
machine that the kerberized apps listen on.
># ktutil l
>Vno Type Principal
> 1 des-cbc-md5 host/ip6.marples.name%MARPLES.NAME@localhost
> 1 des-cbc-md4 host/ip6.marples.name%MARPLES.NAME@localhost
> 1 des-cbc-crc host/ip6.marples.name%MARPLES.NAME@localhost
> 1 aes256-cts-hmac-sha1-96 host/ip6.marples.name%MARPLES.NAME@localhost
> 1 des3-cbc-sha1 host/ip6.marples.name%MARPLES.NAME@localhost
> 1 arcfour-hmac-md5 host/ip6.marples.name%MARPLES.NAME@localhost
>$ host ip6.marples.name
>ip6.marples.name has IPv6 address fee1::209:5bff:fe84:887d
>$ host fee1::209:5bff:fe84:887d
>domain name pointer ip6.marples.name.
This looks like the problem. The host lookup of the hostname should
return all addresses for the machine. And the lookup of each address
needs to return the hostname of the machine. If you're looking up an
alternate name for the host, it should be okay with it returning
only one or some of the addresses, but each address must reverse
lookup to the actual hostname.
>Adding the principal host/fee1::209:5bff:fe84:887d then gives
>[ Kerberos V5 refuses authentication because Read req failed: Decrypt
>integrity check failed ]
This is expected; host only works with names, not addresses.
Change the reverse lookups to point to the actual hostname and add the
rest of the A and AAAA records to the actual hostname's entry.
Also, if you've done any redundant records in /etc/hosts, make sure
>Worth filing a PR?
Doubt it. This seems more like something that should go in the
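As an added illustration of the "One True Name" rule the reply describes (not code from the thread or from Heimdal), the following script checks a set of forward and reverse DNS records for the inconsistencies that break host/<name> authentication. The hostnames and addresses are constructed sample data modelled on the thread, and the maps would normally be filled from DNS.

```python
import socket
from typing import Dict, List

def addresses_from_dns(hostname: str) -> List[str]:
    """Live helper: every A and AAAA address a name resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def check_host_principal_names(canonical: str,
                               forward: Dict[str, List[str]],
                               reverse: Dict[str, str]) -> List[str]:
    """Return the list of inconsistencies (empty when the setup is sound).
    canonical: the host's One True Name, i.e. the name in host/<name>@REALM
    forward:   name -> A/AAAA addresses that name resolves to
    reverse:   address -> PTR name
    """
    problems: List[str] = []
    canon_addrs = set(forward.get(canonical, []))
    if not canon_addrs:
        problems.append(f"{canonical} has no A or AAAA records")
    # Aliases may carry a subset of the addresses, but every address of the
    # machine must appear under the canonical name and reverse to it.
    all_addrs = {addr for addrs in forward.values() for addr in addrs}
    for addr in sorted(all_addrs):
        ptr = reverse.get(addr)
        if ptr is None:
            problems.append(f"{addr} has no PTR record")
        elif ptr.rstrip(".") != canonical:
            problems.append(f"{addr} reverses to {ptr}, not {canonical}")
        if addr not in canon_addrs:
            problems.append(f"{addr} is missing from the records of {canonical}")
    return problems

# Constructed sample data modelled on the thread: the IPv4 name is the
# canonical one, and an IPv6-only alias has a PTR of its own.
BROKEN_FORWARD = {"host.example.test": ["192.0.2.10"],
                  "ip6.example.test": ["2001:db8::1"]}
BROKEN_REVERSE = {"192.0.2.10": "host.example.test",
                  "2001:db8::1": "ip6.example.test"}

# The fix the reply recommends: add the AAAA to the canonical name and
# point the IPv6 PTR at it (the alias may keep its own AAAA).
FIXED_FORWARD = {"host.example.test": ["192.0.2.10", "2001:db8::1"],
                 "ip6.example.test": ["2001:db8::1"]}
FIXED_REVERSE = {"192.0.2.10": "host.example.test",
                 "2001:db8::1": "host.example.test"}

if __name__ == "__main__":
    print(check_host_principal_names("host.example.test", BROKEN_FORWARD, BROKEN_REVERSE))
    print(check_host_principal_names("host.example.test", FIXED_FORWARD, FIXED_REVERSE))
```

To check a real host, build the forward map with addresses_from_dns() for the canonical name and each alias, and the reverse map with socket.gethostbyaddr() for every address.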