Problems with Bind-Kerberos-Windows-Linux
Jürgen Dietl
juergen.dietl at googlemail.com
Mon Dec 6 15:18:38 UTC 2010
Hello Phil,
thanx for your answer.I dont know really what the server offers because I
dont get a valid response:
Frame 2475: 168 bytes on wire (1344 bits), 168 bytes captured (1344 bits)
Ethernet II, Src: xxxxxxxxxxxxxx, Dst: Vmware_xxxxxxxxxxxxxxxxx
Internet Protocol, Src: xxxxxxxxxxxxxxxx, Dst: xxxxxxxxxxxxxxxx
Transmission Control Protocol, Src Port: domain (53), Dst Port: 60357
(60357), Seq: 1, Ack: 1390, Len: 114
Domain Name System (response)
[Request In: 2473]
[Time: 0.001913000 seconds]
Length: 112
Transaction ID: 0x43cf
Flags: 0x8080 (Standard query response, No error)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for
domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 1... .... = Recursion available: Server can do recursive
queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion
was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 1
Authority RRs: 0
Additional RRs: 0
Queries
788-ms-7.78-fb5adae.7b80ec04-febd-11df-18a0-00505699419d: type TKEY,
class IN
Name: 788-ms-7.78-fb5adae.7b80ec04-febd-11df-18a0-00505699419d
Type: TKEY (Transaction Key)
Class: IN (0x0001)
Answers
788-ms-7.78-fb5adae.7b80ec04-febd-11df-18a0-00505699419d: type TKEY,
class ANY
Name: 788-ms-7.78-fb5adae.7b80ec04-febd-11df-18a0-00505699419d
Type: TKEY (Transaction Key)
Class: ANY (0x00ff)
Time to live: 0 time
Data length: 26
Algorithm name: gss-tsig
Signature inception: Jan 1, 1970 01:00:00.000000000
Mitteleuropäische Zeit
Signature expiration: Jan 1, 1970 01:00:00.000000000
Mitteleuropäische Zeit
Mode: GSSAPI
Error: *Bad key*
The Log-File from the DNS-SUSE-Server tells me "wrong principal". Is there a
way to find out what principal it expects?
thanx a lot,
cheers,
Juergen
> GSS-API Generic Security Service Application Program Interface
>> OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
>> Simple Protected Negotiation
>> negTokenInit
>> mechTypes: 3 items
>> MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
>> MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
>> MechType: 1.2.840.113554.1.2.2.3 (KRB5 - Kerberos 5 - *User to User*)
>>
>
>
>> Is this a wanted behavior?
>>
>
> Yes. That's how spnego works. I'm willing to bet the server does not
> actually *pick* u2u - but the client can do it, so offers it during
> negotiation.
>
> I can't help you with your wider question I'm afraid; I don't really
> understand what you're asking. But the user2user stuff is a red herring and
> can be ignored.
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
No. Your client is using SPNego and offering u2u as a *possible* mechanism
to be negotiated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20101206/e7bffc73/attachment.html>
More information about the bind-users
mailing list