From Fedora Project Wiki
Latest revision as of 11:09, 9 May 2013
Description
Demonstrate that MIT Kerberos 1.11 reverts to default behavior (rather than categorically rejecting the authentication) in the scenario where:
- The client does not present a domain name to authenticate against.
- Reverse DNS is enabled in /etc/krb5.conf
- The server does not have a PTR record on the DNS server.
Setup
- Perform prerequisite setup before you run this test.
- You need a realm user or administrator account.
- Make sure you have krb5-workstation-1.11 or later installed. You also need openldap-clients in order to use the 'ldapwhoami' command.
- Make note of the DNS name for a domain controller on your domain:
$ host -t SRV _kerberos._udp.domain.example.com
- Make note of the IP address of the domain controller you chose above:
$ host dc.example.com
- Now verify that the reverse DNS record for that IP address does not exist or does not match that of your domain controller:
$ host -t PTR X.X.X.X
- If it does match, then either find a way to break the mapping (if you set it up yourself) or skip this test.
- Verify that /etc/krb5.conf exists, and contains this line in the [libdefaults] section:
rdns = false
- If the file does not exist, reinstall krb5-libs:
$ sudo yum reinstall krb5-libs
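The setup steps above amount to three checks: resolve the domain controller, confirm that the PTR record for its address is either missing or names a different host, and confirm that rdns = false is present in [libdefaults]. The script below is an added example and is not part of the wiki page; its parsing helpers run on constructed input (the krb5.conf text and the host answers in it are made up for the example), and the check_dc_rdns function at the end does the live lookups, assuming the host command from bind-utils and its usual answer format.

```shell
#!/bin/sh
# Added example, not part of the Fedora wiki page.
# Parsing helpers are shown on constructed input; check_dc_rdns at the end
# does the live lookups and assumes the `host` command from bind-utils.

# Constructed /etc/krb5.conf, modelled on the stock Fedora layout
sample_krb5_conf() {
    cat <<'EOF'
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 rdns = false
 default_realm = AD.EXAMPLE.COM

[realms]
 AD.EXAMPLE.COM = {
  kdc = dc.example.com
 }
EOF
}

# Constructed `host -t PTR` answers for the three cases the setup distinguishes
SAMPLE_PTR_MATCH='4.3.2.1.in-addr.arpa domain name pointer dc.example.com.'
SAMPLE_PTR_OTHER='4.3.2.1.in-addr.arpa domain name pointer old-name.example.com.'
SAMPLE_PTR_NXDOMAIN='Host 4.3.2.1.in-addr.arpa. not found: 3(NXDOMAIN)'

# krb5_rdns_setting FILE
# Print the value of rdns from [libdefaults]; prints nothing when the key is
# absent (the library default is then true, i.e. reverse lookups enabled).
krb5_rdns_setting() {
    awk '
        /^[ \t]*[#;]/ { next }                                     # comment line
        /^[ \t]*\[/   { insect = ($0 ~ /\[libdefaults\]/); next }  # section header
        insect && /^[ \t]*rdns[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")        # drop "rdns ="
            sub(/[ \t]*$/, "")              # drop trailing whitespace
            print; exit
        }
    ' "$1"
}

# ptr_target PTR_OUTPUT
# Host name given by a `host -t PTR` answer, lower-cased without the trailing
# dot; empty when there is no PTR record (NXDOMAIN or any other error).
ptr_target() {
    printf '%s\n' "$1" |
        awk '/domain name pointer/ { h = $NF; sub(/\.$/, "", h); print tolower(h); exit }'
}

# rdns_mismatch DC_NAME PTR_OUTPUT
# Succeed when the PTR is missing or names a host other than DC_NAME, which is
# the precondition this test case needs.
rdns_mismatch() {
    dc=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ "$(ptr_target "$2")" != "$dc" ]
}

# check_dc_rdns DC_NAME   (live: resolves the DC and queries the PTR for its address)
check_dc_rdns() {
    ip=$(host "$1" | awk '/has address/ { print $NF; exit }')
    [ -n "$ip" ] || { echo "no A record for $1" >&2; return 2; }
    if rdns_mismatch "$1" "$(host -t PTR "$ip" 2>&1)"; then
        echo "PTR for $ip is missing or differs from $1: precondition holds"
    else
        echo "PTR for $ip resolves back to $1: break the mapping or skip this test"
        return 1
    fi
    [ "$(krb5_rdns_setting /etc/krb5.conf)" = "false" ] ||
        echo "warning: rdns is not set to false in [libdefaults]" >&2
}

# Offline demonstration on the constructed data
for sample in "$SAMPLE_PTR_MATCH" "$SAMPLE_PTR_OTHER" "$SAMPLE_PTR_NXDOMAIN"; do
    if rdns_mismatch dc.example.com "$sample"; then
        echo "missing or different -> usable for this test: $sample"
    else
        echo "matches dc.example.com -> not usable here:    $sample"
    fi
done
```

Source the file and run check_dc_rdns with the name found by the SRV lookup (for example `check_dc_rdns dc.example.com`); it exits 0 only when the reverse mapping is absent or different, which is exactly the state the test requires, and warns when rdns is not set to false.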
How to test
- Use your Active Directory domain user account to authenticate to the Active Directory server using kinit without a realm name.
$ kinit user@AD.EXAMPLE.COM
- Type your domain account password
- Make sure that you capitalize the domain name.
- If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
- Now do an LDAP search against your domain controller
$ ldapwhoami -H ldap://dc.example.com -Y GSSAPI
- You must use the exact domain controller name (as discovered in the above stages, in order for this to work).
Expected Results
- The ldapwhoami command should output your user name on the last line, and should not fail.
$ klist
- You should see a line that contains the domain controller host name
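To confirm the expected result mechanically rather than by eye, the script below (added here, not from the wiki page) scans klist output for a service ticket whose principal is ldap/<domain controller>@<realm>, which is the ticket ldapwhoami obtains when GSSAPI authentication to that host succeeded. The klist listing embedded in it is a constructed sample, and the only assumption is the default klist layout in which the service principal is the last field of each ticket line.

```shell
#!/bin/sh
# Added example, not part of the Fedora wiki page.
# Assumes the default `klist` listing format: one ticket per line with the
# service principal as the last whitespace-separated field.

# Constructed klist output for a cache after kinit and ldapwhoami against dc.example.com
sample_klist_output() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
05/09/13 11:09:00  05/09/13 21:09:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
05/09/13 11:09:30  05/09/13 21:09:00  ldap/dc.example.com@AD.EXAMPLE.COM
EOF
}

# ticket_services KLIST_OUTPUT
# Print the service principals (service/host@REALM) found in a klist listing,
# one per line and lower-cased; the cache, default-principal and header lines
# are skipped because they do not end in a service/host@REALM field.
ticket_services() {
    printf '%s\n' "$1" | awk '$NF ~ /^[^@ ]+\/[^@ ]+@[^@ ]+$/ { print tolower($NF) }'
}

# klist_has_service_ticket KLIST_OUTPUT SERVICE HOST
# Exit 0 when the listing holds a ticket for SERVICE/HOST (any realm), else 1.
klist_has_service_ticket() {
    want=$(printf '%s/%s@' "$2" "$3" | tr 'A-Z' 'a-z')
    ticket_services "$1" |
        awk -v want="$want" 'index($0, want) == 1 { found = 1 } END { exit !found }'
}

# Offline demonstration on the constructed listing
out=$(sample_klist_output)
if klist_has_service_ticket "$out" ldap dc.example.com; then
    echo "service ticket for ldap/dc.example.com present: result matches expectation"
else
    echo "no ldap/dc.example.com ticket: ldapwhoami did not authenticate to that DC"
fi
```

On a real system replace the sample with `klist_has_service_ticket "$(klist)" ldap dc.example.com`, using the exact domain controller name from the setup steps; a missing ticket means the GSSAPI bind never completed against that host.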
Troubleshooting
If you want to file a bug related to this issue, run the command with the KRB5_TRACE=/dev/stderr environment variable, like this:
$ KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM