From Fedora Project Wiki
(Update page for test day) |
m (Stefw moved page QA:Testcase LessBrittleKerberos resilient reverseDNS to QA:Testcase kerberos reverse dns: Clearer name) |
(No difference)
|
Revision as of 16:08, 8 May 2013
Description
Demonstrate that MIT Kerberos 1.11 reverts to default behavior (rather than categorically rejecting the authentication) in the scenario where:
- The client does not present a domain name to authenticate against.
- Reverse DNS is enabled in /etc/krb5.conf
- The server does not have a PTR record on the DNS server.
Setup
- Verify that your ActiveDirectory domain access works. If you don't have an Active Directory domain, you can set one up.
- You need a domain user or administrator account.
- Make sure you have krb5-workstation-1.11 or later installed.
- Make note of the the DNS name for a domain controller on your domain
$ host -t SRV _ldap._tcp.domain.example.com
- Make note of the IP address of the domain controller you chose above
$ host dc.example.com
- Now verify that the reverse DNS record for that IP address does not exist or does not match that of your domain controller.
- If it does match, then either find a way to break the mapping (if you set it up yourself) or skip this test.
- Verify that
/etc/krb5.conf
exists, and contains this line, in the[libdefaults]
section:rdns = false
- If the file does not exist, reinstall krb5-libs:
$ sudo yum reinstall krb5-libs
How to test
- Use your Active Directory domain user account to authenticate to the Active Directory server using kinit without a realm name.
$ kinit user@AD.EXAMPLE.COM
- Type your domain account password
- Make sure that you capitalize the domain name.
- If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
- Now do an LDAP search against your domain controller
$ ldapwhoami -H ldap://dc.example.com -Y GSSAPI
- You must use the exact domain controller name (as discovered in the above stages, in order for this to work).
Expected Results
- The
ldapwhoami
command should output your user name on the last line, and should not fail.$ klist
- You should see a line that contains the domain controller host name
Troubleshooting
If you want to file a bug related to this issue, run the command with the the KRB5_TRACE=/dev/stderr
environment variable, like this:
$ KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM