From Fedora Project Wiki
m (Stefw moved page QA:Testcase LessBrittleKerberos resilient reverseDNS to QA:Testcase kerberos reverse dns: Clearer name) |
(prereq) |
||
| Line 1: | Line 1: | ||
{{QA/Test_Case | {{QA/Test_Case | ||
|description= Demonstrate that MIT Kerberos 1.11 reverts to default behavior (rather than categorically rejecting the authentication) in the scenario where: | |description=Demonstrate that MIT Kerberos 1.11 reverts to default behavior (rather than categorically rejecting the authentication) in the scenario where: | ||
* The client does not present a domain name to authenticate against. | * The client does not present a domain name to authenticate against. | ||
* Reverse DNS is enabled in /etc/krb5.conf | * Reverse DNS is enabled in /etc/krb5.conf | ||
* The server does not have a PTR record on the DNS server. | * The server does not have a PTR record on the DNS server. | ||
|setup= | |setup= | ||
# [[ | # Perform [[QA:Testcase_kerberos_setup|prerequisite setup]] before you run this test. | ||
# You need a | # You need a realm user or administrator account. | ||
# Make sure you have krb5-workstation-1.11 or later installed. | # Make sure you have krb5-workstation-1.11 or later installed. | ||
# Make note of the the DNS name for a domain controller on your domain | # Make note of the the DNS name for a domain controller on your domain | ||
Revision as of 17:13, 8 May 2013
Description
Demonstrate that MIT Kerberos 1.11 reverts to default behavior (rather than categorically rejecting the authentication) in the scenario where:
- The client does not present a domain name to authenticate against.
- Reverse DNS is enabled in /etc/krb5.conf
- The server does not have a PTR record on the DNS server.
Setup
- Perform prerequisite setup before you run this test.
- You need a realm user or administrator account.
- Make sure you have krb5-workstation-1.11 or later installed.
- Make note of the the DNS name for a domain controller on your domain
$ host -t SRV _ldap._tcp.domain.example.com
- Make note of the IP address of the domain controller you chose above
$ host dc.example.com
- Now verify that the reverse DNS record for that IP address does not exist or does not match that of your domain controller.
- If it does match, then either find a way to break the mapping (if you set it up yourself) or skip this test.
- Verify that
/etc/krb5.confexists, and contains this line, in the[libdefaults]section:rdns = false
- If the file does not exist, reinstall krb5-libs:
$ sudo yum reinstall krb5-libs
How to test
- Use your Active Directory domain user account to authenticate to the Active Directory server using kinit without a realm name.
$ kinit user@AD.EXAMPLE.COM
- Type your domain account password
- Make sure that you capitalize the domain name.
- If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
- Now do an LDAP search against your domain controller
$ ldapwhoami -H ldap://dc.example.com -Y GSSAPI
- You must use the exact domain controller name (as discovered in the above stages, in order for this to work).
Expected Results
- The
ldapwhoamicommand should output your user name on the last line, and should not fail.$ klist
- You should see a line that contains the domain controller host name
Troubleshooting
If you want to file a bug related to this issue, run the command with the the KRB5_TRACE=/dev/stderr environment variable, like this:
$ KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM