From Fedora Project Wiki
Description
Demonstrate that MIT Kerberos 1.11 falls back to its default behavior of using the forward-resolved host name (rather than categorically rejecting the authentication) in the scenario where:
- The client does not specify a realm to authenticate against, so the client's default realm from /etc/krb5.conf is used.
- Reverse DNS is enabled in /etc/krb5.conf (rdns = true in the [libdefaults] section).
- The server (the Active Directory domain controller acting as KDC) has no PTR record on the DNS server.
Setup
- Verify that your Active Directory domain access works. If you don't have an Active Directory domain, you can set one up.
- You need a domain account, either a user or administrator. It's useful to test with both.
- Your machine must have a configured host name. Check it with:
$ hostname
Do not proceed if your host name is localhost or similar.
- Make sure you have krb5-workstation-1.11 or later installed.
How to test
- Use the DNS Manager console on the Active Directory server to remove the PTR record that maps the server's IP address back to its host name.
- In your client's /etc/krb5.conf, enable the use of reverse DNS by setting rdns = true in the [libdefaults] section.
- Use your Active Directory domain user account to authenticate to the Active Directory server with kinit, omitting the realm name:
$ kinit user
Password for user@AD.EXAMPLE.COM:
- The realm shown in the password prompt is the client's default realm (default_realm in /etc/krb5.conf). Make sure it is written in upper case; Kerberos realm names are case-sensitive and Active Directory realms are upper case.
- If the above fails with 'Preauthentication failed', you probably typed the wrong password.
- Apart from the password prompt, there should be no output from this command.
Expected Results
- Check that you have an appropriate entry in your credentials cache using the klist command.
$ klist
- You should see a line whose service principal is "krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM", i.e. a ticket-granting ticket for the realm. This shows the AS exchange succeeded even though the KDC's address has no PTR record.
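The following script walks the procedure above end to end. It is an added example, not part of the Fedora wiki page or of MIT Kerberos. It assumes the realm AD.EXAMPLE.COM and a domain controller named dc1.ad.example.com (both overridable through the hypothetical REALM and KDC environment variables), reads the client configuration from $KRB5_CONFIG or /etc/krb5.conf, and uses a constructed klist listing (SAMPLE_KLIST) to show what the expected result looks like; the helper functions can also be run on their own against real krb5.conf and klist output.

```sh
#!/bin/sh
# Added example for the rdns test procedure; not from the Fedora wiki page
# or from MIT Kerberos. Assumptions: realm AD.EXAMPLE.COM, KDC
# dc1.ad.example.com (hypothetical REALM / KDC variables override them),
# client config in $KRB5_CONFIG or /etc/krb5.conf. SAMPLE_KLIST below is
# constructed output in klist's format, not captured from a real system.

# Print the value of "rdns" from the [libdefaults] section of a krb5.conf
# file, lower-cased, or "unset" when the key is absent (MIT Kerberos 1.11
# then uses its built-in default, which is true).
krb5_rdns_value() {
    awk '
        /^[ \t]*\[/ { in_section = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_section {
            line = $0
            sub(/#.*/, "", line)                 # drop trailing comments
            gsub(/[ \t]/, "", line)              # "rdns = true" -> "rdns=true"
            if (line ~ /^rdns=/) {
                sub(/^rdns=/, "", line)
                print tolower(line)
                found = 1
                exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 when the host's IPv4 address has a PTR record, 1 when the reverse
# lookup fails (the condition this test case needs) and 2 when the forward
# lookup itself fails. getent(1) uses the same resolver path as libkrb5.
host_has_ptr() {
    addr=$(getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }')
    if [ -z "$addr" ]; then
        echo "cannot resolve $1" >&2
        return 2
    fi
    getent hosts "$addr" >/dev/null 2>&1
}

# Succeed when klist output on stdin lists a TGT for the given realm,
# i.e. a service principal of the form krbtgt/REALM@REALM.
has_tgt_for_realm() {
    grep -qF "krbtgt/$1@$1"
}

# Constructed klist output matching the expected result of the test case.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2013 09:12:01  01/15/2013 19:12:01  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM'

# Walk the procedure: confirm rdns = true, confirm the PTR record is gone,
# then kinit without a realm and look for the TGT in the credentials cache.
run_procedure() {
    user=$1
    realm=${REALM:-AD.EXAMPLE.COM}
    kdc=${KDC:-dc1.ad.example.com}
    conf=${KRB5_CONFIG:-/etc/krb5.conf}

    if [ "$(krb5_rdns_value "$conf")" != true ]; then
        echo "set rdns = true in the [libdefaults] section of $conf" >&2
        return 1
    fi
    host_has_ptr "$kdc"
    case $? in
        0) echo "$kdc still has a PTR record; remove it on the DNS server first" >&2; return 1 ;;
        2) return 1 ;;
    esac
    kinit "$user" || return 1                    # realm deliberately omitted
    if klist | has_tgt_for_realm "$realm"; then
        echo "PASS: TGT for $realm obtained although $kdc has no PTR record"
    else
        echo "FAIL: no krbtgt/$realm@$realm in the credentials cache" >&2
        return 1
    fi
}

# Usage: sh rdns-test.sh run USER   (the live checks only run on request)
if [ "${1:-}" = run ]; then
    run_procedure "${2:?usage: $0 run USER}"
fi
```

Run it as `sh rdns-test.sh run user` on the client after removing the PTR record; the script refuses to continue if rdns is not enabled or if the KDC's address still resolves in reverse, so a PASS really exercises the fallback path rather than an ordinary reverse-resolved logon.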
Troubleshooting
TBD