[OpenAFS] Re: what is aklog's algorithm for "deducing" what cell to authenticate to?

Jeffrey Hutzelman jhutz@cmu.edu
Fri, 30 Dec 2005 16:33:38 -0500


On Tuesday, December 27, 2005 08:20:10 PM -0800 Adam Megacz 
<megacz@cs.berkeley.edu> wrote:

>
> Derrick J Brashear <shadow@dementia.org> writes:
>> realm. It's using the krb5 "realm of host" function on,probably, the
>> server.
>
> For the [mailing list] record, it appears that aklog does this in the
> absence of anything in krb5.conf overriding its behavior:
>
>   aklog -c foo.com
>
>   resolve AFSDB record for domain foo.com
>        -> result is server.bar.com
>
>   perform kerberos server discovery (RFC2052) on server.bar.com
>        -> usually something.bar.com (depends on DNS entries)
>
> In my case, this was fixed by making the AFSDB record for my cell's
> domain point at a hostname ending with the cell name (fake.foo.com),
> which had an "A" record that could point wherever I wanted (same IP as
> server.bar.com).


Actually, it seems that there's been a fair bit of confusion because you 
missed a step.

What aklog does is figure out what the dbservers are for the cell you're 
interested in, either by doing a CellServDB lookup or by getting AFSDB 
records.  Then it picks a dbserver and does the normal hostname->realm 
mapping to find out what kerberos realm that host is in.  Finally, it 
attempts to get a ticket for an AFS service in that realm.

The Kerberos library will perform hostname->realm mapping based on local 
configuration (the domain_realm section in krb5.conf) or by applying a 
fixed algorithm such as dropping the first component of the domain name. 
This is security policy for the client, and cannot be safely discovered via 
an unsecured DNS query.

Once the target realm has been selected, the Kerberos library also needs to 
know where the KDC's are for that realm.  Most modern implementations will 
determine this information based on local configuration (krb5.conf), or by 
using DNS SRV records as described in RFC4120 section 7.2.3.2.



So, you can safely use the DNS to find the KDC's for a specified realm, and 
aklog will do that if linked against a Kerberos library which supports that 
feature.  However, you cannot safely use the DNS to determine what realm to 
use.  In fact, even using the results of AFSDB queries as input to this 
process is broken.  Unfortunately, aklog uses the AFS configuration library 
to find the dbservers for a cell, and was written in a time when the only 
source for that information was the (presumably trustworthy) CellServDB 
file.


-- Jeff