From Fedora Project Wiki
(Update page for test day) |
No edit summary |
||
| (3 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
{{QA/Test_Case | {{QA/Test_Case | ||
|description= Demonstrate that MIT Kerberos 1.11 reverts to default behavior (rather than categorically rejecting the authentication) in the scenario where: | |description=Demonstrate that MIT Kerberos 1.11 reverts to default behavior (rather than categorically rejecting the authentication) in the scenario where: | ||
* The client does not present a domain name to authenticate against. | * The client does not present a domain name to authenticate against. | ||
* Reverse DNS is enabled in /etc/krb5.conf | * Reverse DNS is enabled in /etc/krb5.conf | ||
* The server does not have a PTR record on the DNS server. | * The server does not have a PTR record on the DNS server. | ||
|setup= | |setup= | ||
# [[ | # Perform [[QA:Testcase_kerberos_setup|prerequisite setup]] before you run this test. | ||
# You need a | # You need a realm user or administrator account. | ||
# Make sure you have krb5-workstation-1.11 or later installed. | # Make sure you have krb5-workstation-1.11 or later installed. You also need openldap-clients in order to use the 'ldapwhoami' command. | ||
# Make note of the the DNS name for a domain controller on your domain | # Make note of the the DNS name for a domain controller on your domain | ||
#: <pre>$ host -t SRV | #: <pre>$ host -t SRV _kerberos._udp.domain.example.com</pre> | ||
# Make note of the IP address of the domain controller you chose above | # Make note of the IP address of the domain controller you chose above: | ||
#: <pre>$ host dc.example.com</pre> | #: <pre>$ host dc.example.com</pre> | ||
# Now verify that the reverse DNS record for that IP address '''does not exist''' or '''does not match''' that of your domain controller. | # Now verify that the reverse DNS record for that IP address '''does not exist''' or '''does not match''' that of your domain controller: | ||
#: <pre>$ host -t PTR X.X.X.X</pre> | |||
#: If it does match, then either find a way to break the mapping (if you set it up yourself) or skip this test. | #: If it does match, then either find a way to break the mapping (if you set it up yourself) or skip this test. | ||
# Verify that <code>/etc/krb5.conf</code> exists, and contains this line, in the <code>[libdefaults]</code> section: | # Verify that <code>/etc/krb5.conf</code> exists, and contains this line, in the <code>[libdefaults]</code> section: | ||
Latest revision as of 11:09, 9 May 2013
Description
Demonstrate that MIT Kerberos 1.11 reverts to default behavior (rather than categorically rejecting the authentication) in the scenario where:
- The client does not present a domain name to authenticate against.
- Reverse DNS is enabled in /etc/krb5.conf
- The server does not have a PTR record on the DNS server.
Setup
- Perform prerequisite setup before you run this test.
- You need a realm user or administrator account.
- Make sure you have krb5-workstation-1.11 or later installed. You also need openldap-clients in order to use the 'ldapwhoami' command.
- Make note of the the DNS name for a domain controller on your domain
$ host -t SRV _kerberos._udp.domain.example.com
- Make note of the IP address of the domain controller you chose above:
$ host dc.example.com
- Now verify that the reverse DNS record for that IP address does not exist or does not match that of your domain controller:
$ host -t PTR X.X.X.X
- If it does match, then either find a way to break the mapping (if you set it up yourself) or skip this test.
- Verify that
/etc/krb5.confexists, and contains this line, in the[libdefaults]section:rdns = false
- If the file does not exist, reinstall krb5-libs:
$ sudo yum reinstall krb5-libs
How to test
- Use your Active Directory domain user account to authenticate to the Active Directory server using kinit without a realm name.
$ kinit user@AD.EXAMPLE.COM
- Type your domain account password
- Make sure that you capitalize the domain name.
- If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
- Now do an LDAP search against your domain controller
$ ldapwhoami -H ldap://dc.example.com -Y GSSAPI
- You must use the exact domain controller name (as discovered in the above stages, in order for this to work).
Expected Results
- The
ldapwhoamicommand should output your user name on the last line, and should not fail.$ klist
- You should see a line that contains the domain controller host name
Troubleshooting
If you want to file a bug related to this issue, run the command with the the KRB5_TRACE=/dev/stderr environment variable, like this:
$ KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM