Demonstrate that MIT Kerberos 1.11 reverts to default behavior (rather than categorically rejecting the authentication) in the scenario where:
- The client does not present a domain name to authenticate against.
- Reverse DNS is enabled in /etc/krb5.conf
- The server does not have a PTR record on the DNS server.
- Perform prerequisite setup before you run this test.
- You need a realm user or administrator account.
- Make sure you have krb5-workstation-1.11 or later installed.
- Make note of the the DNS name for a domain controller on your domain
$ host -t SRV _ldap._tcp.domain.example.com
- Make note of the IP address of the domain controller you chose above
$ host dc.example.com
- Now verify that the reverse DNS record for that IP address does not exist or does not match that of your domain controller.
- If it does match, then either find a way to break the mapping (if you set it up yourself) or skip this test.
- Verify that
/etc/krb5.confexists, and contains this line, in the
rdns = false
- If the file does not exist, reinstall krb5-libs:
$ sudo yum reinstall krb5-libs
How to test
- Use your Active Directory domain user account to authenticate to the Active Directory server using kinit without a realm name.
$ kinit user@AD.EXAMPLE.COM
- Type your domain account password
- Make sure that you capitalize the domain name.
- If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
- Now do an LDAP search against your domain controller
$ ldapwhoami -H ldap://dc.example.com -Y GSSAPI
- You must use the exact domain controller name (as discovered in the above stages, in order for this to work).
ldapwhoamicommand should output your user name on the last line, and should not fail.
- You should see a line that contains the domain controller host name
If you want to file a bug related to this issue, run the command with the the
KRB5_TRACE=/dev/stderr environment variable, like this:
$ KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.COM