From owner-freebsd-security  Tue Jul  7 12:38:53 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id MAA22061
          for freebsd-security-outgoing; Tue, 7 Jul 1998 12:38:53 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA22056
          for <security@FreeBSD.ORG>; Tue, 7 Jul 1998 12:38:51 -0700 (PDT)
          (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost)
	by burka.rdy.com (8.8.8/RDY&DVV) id MAA00439;
	Tue, 7 Jul 1998 12:38:46 -0700 (PDT)
Message-Id: <199807071938.MAA00439@burka.rdy.com>
Subject: Re: kerberos su problems betw 2 machines
In-Reply-To: <xof3ecd5uvx.fsf@blubb.pdc.kth.se> from Johan Danielsson at "Jul 7, 1998  9:22:10 pm"
To: joda@pdc.kth.se (Johan Danielsson)
Date: Tue, 7 Jul 1998 12:38:46 -0700 (PDT)
Cc: dima@best.net, ludwigp@bigfoot.com, security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Johan Danielsson writes:
> dima@best.net (Dima Ruban) writes:
> 
> > Make sure, lookup on both IP addresses on your interfaces gives you
> > _the same_ name.
> 
> I don't think this is the problem. In MIT Kerberos 5, you can get a
> working multi-homed configuration by making sure that the hostname has
> A records for all it's interfaces. In Kerberos 4 (which we are dealing

I'm not sure that A records for all the interfaces would be enough.
Some time ago I've had a multihomed machine with krb5 and I'm pretty sure
all the IPs on the interfaces had an A record. And util I've fixed
all of them to resolve to the same name (hostname) this multihomed
configuration didn't work as it was supposed to.

> with here), only has room for one ip-address in the ticket, and the
> KDC chooses that address based on the ip-address the request was sent
> from.
> 
> /Johan
> 

-- dima

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message