From Fedora Project Wiki

Revision as of 22:17, 11 March 2013 by Yelley (talk | contribs) (QA:Testcase LessBrittleKerberos resilient reverseDNS)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Demonstrate that MIT Kerberos 1.11 reverts to default behavior (rather than categorically rejecting the authentication) in the scenario where:

  • The client does not present a domain name to authenticate against.
  • Reverse DNS is enabled in /etc/krb5.conf
  • The server does not have a PTR record on the DNS server.


  1. Verify that your ActiveDirectory domain access works. If you don't have an Active Directory domain, you can set one up.
  2. You need a domain account, either a user or administrator. It's useful to test with both.
  3. Your machine must have a configured host name. Do not proceed if you host name is localhost or similar.
    $ hostname
  4. Make sure you have krb5-workstation-1.11 or later installed.

How to test

  1. Use the DNS Manager console on the Active Directory server to remove the PTR record that establishes the ip-to-hostname mapping for the server.
  2. In your client's /etc/krb5.conf, enable the use of reverse dns by setting the "rdns" attribute to "true"
  3. Use your Active Directory domain user account to authenticate to the Active Directory server using kinit without a realm name.
    $ kinit user
    Password for user@AD.EXAMPLE.COM
    • Make sure that you capitalize the domain name.
    • If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
    • There should be no output from this command.

Expected Results

  1. Check that you have an appropriate entry in your credentials cache using the klist command.
    $ klist
    • You should see a line that has a service principal named "krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM"