Kerberos and IPv6-only DNS
I mentioned in an earlier entry that I've configured my workstation (OS X 10.4.11) only to use IPv6 for DNS queries. Today, I found something that this broke: Kerberized CIFS. So far, I've only noticed this on OS X 10.4. It does not happen on OS X 10.5. I haven't had time to test any other platforms.
A few months ago I gave a talk at the SOS Security Day on using Kerberos for various network services. One of the things I discussed was kerberized CIFS. I had verified that this worked on OS X using the u: drive. This was before my IPv6-only DNS change. Today, a colleague asked me to reverify my findings, since he was having issues. I was unable to obtain a service ticket in the u: drive's Kerberos realm. After some grepping through the Kerberos source, I've found the source of the problem.
Kerberos can discover configuration data for foreign realms using DNS SRV records. The u: drive is in its own Kerberos realm, so my client tried to look up the KDC hostnames with an SRV record query. The MIT Kerberos libraries included with OS X 10.4 can only use IPv4 to perform that query. One way to resolve the issue is to add an IPv4 DNS server to the resolver configuration, listed first (which means that most DNS traffic will then go over IPv4 only). Alternatively, you can explicitly configure your krb5.conf file with the u: drive's realm, so the client never needs the SRV lookup; that is what I did.
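To make the two KDC discovery paths concrete, here is an added example (not code from the original post, and not MIT Kerberos code) that models how libkrb5 decides where to find a realm's KDCs from krb5.conf. It parses two constructed krb5.conf files: one where the file server's realm is known via [domain_realm] but has no [realms] stanza, so the library would fall back to the `_kerberos._udp.REALM` / `_kerberos._tcp.REALM` SRV queries (the IPv4-only path on 10.4), and one where the realm's kdc entries are listed explicitly, so no DNS lookup is needed. All realm and host names (WORKSTATION.EXAMPLE, UDRIVE.EXAMPLE, kdc.udrive.example, and so on) are placeholders.

```python
"""Model MIT Kerberos KDC discovery from krb5.conf (constructed example)."""

# Constructed krb5.conf: the workstation's own realm has explicit KDCs,
# the file server's realm (placeholder UDRIVE.EXAMPLE) is mapped in
# [domain_realm] but has no [realms] stanza, so KDCs come from DNS SRV.
KRB5_CONF_BEFORE = """
[libdefaults]
    default_realm = WORKSTATION.EXAMPLE
    dns_lookup_kdc = true

[realms]
    WORKSTATION.EXAMPLE = {
        kdc = kdc1.workstation.example
        kdc = kdc2.workstation.example
        admin_server = kdc1.workstation.example
    }

[domain_realm]
    .workstation.example = WORKSTATION.EXAMPLE
    .udrive.example = UDRIVE.EXAMPLE
"""

# Same file with the foreign realm configured explicitly (the fix used above).
KRB5_CONF_AFTER = """
[libdefaults]
    default_realm = WORKSTATION.EXAMPLE
    dns_lookup_kdc = true

[realms]
    WORKSTATION.EXAMPLE = {
        kdc = kdc1.workstation.example
        kdc = kdc2.workstation.example
        admin_server = kdc1.workstation.example
    }
    UDRIVE.EXAMPLE = {
        kdc = kdc.udrive.example
    }

[domain_realm]
    .workstation.example = WORKSTATION.EXAMPLE
    .udrive.example = UDRIVE.EXAMPLE
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format: [sections], key = value lines,
    and one level of  name = { ... }  nesting. Repeated keys become lists."""
    conf = {}
    section = None
    stanza = None  # dict for the current "name = { ... }" block, if any
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        if line == '}':
            stanza = None
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            stanza = conf[section].setdefault(key, {})
            continue
        target = stanza if stanza is not None else conf[section]
        target.setdefault(key, []).append(value)
    return conf


def realm_for_host(conf, host):
    """Map a service host to its realm via [domain_realm]: exact host first,
    then ".parent.domain" suffixes. None means the mapping is unknown (libkrb5
    would then try DNS TXT records if dns_lookup_realm is enabled)."""
    mapping = conf.get('domain_realm', {})
    h = host.lower().rstrip('.')
    if h in mapping:
        return mapping[h][0]
    parts = h.split('.')
    for i in range(1, len(parts)):
        suffix = '.' + '.'.join(parts[i:])
        if suffix in mapping:
            return mapping[suffix][0]
    return None


def kdc_lookup_plan(conf, realm):
    """Return ('config', [kdc hosts]) when the realm has explicit kdc entries,
    ('dns-srv', [query names]) when libkrb5 would fall back to SRV records,
    or ('none', []) when DNS fallback is disabled and nothing is configured."""
    realms = conf.get('realms', {})
    if realm in realms and 'kdc' in realms[realm]:
        return ('config', list(realms[realm]['kdc']))
    libdefaults = conf.get('libdefaults', {})
    flag = libdefaults.get('dns_lookup_kdc', ['true'])[0].lower()
    if flag not in ('true', 'yes', '1'):
        return ('none', [])
    return ('dns-srv', ['_kerberos._udp.' + realm, '_kerberos._tcp.' + realm])


if __name__ == '__main__':
    for label, text in (('before', KRB5_CONF_BEFORE), ('after', KRB5_CONF_AFTER)):
        conf = parse_krb5_conf(text)
        realm = realm_for_host(conf, 'fs1.udrive.example')
        print(label, realm, kdc_lookup_plan(conf, realm))
```

Running the script shows the "before" configuration producing SRV query names for UDRIVE.EXAMPLE, which is exactly the lookup that an IPv4-only resolver path cannot complete when the only configured DNS servers are IPv6; the "after" configuration returns the kdc host straight from the file. The same check is a quick way to audit a krb5.conf for realms that silently depend on DNS discovery.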
The issue appears to be fixed in newer versions of MIT Kerberos and in Leopard.