
Re: DNS lookup for resolving domain to realm mapping works... but only after I modified the source code?



Lara Adianto <m1r4cle_26@yahoo.com> writes:

> I supposed it is the responsibility of the KDC to find out that
> test_w2kserver is in fact in LARA_W2K.COM and not in LARA_HMD.COM as
> the client has assumed.

Some people feel this, and well, if the KDC has better knowledge, it
could share this with the client.

> Function dns_find_realm in lib/krb5/get_host_realm.c is not called
> at all.  Is my observation right? Or am I missing some settings?

It's not used from the KDC, if that's what you mean. The reason for
this is that we don't want any dependencies in the KDC on (possibly
very slow, and insecure) DNS servers.

I suppose your problem is that you have one DNS domain, with hosts all
living in different realms? If all your Windows machines live in a
separate domain, you can direct that whole domain to another realm.

One other possibility is to generate the [domain_realm] from DNS.

> _kerberos.test_w2kserver.	IN	TXT	LARA_HMD.COM

This can only work if your clients ask for host/test_w2kserver@REALM
(incomplete domain), or if there's something wrong in your bind setup.

/Johan
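An added example, not from this thread or the Heimdal sources, of what "generate the [domain_realm] from DNS" can look like: a small Python sketch that walks `_kerberos.<name>` TXT records the way a client's host-realm search does (as I understand it: try the full name, then strip one label at a time) and emits a krb5.conf `[domain_realm]` stanza ahead of time, so the KDC itself never has to consult DNS. The record set is constructed for the example and includes the bare `_kerberos.test_w2kserver.` record from the thread to show that it only ever matches an incomplete (unqualified) name.

```python
# Added example: build a [domain_realm] stanza from _kerberos TXT records
# offline.  The records below are constructed for this example; in practice
# they would come from a zone dump or a scripted set of TXT queries.
TXT_RECORDS = {
    "_kerberos.lara-hmd.com.": "LARA_HMD.COM",          # assumed domain-wide record
    "_kerberos.w2k.lara-hmd.com.": "LARA_W2K.COM",      # assumed Windows subdomain
    "_kerberos.test_w2kserver.": "LARA_HMD.COM",        # bare name, as in the thread
}


def lookup_realm(hostname, records=TXT_RECORDS):
    """Return (realm, matched_record_name) for a host, or (None, None).

    Mirrors the client-side walk: query _kerberos.<name>, and if there is
    no answer, drop the leftmost label and try again up to the root.
    """
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = "_kerberos." + ".".join(labels[i:]) + "."
        realm = records.get(candidate)
        if realm:
            return realm, candidate
    return None, None


def generate_domain_realm(hosts, records=TXT_RECORDS):
    """Render a krb5.conf [domain_realm] section for the given host names."""
    lines = ["[domain_realm]"]
    seen = set()
    for host in sorted(hosts):
        realm, matched = lookup_realm(host, records)
        if realm is None:
            continue  # no DNS hint; leave it to the default realm
        domain = matched[len("_kerberos."):].rstrip(".")
        # A parent-domain match becomes a domain-wide ".domain = REALM" line;
        # an exact match (only possible for an unqualified name here) becomes
        # a single host mapping, which is the case the thread stumbles over.
        key = domain if domain == host.rstrip(".") else "." + domain
        if key not in seen:
            seen.add(key)
            lines.append(f"\t{key} = {realm}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(generate_domain_realm(["test_w2kserver.w2k.lara-hmd.com",
                                 "fileserver.lara-hmd.com",
                                 "test_w2kserver"]))
```

The generated stanza can be pasted into krb5.conf on the KDC; the bare `test_w2kserver = LARA_HMD.COM` line only helps clients that ask for `host/test_w2kserver@REALM`, which is exactly the limitation the reply points out.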