> I supposed it is the responsibility of the KDC to find out that
> test_w2kserver is in fact in LARA_W2K.COM and not in LARA_HMD.COM as
> the client has assumed.
JD: Some people feel this, and well, if the KDC has better knowledge, it
JD: could share this with the client.
I read somewhere that the client is the one who's supposed to determine
the realm of the server, but someone from MIT kerberos mailing list told me that microsoft changed the mechanism by assuming at the beginning that the server is in the same realm as the client. In this way, the client ALWAYS sends a request to its KDC with server target's realm equal to its own realm. and it is the KDC who must correct the client by issuing a cross-realm referral to the right realm
> Function dns_find_realm in lib/krb5/get_host_realm.c is not called
> at all. Is my observation right ? or do I miss some settings ?
JD: It's not used from the KDC, if that's what you mean. The reason for
JD: this is that we don't want any dependencies in the KDC on (possibly
JD: very slow, and insecure) DNS servers.
I get it now :-) But if that's the way, how can heimdal kerberos handles
windows' clients who always assume the server is in its own realm ?
JD: I suppose your problem is that you have one DNS domain, with hosts all
JD: living in different realms? If all your windows machines live in a
JD: separate domain, you can direct that whole domain to another realm.
I currently only use 2 realms: a Kerberos realm and a Windows realm. Both of them are in a different domain.
JD: One other possibility is to generate the [domain_realm] from DNS.
> _kerberos.test_w2kserver. IN TXT LARA_HMD.COM
JD: This can only work if your clients ask for host/test_w2kserver@REALM
JD: (incomplete domain), or if there's something wrong in your bind setup.
Exactly, my client asks for host/test_w2kserver@REALM. Isn't it supposed to work this way ? What do you mean
by incomplete domain anyway ? I'm quite new to this whole concept of kerberos & dns
- lara -