Kerberos 5, kprop problem

Norbert Veber nveber at pyre.virge.net
Tue Apr 16 14:02:01 EDT 2002


Ken Hornstein wrote:
>>'abel' is the main server, it has a cname of 'kerberos'.  'weber' is one
>>of the secondaries, cname kerberos-2.
>>
>>For some reason its trying to find the canonical hostname of the
>>machine.  The installation manual said it should work with CNAMES..
> 
> I think you misread the manual.  In Kerberos you always want to use the
> canonical name (and the "short" name isn't a CNAME in any case, unless
> you placed the CNAME record at the root of the DNS).

Hmm.  To quote the manual:
MIT recommends that your KDCs have a predefined set of CNAME records
(DNS hostname aliases), such as kerberos for the master KDC and
kerberos-1, kerberos-2, ... for the slave KDCs. This way, if you need to
swap a machine, you only need to change a DNS entry, rather than having
to change hostnames. 

I'm not sure what you mean by "short" name.  My setup is such that each
machine has a hostname: abel, weber, schrodinger.  Then I setup some
CNAME records in my dns as suggested by the manual:
kerberos -> abel
kerberos-1 -> schrodinger
kerberos-2 -> weber

The principals I added and refer to everywhere in my configuration are
my CNAME records.  I.e.
kadmin:  listprincs
K/M at REALM.COM
admin/admin at REALM.COM
host/kerberos-1.domain.com at REALM.COM
host/kerberos-2.domain.com at REALM.COM
host/kerberos.domain.com at REALM.COM
kadmin/admin at REALM.COM
kadmin/changepw at REALM.COM
kadmin/history at REALM.COM
krbtgt/REALM.COM at REALM.COM

Of course in the above I have replaced the real realm/domain with "REALM"
and "domain" respectively.  I did however follow the recommendation to
make the REALM name the same as the domain name in upper case..

Thanks,

Norbert
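Ken's point is that the host principal kprop looks for is derived from the canonical hostname, not the alias. An offline check of that mismatch, added here as an illustration and not code from either poster: the DNS table is a constructed stand-in for the zone Norbert describes (a real check would resolve names with getaddrinfo), and the principal listing is the one pasted above, with the archive's "at" mapped back to "@".

```python
import re

# Constructed CNAME table modelled on the post (alias -> target). Not live DNS.
DNS_CNAMES = {
    "kerberos.domain.com": "abel.domain.com",
    "kerberos-1.domain.com": "schrodinger.domain.com",
    "kerberos-2.domain.com": "weber.domain.com",
}

# The kadmin listprincs output from the post (archiver rewrote "@" as " at ").
LISTPRINCS = """\
K/M at REALM.COM
admin/admin at REALM.COM
host/kerberos-1.domain.com at REALM.COM
host/kerberos-2.domain.com at REALM.COM
host/kerberos.domain.com at REALM.COM
kadmin/admin at REALM.COM
kadmin/changepw at REALM.COM
kadmin/history at REALM.COM
krbtgt/REALM.COM at REALM.COM
"""

def canonical_name(name, cnames=DNS_CNAMES, max_hops=8):
    """Follow CNAME records to the canonical hostname, as a resolver does."""
    seen = set()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = cnames[name]
    return name.lower()

def parse_principals(text):
    """Turn the archived listing back into a set of real principal names."""
    return {re.sub(r"\s+at\s+", "@", ln.strip()) for ln in text.splitlines() if ln.strip()}

def expected_host_principal(alias, realm, cnames=DNS_CNAMES):
    """The host/ principal a canonicalising client will ask for."""
    return f"host/{canonical_name(alias, cnames)}@{realm}"

def check_kdc_hosts(aliases, realm, listing=LISTPRINCS, cnames=DNS_CNAMES):
    """Map each KDC alias to (principal kprop will look for, present in KDC?)."""
    have = parse_principals(listing)
    return {a: (expected_host_principal(a, realm, cnames),
                expected_host_principal(a, realm, cnames) in have) for a in aliases}

if __name__ == "__main__":
    for alias, (want, ok) in check_kdc_hosts(list(DNS_CNAMES), "REALM.COM").items():
        print(f"{alias}: looks for {want} -> {'present' if ok else 'MISSING'}")
```

Every alias reports MISSING against the pasted listing, which is the mismatch Ken describes: the KDC holds host/kerberos-2.domain.com while the secondary resolves to weber.domain.com.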
