Kerberos 5, kprop problem
Ken Hornstein
kenh at cmf.nrl.navy.mil
Tue Apr 16 14:23:36 EDT 2002
>Hmm. To quote the manual:
>MIT recommends that your KDCs have a predefined set of CNAME records
>(DNS hostname aliases), such as kerberos for the master KDC and
>kerberos-1, kerberos-2, ... for the slave KDCs. This way, if you need to
>swap a machine, you only need to change a DNS entry, rather than having
>to change hostnames.
Right, but that's not what you're doing. You always need to use the
canonical name ... the REAL name. You shouldn't create service tickets
using aliases (don't create a service ticket called "host/kerberos").
This is part of the confusion about a CNAME record. The canonical name
is the part on the right side of the record; the left side of the
CNAME record is the alias. In Kerberos, you never create principals using
the alias (well, you _can_, but on Unix implementations, it's almost always
a bad idea).
>I'm not sure what you mean by "short" name. My setup is such that each
>machine has a hostname: abel, weber, schrodinger. Then I set up some
>CNAME records in my DNS as suggested by the manual:
What I mean by a "short" name is unqualified - you want to always use
a fully qualified domain name in Kerberos principals.
--Ken
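As an added example (not part of this thread or of MIT Kerberos), a small Python script that follows a CNAME chain from alias to canonical name, qualifies short hostnames, and audits a list of principals for instances built from an alias or an unqualified name; the zone data, domain and realm are constructed stand-ins.

```python
"""Build Kerberos service principals from canonical, fully-qualified names."""

# Constructed CNAME table standing in for DNS (hypothetical zone example.org).
# Left side of each record is the alias; right side is the canonical name.
CNAMES = {
    "kerberos.example.org.": "abel.example.org.",
    "kerberos-1.example.org.": "weber.example.org.",
    "kerberos-2.example.org.": "schrodinger.example.org.",
}
DEFAULT_DOMAIN = "example.org"   # assumed local search domain
REALM = "EXAMPLE.ORG"            # assumed realm


def qualify(host, default_domain=DEFAULT_DOMAIN):
    """Return an absolute FQDN (trailing dot); a short name gets the default domain appended."""
    h = host.lower().rstrip(".")
    if "." not in h:
        h = f"{h}.{default_domain}"
    return h + "."


def canonicalize(host, cnames=CNAMES, max_hops=8):
    """Follow the CNAME chain until a name that is not an alias; reject loops."""
    name = qualify(host)
    for _ in range(max_hops):
        target = cnames.get(name)
        if target is None:
            return name
        name = target.lower()
    raise ValueError(f"CNAME chain too long or looping for {host}")


def host_principal(host, realm=REALM, service="host"):
    """Build service/canonical-fqdn@REALM, never service/alias@REALM."""
    return f"{service}/{canonicalize(host).rstrip('.')}@{realm}"


def audit_principals(principals, cnames=CNAMES):
    """Flag service principals whose instance is unqualified or is a CNAME alias."""
    findings = []
    for p in principals:
        svc_inst, _, _realm = p.partition("@")
        _service, _, inst = svc_inst.partition("/")
        if not inst:
            continue  # user principal, no host instance to check
        if "." not in inst:
            findings.append((p, "unqualified hostname"))
        elif (absolute := inst.lower().rstrip(".") + ".") in cnames:
            findings.append((p, f"alias; canonical name is {cnames[absolute].rstrip('.')}"))
    return findings
```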