Windows browse list w/ Kerberos

John Green green at blueheronbio.com
Thu Aug 8 18:22:04 EDT 2002


I thought it was pretty strange too.  Here are the records I used for my
DNS:

_kerberos		IN	TXT	"BHBTEST.COM"
_kerberos-master._udp	IN	SRV	0 0 88  kerb1
_kerberos-adm._tcp	IN	SRV	0 0 749 kerb1
_kpasswd._udp		IN	SRV	0 0 464 kerb1
_kerberos._udp		IN	SRV	0 0 88  kerb1
_ldap._tcp.bhbtest.com	IN	SRV	0 0 389 ldap1

Someone else replied to this thread, thinking that the KDC interfered with
"kerberized" daemons running on other machines, namely sshd.  I have sshd
running on several of my internal servers, including the Samba server.
Adding principals for these machines alone supposedly should do the trick.
This sounds reasonable to me, any thoughts?

Either way, I'm almost done configuring a Kerberos/LDAP machine that due to
necessity will become a production machine on the network by this time
tomorrow.  Just to make sure I think I will bring this on-line after normal
working hours.

-----Original Message-----
From: Steve Langasek [mailto:vorlon at dodds.net]
Sent: Thursday, August 08, 2002 2:50 PM
To: John Green
Cc: Kerberos (E-mail)
Subject: Re: Windows browse list w/ Kerberos


On Thu, Aug 08, 2002 at 02:32:57PM -0700, John Green wrote:
> Thanks for the input.  I realize that about the Samba version, and
> definitely no AD here (I wouldn't want to attempt trying to make Samba the
> master browser with a Win2K PDC around, perhaps a hardier soul might), but
> the Kerberos machine arriving on the network was definitely the cause; the
> Samba machine has been running for over a year, the only problem being the
> five minutes the Kerberos machine was on the network.

This seems terribly odd to me.  Did you do anything wrt configuring
Kerberos besides setting up a KDC on the Linux box?  I certainly don't
understand why the Win2K workstations were even *aware* of the presence of
the new Kerberos server, let alone negatively impacted by it.  Did you
configure SRV records for your domain pointing to the Linux server?

And BTW, trying to force Samba 2.2.1 to be a local master browser when
there's a Win2K domain controller on the network (it can be done) is a BAD
idea.

Steve Langasek
postmodern programmer
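
Added example, not part of the original thread: a small check that expands the zone-file records posted above into the fully qualified names a resolver would actually be asked for, and flags owner names that repeat the zone name without a trailing dot. The origin `bhbtest.com.` is an assumption (the thread gives only the realm name), and the expected ports are the conventional Kerberos/LDAP defaults; under that assumption the last record's owner expands to `_ldap._tcp.bhbtest.com.bhbtest.com.`.

```python
# Records as posted in the message; ORIGIN is assumed, not stated in the thread.
ORIGIN = "bhbtest.com."
ZONE = """\
_kerberos		IN	TXT	"BHBTEST.COM"
_kerberos-master._udp	IN	SRV	0 0 88  kerb1
_kerberos-adm._tcp	IN	SRV	0 0 749 kerb1
_kpasswd._udp		IN	SRV	0 0 464 kerb1
_kerberos._udp		IN	SRV	0 0 88  kerb1
_ldap._tcp.bhbtest.com	IN	SRV	0 0 389 ldap1
"""
# Conventional default ports for these service labels.
EXPECTED_PORT = {"_kerberos": 88, "_kerberos-master": 88,
                 "_kerberos-adm": 749, "_kpasswd": 464, "_ldap": 389}

def fqdn(name, origin=ORIGIN):
    """Master-file rule: a name without a trailing dot is relative to the origin."""
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse(zone, origin=ORIGIN):
    """Return one dict per record, with owner and SRV target fully qualified."""
    records = []
    for line in zone.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN":
            continue  # blank line, comment, or a form this sketch does not handle
        owner, _, rtype, *rdata = fields
        rec = {"raw_owner": owner, "owner": fqdn(owner, origin), "type": rtype}
        if rtype == "SRV" and len(rdata) == 4:
            rec.update(port=int(rdata[2]), target=fqdn(rdata[3], origin))
        elif rtype == "TXT":
            rec["text"] = " ".join(rdata).strip('"')
        records.append(rec)
    return records

def lint(records, origin=ORIGIN):
    """Flag doubled-origin owner names and SRV ports that differ from the defaults."""
    findings = []
    suffix = "." + origin.rstrip(".")
    for r in records:
        raw = r["raw_owner"].lower()
        if not raw.endswith(".") and raw.endswith(suffix):
            findings.append((r["owner"], "owner repeats the origin without a trailing dot"))
        want = EXPECTED_PORT.get(raw.split(".")[0])
        if r["type"] == "SRV" and want is not None and r.get("port") != want:
            findings.append((r["owner"], f"port {r.get('port')} differs from default {want}"))
    return findings

if __name__ == "__main__":
    for rec in parse(ZONE):
        print(rec["type"], rec["owner"], rec.get("target", rec.get("text")))
    for owner, problem in lint(parse(ZONE)):
        print("WARN", owner, problem)
```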





