Discover a Kerberos KDC
Nils Olav Selåsdal
noselasd at frisurf.no
Tue Aug 20 05:42:09 EDT 2002
> -----Original Message-----
> From: kerberos-admin at mit.edu [mailto:kerberos-admin at mit.edu]
> On Behalf Of Grau, Stephen
> Sent: Monday, August 19, 2002 9:01 PM
> To: kerberos at mit.edu
> Subject: RE: Discover a Kerberos KDC
>
>
> From the install guide:
>
> The second mechanism, recently introduced into the MIT code
> base but not currently used by default, works by looking up
> the information in special TXT records in the Domain Name
> Service. If this mechanism is enabled on the client, it will
> try to look up a TXT record for the DNS name formed by
> putting the prefix _kerberos in front of the hostname in
> question. If that record is not found, it will try using
> _kerberos and the host's domain name, then its parent domain,
> and so forth. So for the hostname
> BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:
>
>
>
> _kerberos.boston.engineering.foobar.com
> _kerberos.engineering.foobar.com
> _kerberos.foobar.com
> _kerberos.com
>
>
>
> The value of the first TXT record found is taken as the realm
> name. (Obviously, this doesn't work all that well if a host
> and a subdomain have the same name, and different realms.
> For example, if all the hosts in the ENGINEERING.FOOBAR.COM
> domain are in the ENGINEERING.FOOBAR.COM realm, but a host
> named ENGINEERING.FOOBAR.COM is for some reason in another
> realm. In that case, you would set up TXT records for all
> hosts, rather than relying on the fallback to the domain name.)
What do I put in the client's /etc/krb5.conf, having set up the DNS in
this way? When leaving out the information now found in DNS, Kerberos
apps just complain about lacking configuration/options.
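
The lookup order from the quoted install guide text, as an added example that is not part of the original post and is not MIT's code. It models the TXT lookup against a table of constructed records to show which record decides the realm, including the host/subdomain collision the guide mentions. The realm OTHER.FOOBAR.COM and the host newhost are assumptions made for illustration.

```python
# Added example: candidate-name generation and realm resolution for the
# _kerberos TXT lookup described in the quoted install guide text.
# DNS is modelled as a dict of constructed records so this runs offline.

def candidate_names(hostname):
    """Return the _kerberos names in the order the guide lists them."""
    labels = [l for l in hostname.lower().rstrip(".").split(".") if l]
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]

def lookup_realm(hostname, txt_records):
    """Return (realm, matched_name) for the first TXT record found.

    Returning the matched name lets an admin audit which record decided
    the realm. Returns (None, None) when no candidate has a record.
    """
    for name in candidate_names(hostname):
        realm = txt_records.get(name)
        if realm is not None:
            return realm, name
    return None, None

# Constructed records: one record for the whole domain.
DOMAIN_ONLY = {
    "_kerberos.engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
}

# Constructed records for the collision case: the host named
# engineering.foobar.com is in another realm (OTHER.FOOBAR.COM is a
# made-up name), so that name now carries the host's realm and every
# other host needs its own record.
PER_HOST = {
    "_kerberos.engineering.foobar.com": "OTHER.FOOBAR.COM",
    "_kerberos.boston.engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
}

if __name__ == "__main__":
    for host in ("boston.engineering.foobar.com",
                 "engineering.foobar.com",
                 "newhost.engineering.foobar.com"):  # newhost: no own record
        for label, table in (("domain-only", DOMAIN_ONLY),
                             ("per-host", PER_HOST)):
            realm, matched = lookup_realm(host, table)
            print(f"{host:32} {label:12} -> {realm} (via {matched})")
```

With the per-host table, newhost has no record of its own and falls back to the record that belongs to the colliding host, which is why the guide says to set up TXT records for all hosts in that situation.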