Kerberos configuration with external DNS server.

sam samwun at hgcbroadband.com
Thu May 27 23:16:46 EDT 2004


Douglas E. Engert wrote:

> 
> sam wrote:
> 
>>Hi,
>>
>>does anyone know why I get the following error:
>>root at fbsd [10:56am] [~]# kinit tillman
>>tillman at ROCK.COM's Password:
>>kinit: krb5_get_init_creds: unable to reach any KDC in realm ROCK.COM
>>root at fbsd [10:57am] [~]#
>>
>>I have written the following kerberos lines in a separate DNS server:
>>
>>kerberos                CNAME 192.168.1.1
>>
>>_kerberos               IN TXT  ROCK.COM
>>_kerberos._udp          IN SRV  0 0 88 kerberos.rock.com
> 
> Try 
> 
> _kerberos._udp.rock.com.  IN SRV 0 0 88 kerberos.rock.com
> 
>>_kerberos-master._udp   IN SRV  0 0 88 kerberos.rock.com
>>_kerberos-adm._tcp      IN SRV  0 0 749 kerberos.rock.com
>>_kpasswd._udp           IN SRV  0 0 464 kerberos.rock.com
> 
> Try nslookup
>  set type=ANY
>  _kerberos._udp.rock.com 
> 
> and see if your DNS server has the SRV records.
> From what I see from here, it does not.
> 
>>but pinging from another machine to the kerberos server fails, I'm not
>>sure if this is the problem. What is the correct way to set up DNS to
>>include kerberos configuration?
>>
>>Thanks
>>sam

It works now; the CNAME caused the problem. I changed the CNAME to:
kerberos    CNAME   fbsd

fbsd is the one pointing to the kerberos server.

Now I have another question with the expiry date of the ticket.
I tried to create a ticket for a user with an unlimited period, but klist showed
that it is a 1-day ticket only:

kadmin> add samwun
Max ticket life [1 day]:unlimited
Max renewable life [1 week]:unlimited
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
samwun at ROCK.COM's Password:
Verifying - samwun at ROCK.COM's Password:
kadmin> exit
root at fbsd [11:13am] [~]# kinit samwun
samwun at ROCK.COM's Password:
root at fbsd [11:13am] [~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: samwun at ROCK.COM

   Issued           Expires          Principal
May 28 11:13:15  May 28 21:13:15  krbtgt/ROCK.COM at ROCK.COM
root at fbsd [11:13am] [~]#

How can I make the expiry date unlimited? If it doesn't make sense to
kerberos, what would be a good policy for assigning the valid period
for each user?

Thanks
Sam.
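A small zone-fragment checker for the DNS records discussed in this thread, added here as an example and not part of the original mail. It parses a constructed sample modelled on the posted records (the fbsd A record and the trailing dots on the SRV targets are assumptions) and flags the CNAME that names an IP literal, plus any SRV target that cannot be followed to an address record.

```python
import ipaddress
# Constructed zone fragment modelled on the records posted in the thread; the "fbsd"
# A record is an assumption. Targets end with a dot so they are not relative to $ORIGIN.
ZONE_BROKEN = """\
fbsd                    IN A    192.168.1.1
kerberos                CNAME   192.168.1.1
_kerberos._udp          IN SRV  0 0 88  kerberos.rock.com.
_kerberos-adm._tcp      IN SRV  0 0 749 kerberos.rock.com.
_kpasswd._udp           IN SRV  0 0 464 kerberos.rock.com.
"""
ZONE_FIXED = ZONE_BROKEN.replace("CNAME   192.168.1.1", "CNAME   fbsd")  # the thread's fix
def absolute(name, origin):
    name = name.lower()  # a name without a trailing dot is relative to the zone origin
    return name if name.endswith(".") else f"{name}.{origin.lower()}."

def parse_zone(text, origin):
    records = {}  # {owner_fqdn: [(rrtype, rdata_tokens), ...]}; the IN class is optional
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0].startswith(";"):
            continue
        rest = tokens[2:] if tokens[1].upper() == "IN" else tokens[1:]
        records.setdefault(absolute(tokens[0], origin), []).append((rest[0].upper(), rest[1:]))
    return records

def is_ip_literal(value):
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False

def resolve_address(records, name, origin, hops=0):
    """Follow CNAMEs (at most 8) to an A/AAAA record; None if the chain dead-ends."""
    for rrtype, rdata in records.get(absolute(name, origin), []):
        if rrtype in ("A", "AAAA"):
            return rdata[0]
        if rrtype == "CNAME" and hops < 8:
            return resolve_address(records, rdata[0], origin, hops + 1)
    return None

def check_kerberos_zone(text, origin):
    """List the defects that would leave kinit 'unable to reach any KDC'."""
    records, problems = parse_zone(text, origin), []
    for owner, rrs in records.items():
        for rrtype, rdata in rrs:
            if rrtype == "CNAME" and is_ip_literal(rdata[0]):
                problems.append(f"{owner} CNAME names an IP literal; it must name a host")
            if rrtype == "SRV" and resolve_address(records, rdata[3], origin) is None:
                problems.append(f"{owner} SRV target {rdata[3]} does not resolve to an address")
    return problems
```

Running `check_kerberos_zone(ZONE_BROKEN, "rock.com")` reports the IP-literal CNAME and every SRV record whose target dead-ends on it, while the fixed fragment reports nothing.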
