Reading KDCs from DNS (multiple domain controllers and KDCs)

Jeffrey Altman jaltman2 at nyc.rr.com
Mon Apr 18 10:14:30 EDT 2005


Paweł wrote:

> I need to support a configuration with many Domain Controllers. I found
> that I can enter many KDCs in the krb5.conf file, e.g.:
> [realms]
> XYZ.INTERNAL.COM = {
> 	kdc = s1.xyz.internal.com:88
> 	kdc = s2.xyz.internal.com:88
> 	}
> Is it correct?

This is correct but does not take into account the difference between
a slave kdc and a master kdc.  The master_kdc would be listed as

	master_kdc =

The krb5.conf docs for MIT Kerberos release 1.4 are located here:

http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4/doc/krb5-admin.html#krb5.conf

> 
> I've heard that it is possible to read all domain controllers (and
> Kerberos KDCs) from DNS. Could you tell me how to do it? I found the
> parameter dns_lookup_kdc which is set in the krb5.conf file. Maybe it is the
> one used for that purpose?

DNS can be used to publish the locations of KDCs.  DNS will be used
if "dns_lookup_kdc" is not set to "0", "no", or "off", and there are no
"kdc" or "master_kdc" entries in the krb5.conf file.

http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4/doc/krb5-admin.html#Using%20DNS

> 
> Configuration:
>   KDC: Windows 2000 domain
>   User to be authenticated from: PC workstation with Oracle 9.2 with
> Advanced Security on Windows 2000 or XP
>   Service principal for: Oracle 9.2 with Advanced Security database on
> Tru64 UNIX v. 5.1

The krb5.conf file is called krb5.ini on Windows but it is only used
by applications which make use of MIT's Kerberos for Windows product.
If your applications are utilizing the Microsoft Kerberos SSP or some
other implementation you will need to look elsewhere for documentation.

> I will be thankful for any help.
> 
> Best regards,
> Pawel Ciborski

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
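A small model of the lookup rule described in the reply above (static kdc/master_kdc entries win; DNS SRV is consulted only when the realm has none and dns_lookup_kdc is not 0/no/off), added here as an example that is not from the thread or from MIT Kerberos. The krb5.conf text, the AD.EXAMPLE.COM realm and its SRV records are constructed; the SRV names _kerberos._tcp.REALM and _kerberos-master._tcp.REALM are the ones MIT Kerberos documents for DNS lookup, and the deterministic ordering by weight is a simplification of RFC 2782's weighted random choice.

```python
# Added model (not MIT code) of the KDC lookup rule from the thread: static kdc/
# master_kdc entries for a realm win; DNS SRV records are consulted only when the
# realm has none and dns_lookup_kdc is not 0/no/off. The resolver is a stub over
# constructed records (priority, weight, port, target), so nothing touches the network.
FAKE_SRV = {
    "_kerberos._tcp.AD.EXAMPLE.COM": [(10, 50, 88, "dc1.ad.example.com"),
                                      (0, 100, 88, "dc2.ad.example.com"),
                                      (10, 100, 88, "dc3.ad.example.com")],
    "_kerberos-master._tcp.AD.EXAMPLE.COM": [(0, 100, 88, "dc1.ad.example.com")],
}
# Constructed krb5.conf: XYZ.INTERNAL.COM is static; AD.EXAMPLE.COM has no block.
KRB5_CONF = """[libdefaults]
    dns_lookup_kdc = true
[realms]
    XYZ.INTERNAL.COM = {
        kdc = s1.xyz.internal.com:88
        kdc = s2.xyz.internal.com:88
        master_kdc = s1.xyz.internal.com:88
    }
"""

def parse_krb5_conf(text):
    # Minimal parser: [libdefaults] key = value and [realms] REALM = { key = value }.
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "realms" and line.endswith("{"):
            realm = line[:-1].split("=")[0].strip()
            realms[realm] = {}
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and realm:
                realms[realm].setdefault(key, []).append(value)
    return libdefaults, realms

def locate_kdcs(conf_text, realm, master=False, resolver=FAKE_SRV.get):
    """Return 'host:port' strings for the realm's KDCs (master KDCs if master=True)."""
    libdefaults, realms = parse_krb5_conf(conf_text)
    entries = realms.get(realm, {})
    if entries.get("kdc") or entries.get("master_kdc"):  # static config wins over DNS
        return entries.get("master_kdc" if master else "kdc") or entries.get("kdc", [])
    if libdefaults.get("dns_lookup_kdc", "true").lower() in ("0", "no", "off", "false"):
        return []  # nothing static and DNS disabled: the realm is unreachable
    name = f"_kerberos{'-master' if master else ''}._tcp.{realm}"
    # Lowest priority first; higher weight first stands in for RFC 2782's weighted pick.
    records = sorted(resolver(name) or [], key=lambda r: (r[0], -r[1]))
    return [f"{target}:{port}" for _, _, port, target in records]
```

Running locate_kdcs for XYZ.INTERNAL.COM returns the two static entries even though dns_lookup_kdc is on, while AD.EXAMPLE.COM is resolved from the SRV stub in priority order.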
