Kerberos referrals

Buck Huppmann buckh at pobox.com
Thu Nov 10 11:06:18 EST 2005


> This may be the real problem. If there was a way to update the GC to go
> to the default realm. Hey its LDAP. I asked around, and it looks like it
> could be possible but no one knows how to do it.

assuming you're talking about the default realm being a non-Windows-AD;

and if the client requests a ticket for a fully-qualified hostname instance
(seems to depend on whether they manage to resolve the host by DNS or
NetBIOS first);

and if you're talking Windows 2003 AD servers and you do that netdom.exe
/foresttransitive trust establishment stuff with the default realm;

and everything is in the right phase;

then you can netdom.exe /addtln:uk (as long as that doesn't conflict with
anything more specific already added to the namesuffixes list[s]) along
with all the other TLDs you care about, to that default-realm trustedDomain
object. (yeah, i can't seem to wildcard the root, in my experimenting)

see the tail end of

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/539c5381-db4f-445f-aac0-2df5448181c1.mspx

for this particular netdom [ab]usage

and, yes, i realize it's tedious and error-prone and maybe not at all the
tree you're barking up
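The netdom sequence sketched above, written out as an added illustration (not the poster's own commands, and not tied to any particular site). It assumes a Windows Server 2003 forest root named corp.example.com trusting a non-Windows Kerberos realm named EXAMPLE.ORG, run from an elevated prompt on a domain controller with the Support Tools (netdom.exe) installed; both names and the TLN list are placeholders. The defensive point is steps 1, 3 and 5: verify the trust and record the suffix list before and after the change, so the routing that ends up on the trustedDomain object is exactly the set of top-level names you intended.

```powershell
# Added example, not from the original post. Assumed names:
#   corp.example.com - the Windows 2003 AD forest root (trusting side)
#   EXAMPLE.ORG      - the non-Windows default Kerberos realm (trusted side)
$forest = 'corp.example.com'
$realm  = 'EXAMPLE.ORG'

# 1. Confirm the realm trust exists and that a Kerberos ticket can actually
#    be obtained across it before touching the routing list.
netdom trust $forest "/d:$realm" /verify /kerberos

# 2. Mark the realm trust forest-transitive; only then does the trustedDomain
#    object carry a name-suffix routing list for netdom to edit.
netdom trust $forest "/d:$realm" /foresttransitive:yes

# 3. Record the suffix list before the change (keep this output).
netdom trust $forest "/namesuffixes:$realm"

# 4. Route each top-level name that clients request service tickets under.
#    A TLN is rejected if it overlaps a more specific suffix already listed,
#    so add them one at a time and read the result of each call.
foreach ($tln in @('uk', 'de')) {   # placeholder TLNs
    netdom trust $forest "/d:$realm" "/addtln:$tln"
}

# 5. Re-list and confirm every suffix you added shows as enabled; an entry
#    that came back disabled can be flipped with /togglesuffix:<index>.
netdom trust $forest "/namesuffixes:$realm"
```

The flags used here (/verify, /kerberos, /foresttransitive, /namesuffixes, /togglesuffix, /addtln) are the documented netdom trust options from the Windows Server 2003 Support Tools; the script only wraps them in variables so the same sequence can be reviewed and re-run unchanged.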


More information about the Kerberos mailing list