Kerberos referrals
Buck Huppmann
buckh at pobox.com
Thu Nov 10 11:06:18 EST 2005
> This may be the real problem. If there was a way to update the GC to go
> to the default realm. Hey its LDAP. I asked around, and it looks like it
> could be possible but no one knows how to do it.
assuming you're talking about the default realm being a non-Windows-AD;
and if the client requests a ticket for a fully-qualified hostname in-
stance (seems to depend on whether they manage to resolve the host by DNS
or NetBIOS first);
and if you're talking Windows 2003 AD servers and you do that netdom.exe
/foresttransitive trust establishment stuff with the default realm;
and everything is in the right phase;
then you can netdom.exe /addtln:uk (as long as that doesn't conflict with
anything more specific already added to the namesuffixes list[s]) along
with all the other TLDs you care about, to that default-realm trustedDomain
object. (yeah, i can't seem to wildcard the root, in my experimenting)
see the tail end of
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/539c5381-db4f-445f-aac0-2df5448181c1.mspx
for this particular netdom [ab]usage
and, yes, i realize it's tedious and error-prone and maybe not at all the
tree you're barking up
More information about the Kerberos
mailing list