kerberos+sasl+openldap

Jeremy Thomas Hunt jeremyh at optimation.com.au
Wed Feb 15 18:23:50 EST 2006


Hi Arnoud,

Use of DNS is controlled via krb5.conf, with three directives. I looked 
at the MIT man page for krb5.conf. Note that this is different to the 
man page from vendors such as Sun, you should be looking at the file 
/krb5/man/man5/krb5.conf.5. In any case these directives are described 
in the libdefaults section and I reproduce this section from my man page 
here:

     dns_lookup_kdc
          Indicate whether DNS  SRV  records  should be  used  to
          locate  the KDCs and other servers for a realm, if they
          are not listed in the information for the  realm.   The
          default is to use these records.


     dns_lookup_realm
          Indicate whether DNS TXT  records  should  be  used  to
          determine the Kerberos realm of a host.  The default is
          not to use these records.


     dns_fallback
          General flag controlling the use of  DNS  for  Kerberos
          information.   If  both  of  the  preceding options are
          specified, this option has no effect.

We don't use DNS either and my krb5.conf file has the first two 
directives set to false. To help you understand this I include a 
doctored snippet from a krb5.conf I use:

------------x snip x-------------------
[libdefaults]
       default_realm = AWB.COM.AU
       dns_lookup_kdc = false
       dns_lookup_realm = false
-----------x snip x--------------------

From your description you probably only need dns_lookup_kdc, though if 
you are not using DNS at all, you probably need both.

I have no idea from the man page how to use the dns_fallback directive, 
but I don't seem to need it.

Good Luck,

Jeremy
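As an added example (not from the post, nor MIT code), the following Python parses a krb5.conf-style text and reports, per realm, whether a KDC can be located when dns_lookup_kdc is false, i.e. whether the realm lists its kdc explicitly; the realm names, hostnames and the sample config are constructed.

```python
# Added example, not from the post: a checker for the krb5.conf situation in the
# thread. Realm names, hostnames and the sample config are constructed.
import re

SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
    }
    LAB.EXAMPLE.COM = {
        admin_server = admin.lab.example.com
    }
"""

def parse_krb5_conf(text):
    """Parse [section] headers, key = value lines and NAME = { ... } blocks into
    {section: {key: [values] | {key: [values]}}}; repeated keys become lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None                      # end of a realm block
        elif re.search(r"=\s*\{$", line):
            block = section.setdefault(line.split("=", 1)[0].strip(), {})
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            (block if block is not None else section).setdefault(key, []).append(val)
    return conf

def kdc_sources(conf):
    """Per realm: 'config' if kdc lines are listed, 'dns' if dns_lookup_kdc is on
    (the MIT default), else 'unresolvable' (the kinit error from the thread)."""
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    dns_kdc = flag.lower() in ("true", "yes", "1")
    out = {}
    for realm, settings in conf.get("realms", {}).items():
        out[realm] = "config" if settings.get("kdc") else ("dns" if dns_kdc else "unresolvable")
    return out
```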

ATijssen at Ram.nl wrote:
>
> Hi,
>
> I recently started to install a central authentication server with 
> openldap, kerberos, sasl etc on a test server for starters. I installed 
> kerberos, but when I try to start kinit it returns an error stating:
>
> kinit(v5): Cannot resolve network address for KDC in requested realm while 
> getting initial credentials
>
> The server where kerberos is installed does not have a DNS entry, which 
> causes the problem I assume. Is it possible to circumvent this? Since 
> this is in testing phase I was hoping to get kinit started and kerberos 
> without adding an entry into the DNS. If this is possible how to proceed?
>
> Thnx,
> Arnoud
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos