kerberos+sasl+openldap
ATijssen@Ram.nl
ATijssen at Ram.nl
Mon Feb 20 03:16:51 EST 2006
Hi Jeremy,
Thanx, that did the trick. Now I can continue with Cyrus etc.
Greetz,
Arnoud
Jeremy Thomas Hunt <jeremyh at optimation.com.au>
16-02-2006 00:23
To
ATijssen at Ram.nl
cc
kerberos at mit.edu
Subject
Re: kerberos+sasl+openldap
Hi Arnoud,
Use of DNS is controlled via krb5.conf, with three directives. I looked
at the MIT man page for krb5.conf. Note that this is different to the
man page from vendors such as Sun, you should be looking at the file
/krb5/man/man5/krb5.conf.5. In any case these directives are described
in the libdefaults section and I reproduce this section from my man page
here:
dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to
locate the KDCs and other servers for a realm, if they
are not listed in the information for the realm. The
default is to use these records.
dns_lookup_realm
Indicate whether DNS TXT records should be used to
determine the Kerberos realm of a host. The default is
not to use these records.
dns_fallback
General flag controlling the use of DNS for Kerberos
information. If both of the preceding options are
specified, this option has no effect.
We don't use DNS either and my krb5.conf file has the first two
directives set to false. To help you understand this I include a
doctored snippet from a krb5.conf I use:
------------x snip x-------------------
[libdefaults]
default_realm = AWB.COM.AU
dns_lookup_kdc = false
dns_lookup_realm = false
-----------x snip x--------------------
From your description you probably only need dns_lookup_kdc, though if
you are not using DNS at all, you probably need both.
I have no idea from the man page how to use the dns_fallback directive,
but I don't seem to need it.
Good Luck,
Jeremy
ATijssen at Ram.nl wrote:
> [safeTgram (optim1) receive status: NOT encrypted, NOT signed.]
>
>
> Hi,
>
> I recently started to install a central authentication server with
> openldap, kerberos, sasl etc on a test server for starters. I installed
> kerberos, but when I try to start kinit it returns an error stating:
>
> kinit(v5): Cannot resolve network address for KDC in requested realm
while
> getting initial credentials
>
> The server where kerberos is installed does not have a DNS entry, which
> causes the problem I assume. Is it possible to cicrcumvent this? Since
> this is in testing phase I was hoping to get kinit started and kerberos
> without adding an entry into the DNS. If this is possible how to
proceed?
>
> Thnx,
> Arnoud
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
dns_lookup_realm = false
dns_lookup_kdc = false
>
>
>
More information about the Kerberos
mailing list