Kerberos <-> Microsoft Active Directory & DNS
Morten Sylvest Olsen
mortenolsen at gmail.com
Wed Jan 28 05:38:30 EST 2009
Hi,

I have an issue integrating Kerberos to AD. I believe they have an
error in their DNS setup (based on the amount of trouble I've had
through the years with Active Directory and DNS, yuck), but I'd like a
second opinion before I yell at the AD admins.

The problem is that a number of AD servers in a sub-domain/sub-realm
resolve to a name in a higher-level domain when doing a reverse
lookup.

I.e. ad1.ext.domain.org -> 1.2.3.4

When doing a reverse lookup on 1.2.3.4 I'd get ad1.domain.org

This fools Kerberos and it tries to get a key for ldap/ad1.domain.org
instead of ldap/ad1.ext.domain.org (MIT Kerberos 1.6.1 on Red Hat Linux
5).

I can work around it by messing with /etc/hosts, of course.

Does anyone know whether this is a "supported" configuration for
Kerberos?
/Morten
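
Added example, not part of the original post: a small audit that, for each host, compares the service principal a client intends to use with the one it would build after a forward and then reverse lookup, flagging the mismatch described above. The record tables are constructed from the post's example names, the function names are hypothetical, and the no-PTR fallback is a simplifying assumption; pass the pair returned by `system_resolver()` to `audit` to check live DNS instead.

```python
import socket

# Constructed sample records mirroring the post's example (not real data).
FORWARD = {"ad1.ext.domain.org": "1.2.3.4", "ad2.ext.domain.org": "1.2.3.5"}
REVERSE = {"1.2.3.4": "ad1.domain.org.", "1.2.3.5": "ad2.ext.domain.org."}

def system_resolver():
    """Lookup functions backed by the host's resolver (for live use)."""
    def fwd(name):
        try:
            return socket.gethostbyname(name)
        except OSError:
            return None
    def rev(addr):
        try:
            return socket.gethostbyaddr(addr)[0]
        except OSError:
            return None
    return fwd, rev

def check_spn(service, host, fwd, rev):
    """Compare the intended SPN with the one built from the PTR name."""
    expected = f"{service}/{host.rstrip('.').lower()}"
    result = {"host": host, "expected": expected, "requested": None}
    addr = fwd(host)
    if addr is None:
        result["status"] = "no-forward"
        return result
    ptr = rev(addr)
    # Assumption: with no PTR record the forward name is used unchanged.
    name = ptr if ptr else host
    result["requested"] = f"{service}/{name.rstrip('.').lower()}"
    if ptr is None:
        result["status"] = "no-ptr"
    else:
        result["status"] = "ok" if result["requested"] == expected else "mismatch"
    return result

def audit(service, hosts, fwd=None, rev=None):
    """Check every host; defaults to the constructed tables above."""
    fwd = fwd or FORWARD.get
    rev = rev or REVERSE.get
    return [check_spn(service, h, fwd, rev) for h in hosts]

if __name__ == "__main__":
    for r in audit("ldap", ["ad1.ext.domain.org", "ad2.ext.domain.org"]):
        print(f"{r['status']:9} expected={r['expected']} requested={r['requested']}")
```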