Kerberos <-> Microsoft Active Directory & DNS
Christopher D. Clausen
cclausen at acm.org
Thu Jan 29 10:00:07 EST 2009
Michael B Allen <ioplex at gmail.com> wrote:
> In general, both the MIT and Heimdal clients are not optimized for a
> Windows environment. We have an AD integration product that uses
> Heimdal that we made a lot of changes to try to better emulate Windows
> behavior.
Please just stop trying to sell folks your product using this list.
-----
It sounds like all this guy needs is proper [domain_realm settings] in
krb5.conf and possibly a proper [capaths] section if a realm trust is
involved. (It's not clear to me if there is just a single realm or not.)
It sounds like AD is configured to do dynamic DNS for A record
registration but is not authoritative for PTR registration and this is
causing problems b/c AD thinks the name should be in one domain and in
reality the PTR is in another. (We have the exact same problem where I
work.) I think the solution is to ignore the AD name and use the fqdn
that the reverse lookup returns.
If you join #kerberos on the Freenode IRC network there are folks there
who would be willing to try and help for free and NOT try and sell you
some Active Directory integration product.
<<CDC
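The [domain_realm] mapping and the PTR-name workaround the reply describes, as an added example that is not part of the original mail or of any named product. The krb5.conf entries, host names and realms are constructed; the lookup follows MIT krb5's longest-suffix rule for [domain_realm] (exact host entry first, then the most specific ".domain" entry, then the upper-cased parent domain).

```python
"""Constructed example: resolve a host to its Kerberos realm the way a
[domain_realm] section does, and flag hosts whose AD-registered name and
PTR name disagree so the PTR-derived fqdn can be used instead."""
import socket
from typing import Dict, Optional

# Constructed krb5.conf [domain_realm] mappings (not from the original mail).
DOMAIN_REALM: Dict[str, str] = {
    ".corp.example.com": "CORP.EXAMPLE.COM",      # zone AD registers A records in
    ".lab.example.com": "LAB.EXAMPLE.COM",        # zone authoritative for the PTRs
    "legacy.corp.example.com": "LAB.EXAMPLE.COM",  # exact-host override
}


def realm_for_host(fqdn: str, mapping: Dict[str, str] = DOMAIN_REALM) -> str:
    """Exact host entry wins, then the longest matching '.domain' entry;
    with no match, fall back to the upper-cased parent domain."""
    host = fqdn.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    best: Optional[str] = None
    for key in mapping:
        if key.startswith(".") and host.endswith(key):
            if best is None or len(key) > len(best):
                best = key
    if best is not None:
        return mapping[best]
    return host.split(".", 1)[1].upper() if "." in host else host.upper()


def choose_service_host(ad_name: str, ptr_name: Optional[str]) -> dict:
    """Prefer the PTR name over the name AD handed out (the reply's
    workaround) and report whether that changes the realm."""
    ad = ad_name.rstrip(".").lower()
    ptr = ptr_name.rstrip(".").lower() if ptr_name else None
    chosen = ptr or ad
    ad_realm, chosen_realm = realm_for_host(ad), realm_for_host(chosen)
    return {"host": chosen, "realm": chosen_realm,
            "mismatch": ptr is not None and ptr != ad,
            "realm_changed": ad_realm != chosen_realm}


def reverse_name(ip: str) -> Optional[str]:
    """Live PTR lookup for a host's address; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


if __name__ == "__main__":
    # Constructed pair: AD says corp zone, the PTR says lab zone.
    print(choose_service_host("fs1.corp.example.com", "fs1.lab.example.com"))
```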