Query - How to determine the KDC

Rick van Rein rick at openfortress.nl
Fri Jan 31 10:29:02 EST 2014


Hi,

> Hope this isn't a silly question. Is there a command/tool that tells us
> which is the KDC for a particular realm ?

You’d normally guess that the realm name is a DNS name, as is suggested in manuals, and then look it up (no lowercase casting necessary, as DNS is agnostic to case).  You look up the _kerberos TXT record for confirmation that it matches the realm name.

Note 1. Characters in TXT records are case-insensitive too, even if they are usually served in the same case as in the zone file; so any letter is interpreted as uppercase, unless modified (I think there was a prefix char such as an underscore to map the next char to lowercase).  This is a bit silly because DNS names are not, and Kerberos realm names are case sensitive.  The common uppercase notation for realms is given the preferential notation without escapes.

Note 2. This lookup is as reliable as your DNS; in other words, you probably want to ensure that DNSSEC is being used if what you are doing with the information could have any security implication.

-Rick
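
Added example, not part of the message above and not code from the Kerberos project: a Python check over the text output of `dig +dnssec TXT _kerberos.<realm>` that confirms the TXT value matches the realm and reports whether the resolver set the AD (DNSSEC-validated) flag. The function names and both sample outputs are constructed for illustration, and the exact-match comparison of the TXT value is an assumption.

```python
import re

# Constructed samples of `dig +dnssec TXT _kerberos.example.com` output (not real data).
SAMPLE_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_kerberos.example.com. 3600 IN TXT "EXAMPLE.COM"
_kerberos.example.com. 3600 IN RRSIG TXT 8 3 3600 20140301000000 20140130000000 12345 example.com. c2lnbmF0dXJl
"""
SAMPLE_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_kerberos.example.com. 3600 IN TXT "EXAMPLE.COM"
"""


def query_name(realm):
    """Owner name to query: the realm read as a DNS name (no case folding needed)."""
    return "_kerberos." + realm.rstrip(".") + "."


def check_realm_txt(realm, dig_output):
    """Parse dig output; report the TXT values, realm match and the AD flag."""
    flags = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    # AD is only meaningful if the path to the validating resolver is trusted.
    validated = bool(flags) and "ad" in flags.group(1).split()
    owner = query_name(realm).lower()  # DNS owner names compare case-insensitively
    values = []
    for line in dig_output.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # skip dig comments and blank lines
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[3] == "TXT" and fields[0].lower() == owner:
            values.extend(re.findall(r'"([^"]*)"', fields[4]))
    return {
        "txt_values": values,
        # Assumption: the TXT value carries the realm in its usual uppercase form.
        "realm_confirmed": realm in values,
        "dnssec_validated": validated,
    }


if __name__ == "__main__":
    print(check_realm_txt("EXAMPLE.COM", SAMPLE_SIGNED))
    print(check_realm_txt("EXAMPLE.COM", SAMPLE_UNSIGNED))
```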

