Mimicking AD's Kerberos Forest Search Order (KFSO) with MIT Kerberos

Sean Elble elbles at sessys.com
Wed Mar 15 11:44:35 EDT 2017


On Mar 15, 2017, at 10:56 AM, Osipov, Michael <michael.osipov at siemens.com> wrote:
> 
> Both aren't an option:
> 
> 1. TXT records are unknown to Windows as all host to realm mapping is
> performed by the domain controller by querying the global catalog

But you could still add TXT records to your domain controllers (assuming they are your DNS servers for UNIX systems as well), correct?  They'd simply point the clients (your FreeBSD/HP-UX/RHEL 6 boxes) at the correct realm for a given host name (e.g., _kerberos.app.workspace.company.com -> AD001.COMPANY.NET).

If the problem were with Windows clients, I'd certainly concede your point, but if your clients are *NIX boxes running MIT Kerberos, wouldn't this be a legitimate option?

Apologies if I'm misunderstanding the situation.

> 2. This applies only if your KDC is MIT Kerberos. All of our KDCs
> are Active Directory servers. We use MIT Kerberos only for clients.
> 
> Michael
> 
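As an added illustration (not code from the thread or from MIT Kerberos), this Python sketch mirrors the order a MIT Kerberos client uses to map a host name to a realm: [domain_realm] entries first, then, only if dns_lookup_realm is enabled in krb5.conf, TXT lookups walking from _kerberos.<host> up through its parent domains. The TXT zone and the [domain_realm] entries below are constructed, using Sean's _kerberos.app.workspace.company.com -> AD001.COMPANY.NET record as one of them.

```python
# Constructed stand-in for the DNS TXT records Sean suggests adding to the DCs.
TXT_ZONE = {
    "_kerberos.app.workspace.company.com": "AD001.COMPANY.NET",
    "_kerberos.company.com": "COMPANY.NET",
}

# Constructed [domain_realm] section of a client's krb5.conf; a leading dot
# matches a whole domain, an entry without one matches a single host.
DOMAIN_REALM = {
    "legacy.company.com": "LEGACY.COMPANY.NET",
    ".hpux.company.com": "UNIX.COMPANY.NET",
}


def lookup_txt(name, zone=TXT_ZONE):
    """Stand-in for a DNS TXT query: returns the realm string or None."""
    return zone.get(name.lower().rstrip("."))


def domain_realm_lookup(host, mapping=DOMAIN_REALM):
    """[domain_realm] rules: exact host first, then parent domains with a leading dot."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def dns_txt_realm(host, zone=TXT_ZONE):
    """Query _kerberos.<host>, then _kerberos.<each parent domain>, until one answers."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        realm = lookup_txt("_kerberos." + ".".join(labels[i:]), zone)
        if realm:
            return realm
    return None


def host_realm(host, mapping=DOMAIN_REALM, zone=TXT_ZONE, dns_lookup_realm=True):
    """Realm the client picks: krb5.conf mapping first, DNS only when enabled, else None."""
    realm = domain_realm_lookup(host, mapping)
    if realm is None and dns_lookup_realm:
        # Plain DNS answers are unauthenticated unless the resolver validates DNSSEC,
        # which is why dns_lookup_realm is off by default in MIT Kerberos.
        realm = dns_txt_realm(host, zone)
    return realm
```

With dns_lookup_realm left at its default of false, a host with no [domain_realm] entry gets no mapping here, which is the case in which a MIT client falls back to KDC referrals rather than a TXT record.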
More information about the Kerberos mailing list