Mimicking AD's Kerberos Forest Search Order (KFSO) with MIT Kerberos
Osipov, Michael
michael.osipov at siemens.com
Thu Mar 16 05:08:32 EDT 2017
> On Mar 15, 2017, at 10:56 AM, Osipov, Michael <michael.osipov at siemens.com>
> wrote:
> >
> > Both aren't an option:
> >
> > 1. TXT records are unknown to Windows and all host to realm mapping is
> > performed by the domain controller by querying the global catalog
>
> But you could still add TXT records to your domain controllers (assuming
> they are your DNS servers for UNIX systems as well), correct? They'd
> simply point the clients (your FreeBSD/HP-UX/RHEL 6 boxes) at the correct
> realm for a given host name (e.g., _kerberos.app.workspace.company.com ->
> AD001.COMPANY.NET).
>
> If the problem were with Windows clients, I'd certainly concede your
> point, but if your clients are *NIX boxes running MIT Kerberos, wouldn't
> this be a legitimate option?
We are in full control of DNS, but I cannot make any changes. I am a peasant
in a 300 000-people-company. Everything is administered centrally.
Even if I could, TXT has no clear notion on Windows/Active Directory.
> Apologies if I'm misunderstanding the situation.
No need to apologize!
Michael
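As an added example, not part of the original thread, the following Python script mimics how an MIT Kerberos client maps a host name to a realm: the static `[domain_realm]` section of krb5.conf is consulted first, and only if `dns_lookup_realm` is enabled does the client walk `_kerberos.<host>` TXT records up the DNS hierarchy, as the quoted suggestion describes. The DNS records and the `[domain_realm]` table are constructed sample data; the host names and realm names are taken from the message, and the walk is a simplified model of the library's behaviour rather than its code.

```python
"""Simplified model of MIT krb5 host-to-realm resolution (constructed example)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample DNS zone: TXT records keyed by fully qualified owner name.
# These are the records the quoted message proposes the DNS admins add.
SAMPLE_TXT_RECORDS: Dict[str, str] = {
    "_kerberos.app.workspace.company.com.": "AD001.COMPANY.NET",
    "_kerberos.company.com.": "COMPANY.NET",
}

# Constructed sample [domain_realm] table, as it would appear in krb5.conf.
# A leading '.' matches a domain and its subdomains; no leading '.' is an exact host.
SAMPLE_DOMAIN_REALM: Dict[str, str] = {
    ".legacy.company.com": "LEGACY.COMPANY.NET",
    "db01.company.com": "DB.COMPANY.NET",
}


def normalize(host: str) -> str:
    """Lower-case the host and drop a trailing dot; krb5.conf expects lower case."""
    return host.lower().rstrip(".")


def domain_realm_lookup(host: str, table: Dict[str, str]) -> Optional[str]:
    """Static mapping: exact host first, then the nearest enclosing '.domain' entry."""
    h = normalize(host)
    if h in table:
        return table[h]
    labels = h.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


def dns_txt_realm_lookup(host: str, txt_records: Dict[str, str]) -> Optional[str]:
    """DNS walk: _kerberos.<host>, then _kerberos.<parent>, ... until a TXT record hits."""
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        owner = "_kerberos." + ".".join(labels[i:]) + "."
        if owner in txt_records:
            return txt_records[owner]
    return None


def resolve_realm(
    host: str,
    domain_realm: Dict[str, str] = SAMPLE_DOMAIN_REALM,
    txt_records: Dict[str, str] = SAMPLE_TXT_RECORDS,
    dns_lookup_realm: bool = True,
) -> Tuple[Optional[str], Optional[str]]:
    """Return (realm, source). Static config wins; DNS is consulted only when enabled.

    MIT krb5 ships with dns_lookup_realm = false because TXT answers are not
    authenticated; an attacker who can spoof DNS could steer clients to a realm
    of their choosing. When nothing matches, the real library falls back to the
    default realm or to KDC referrals; here we simply return (None, None).
    """
    realm = domain_realm_lookup(host, domain_realm)
    if realm:
        return realm, "domain_realm"
    if dns_lookup_realm:
        realm = dns_txt_realm_lookup(host, txt_records)
        if realm:
            return realm, "dns_txt"
    return None, None


def to_zone_lines(txt_records: Dict[str, str]) -> List[str]:
    """Render the TXT records as zone-file lines a DNS administrator would add."""
    return [f'{owner} IN TXT "{realm}"' for owner, realm in sorted(txt_records.items())]


if __name__ == "__main__":
    for h in ("app.workspace.company.com", "web.workspace.company.com",
              "host.legacy.company.com", "db01.company.com"):
        print(h, "->", resolve_realm(h))
    print("\n".join(to_zone_lines(SAMPLE_TXT_RECORDS)))
```

Running it shows the precedence the thread turns on: hosts covered by a `[domain_realm]` entry never touch DNS, while `web.workspace.company.com` has no exact TXT record and is caught by the `_kerberos.company.com` record higher up the tree. Turning `dns_lookup_realm` off leaves such hosts unmapped, which is the situation the poster is in when the DNS zone cannot be changed.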