[38311] in Kerberos


Re: CNAMEs instead of explicit host names

daemon@ATHENA.MIT.EDU (Karl Kornel)
Fri Aug 24 16:53:54 2018

From: Karl Kornel <akkornel@stanford.edu>
To: "cory@albrecht.name" <cory@albrecht.name>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Fri, 24 Aug 2018 20:53:25 +0000
Message-ID: <04C82E80-CD7E-4B19-B031-1ED69ED47CD9@stanford.edu>
In-Reply-To: <CAMW5rY+KHiw23aeOi9sbtho1L+-Q9v+ecB9xTiOWAKChc3QNwg@mail.gmail.com>

On 8/24/18, 1:48 PM, "kerberos-bounces@mit.edu on behalf of Cory Albrecht" <kerberos-bounces@mit.edu on behalf of cory@albrecht.name> wrote:

    Am I going to run into any trouble if I use a CNAME that redirects to my KDCs'
    actual hostnames instead of explicitly listing all of them in krb5.conf on
    the clients? That way I wouldn't have to copy new krb5.confs to the client
    hosts, just update the DNS entry.
    ________________________________________________
    Kerberos mailing list           Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
    
We do something similar; check out the krb5.conf linked at https://uit.stanford.edu/service/kerberos/unix_install

krb5auth[1,2,3].stanford.edu are CNAMEs to whichever KDC we want people to query first/second/third.  

--
A. Karl Kornel | System Administrator
Research Computing | Stanford University
+1 (650) 736-9327

