[30654] in Kerberos


Kerberos <-> Microsoft Active Directory & DNS

daemon@ATHENA.MIT.EDU (Morten Sylvest Olsen)
Wed Jan 28 15:07:25 2009

From: Morten Sylvest Olsen <mortenolsen@gmail.com>
Date: Wed, 28 Jan 2009 02:38:30 -0800 (PST)
Message-ID: <547ffb28-1d6a-4d93-b5e2-caee34820538@i20g2000prf.googlegroups.com>
To: kerberos@mit.edu

Hi,

I have an issue integrating Kerberos with AD. I believe they have an
error in their DNS setup (based on the amount of trouble I've had
through the years with Active Directory and DNS, yuck), but I'd like a
second opinion, before I yell at the AD admins.

The problem is that a number of AD servers in a sub-domain/sub-realm
resolve to a name in a higher-level domain when doing a reverse
lookup.

I.e. ad1.ext.domain.org -> 1.2.3.4
When doing a reverse lookup on 1.2.3.4 I'd get ad1.domain.org

This fools Kerberos and it tries to get a key for ldap/ad1.domain.org
instead of ldap/ad1.ext.domain.org (MIT Kerberos 1.6.1 on Red Hat Linux
5)

I can work around it by messing with /etc/hosts, of course.

Does anyone know whether this is a "supported" configuration for
Kerberos?

/Morten



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
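
An added example, not part of the original post: a check that walks each server name forward to its addresses and back through reverse DNS, and reports where a client that canonicalises the host via the PTR record would request a different service principal than the one expected. The forward-then-reverse model is a simplifying assumption, and `ad2.ext.domain.org` / `1.2.3.5` are constructed sample values alongside the names quoted in the post.

```python
import socket

def _system_forward(name):
    # All addresses the system resolver returns for the name.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

def _system_reverse(addr):
    # PTR name for the address, or None when no reverse record exists.
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def _norm(name):
    # DNS names compare case-insensitively; drop the root dot.
    return name.rstrip(".").lower()

def check_host(service, fqdn, forward=_system_forward, reverse=_system_reverse):
    """Compare the expected principal with the one a client that
    canonicalises through reverse DNS would request (assumed model)."""
    findings = []
    for addr in forward(fqdn):
        ptr = reverse(addr)
        canon = _norm(ptr) if ptr else _norm(fqdn)  # no PTR: name is kept
        findings.append({
            "address": addr,
            "ptr": ptr,
            "expected": f"{service}/{_norm(fqdn)}",
            "requested": f"{service}/{canon}",
            "mismatch": canon != _norm(fqdn),
        })
    return findings

# Constructed sample data: ad1 mirrors the post, ad2 is a consistent control.
SAMPLE_A = {"ad1.ext.domain.org": ["1.2.3.4"], "ad2.ext.domain.org": ["1.2.3.5"]}
SAMPLE_PTR = {"1.2.3.4": "ad1.domain.org.", "1.2.3.5": "ad2.ext.domain.org."}

def check_sample(fqdn):
    # Runs the check offline against the constructed tables above.
    return check_host("ldap", fqdn, SAMPLE_A.__getitem__, SAMPLE_PTR.get)

if __name__ == "__main__":
    for host in SAMPLE_A:
        for f in check_sample(host):
            flag = "MISMATCH" if f["mismatch"] else "ok"
            print(f"{flag:8} {host} -> {f['address']} -> {f['ptr']}: "
                  f"expected {f['expected']}, requested {f['requested']}")
```

Calling `check_host("ldap", name)` without the last two arguments uses the system resolver, so the same check can be run against the real server names from the affected client.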
