[30659] in Kerberos
Re: Kerberos <-> Microsoft Active Directory & DNS
daemon@ATHENA.MIT.EDU (Christopher D. Clausen)
Thu Jan 29 10:00:48 2009
Message-ID: <376C117F4612491EBB644CACCCC5BF2B@CDCHOME>
From: "Christopher D. Clausen" <cclausen@acm.org>
To: <kerberos@mit.edu>
Date: Thu, 29 Jan 2009 09:00:07 -0600
Michael B Allen <ioplex@gmail.com> wrote:
> In general, both the MIT and Heimdal clients are not optimized for a
> Windows environment. We have an AD integration product that uses
> Heimdal that we made a lot of changes to try to better emulate Windows
> behavior.
Please just stop trying to sell folks your product using this list.
-----
It sounds like all this guy needs is proper [domain_realm] settings in
krb5.conf and possibly a proper [capaths] section if a realm trust is
involved. (It's not clear to me if there is just a single realm or not.)
It sounds like AD is configured to do dynamic DNS for A record
registration but is not authoritative for PTR registration and this is
causing problems b/c AD thinks the name should be in one domain and in
reality the PTR is in another. (We have the exact same problem where I
work.) I think the solution is to ignore the AD name and use the fqdn
that the reverse lookup returns.
If you join #kerberos on the Freenode IRC network there are folks there
who would be willing to try and help for free and NOT try and sell you
some Active Directory integration product.
<<CDC
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
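An added example, not part of the original message: a simplified model of how `[domain_realm]` entries in krb5.conf map a hostname to a realm, run against both the AD-registered name and the PTR name of one machine. All host, domain and realm names are constructed, and the matching follows the krb5.conf documentation (exact host entry first, then the most specific `.domain` entry) rather than any particular client's code.

```python
# Added example: simplified model of krb5.conf [domain_realm] matching.
# All host, domain and realm names below are constructed for illustration.

SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM

[domain_realm]
    .ad.example.com = AD.EXAMPLE.COM
    .campus.example.edu = AD.EXAMPLE.COM
    legacy.campus.example.edu = UNIX.EXAMPLE.EDU
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a {name: REALM} dict."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_section = (line == "[domain_realm]")
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping

def realm_for_host(fqdn, mapping):
    """Exact host entry wins; otherwise the most specific '.domain' entry."""
    host = fqdn.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # no rule: the client falls back to its default behaviour

def compare_names(ad_name, ptr_name, conf_text=SAMPLE_KRB5_CONF):
    """Show which realm each name of the same machine maps to."""
    mapping = parse_domain_realm(conf_text)
    return {"ad": realm_for_host(ad_name, mapping),
            "ptr": realm_for_host(ptr_name, mapping)}

if __name__ == "__main__":
    print(compare_names("web1.ad.example.com", "web1.campus.example.edu"))
    print(compare_names("web1.ad.example.com", "web1.dhcp.example.net"))
```

A PTR name that maps to `None` or to a different realm than the AD name is the case where a `[domain_realm]` entry for the reverse-lookup domain is missing.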