[30254] in Kerberos
Windows Client resolve Realm KDC over DNS
daemon@ATHENA.MIT.EDU (Andrin Vocat)
Thu Aug 28 12:09:18 2008
Message-Id: <48B6E994.90C0.0063.0@novell.com>
Date: Thu, 28 Aug 2008 17:08:21 +0100
From: "Andrin Vocat" <avocat@novell.com>
To: <kerberos@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hello,

I read some threads with the same problem but without any solution, so I will try it again.

Today we have four completely separated Active Directories with thousands of clients. I implemented a MIT KDC to build a shared resource realm for SSO. Now I want to deploy that to all clients.

The client sends a TGS to its AD controller, and the DC sends a referral with the resource realm. At this point the client needs to evaluate which KDC is responsible for the realm. The easiest way is to configure it on the client (ksetup /AddKdc [Realm] [KDC]). If there is no configuration, the client tries to resolve the KDC over DNS (SRV _kerberos._tcp.dc._msdcs.[domain]). ksetup on each client would take a long time and be a lot of work.

I added this DNS entry with a pointer to the KDC. The client resolved it successfully and then does a CLDAP query -> no response (or ICMP). I read that a CLDAP query is something like an AD ping, to check if the AD is responsible for the domain and available.

Is there a way to switch this setting off (CLDAP query)? Or could I emulate the required response, for example with Samba?

Any ideas?

Regards
Andrin Vocat

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
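As an added diagnostic, not part of the post above or of any MIT/Novell code: the script builds the CLDAP "LDAP ping" (the SearchRequest for the Netlogon attribute described in MS-ADTS 6.3.3) that a Windows client sends after resolving the SRV record named above, and reports whether a given host answers it at all, which reproduces the "no response" stage the poster observed. The domain name, host and NtVer flags value are constructed placeholders.

```python
"""Build and send the CLDAP LDAP ping a Windows client issues to a KDC it
discovered via _kerberos._tcp.dc._msdcs.<domain>.  All names are examples."""
import socket
import struct


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Minimal BER encoder: definite-length TLV, short or long length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lbytes)]) + lbytes
    return bytes([tag]) + length + content


def srv_name(dns_domain: str) -> str:
    """SRV owner name the client queries before the ping (from the post)."""
    return f"_kerberos._tcp.dc._msdcs.{dns_domain}"


def ldap_ping_request(dns_domain: str, nt_ver: int = 0x00000006, msg_id: int = 1) -> bytes:
    """LDAPMessage{SearchRequest}: empty base DN, scope baseObject, filter
    (&(DnsDomain=<domain>)(NtVer=<flags>)), attribute Netlogon.
    nt_ver is an assumed flags value (NETLOGON_NT_VERSION_5 | _5EX)."""
    def eq(attr: bytes, val: bytes) -> bytes:          # [3] equalityMatch
        return ber_tlv(0xA3, ber_tlv(0x04, attr) + ber_tlv(0x04, val))
    filt = ber_tlv(0xA0, eq(b"DnsDomain", dns_domain.encode())   # [0] and
                   + eq(b"NtVer", struct.pack("<I", nt_ver)))
    search = ber_tlv(0x63,                                     # [APPLICATION 3]
        ber_tlv(0x04, b"") + ber_tlv(0x0A, b"\x00") + ber_tlv(0x0A, b"\x00")
        + ber_tlv(0x02, b"\x00") + ber_tlv(0x02, b"\x00") + ber_tlv(0x01, b"\x00")
        + filt + ber_tlv(0x30, ber_tlv(0x04, b"Netlogon")))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + search)


def ldap_ping(host: str, dns_domain: str, timeout: float = 2.0) -> bool:
    """Send the ping over UDP/389 (CLDAP). True only if the host replies at all;
    a MIT KDC with no CLDAP listener stays silent, which is the observed symptom."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(ldap_ping_request(dns_domain), (host, 389))
        try:
            return len(s.recv(4096)) > 0
        except socket.timeout:
            return False


if __name__ == "__main__":
    # Placeholder host and domain; replace with the KDC returned by srv_name().
    print(srv_name("example.com"), ldap_ping("kdc.example.com", "example.com"))
```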