[37902] in Kerberos
RE: Mimicking AD's Kerberos Forest Search Order (KFSO) with MIT
daemon@ATHENA.MIT.EDU (Osipov, Michael)
Thu Mar 16 05:09:11 2017
From: "Osipov, Michael" <michael.osipov@siemens.com>
To: Sean Elble <elbles@sessys.com>
Date: Thu, 16 Mar 2017 09:08:32 +0000
Message-ID: <68644224DA0DE64CA5A49838ED219A0425C0F37E@DEFTHW99EJ5MSX.ww902.siemens.net>
In-Reply-To: <64F410C4-F1D5-4583-A171-38FF3CCA171C@sessys.com>
Content-Language: de-DE
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> On Mar 15, 2017, at 10:56 AM, Osipov, Michael <michael.osipov@siemens.com>
> wrote:
> >
> > Both aren't an option:
> >
> > 1. TXT records are unknown to Windows and all host-to-realm mapping is
> > performed by the domain controller by querying the global catalog
>
> But you could still add TXT records to your domain controllers (assuming
> they are your DNS servers for UNIX systems as well), correct? They'd
> simply point the clients (your FreeBSD/HP-UX/RHEL 6 boxes) at the correct
> realm for a given host name (e.g., _kerberos.app.workspace.company.com ->
> AD001.COMPANY.NET).
>
> If the problem were with Windows clients, I'd certainly concede your
> point, but if your clients are *NIX boxes running MIT Kerberos, wouldn't
> this be a legitimate option?
We are in full control of DNS, but I cannot make any changes. I am a peasant
in a 300 000-person company. Everything is administered centrally.
Even if I could, TXT has no clear notion on Windows/Active Directory.
> Apologies if I'm misunderstanding the situation.
No need to apologize!
Michael
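Added example, not part of the thread: the host-to-realm lookup Sean describes (a `_kerberos.<host>` TXT record naming the realm) as a *NIX MIT krb5 client performs it, beside the krb5.conf `[domain_realm]` alternative the list usually recommends. The DNS table and `[domain_realm]` entries are constructed; only the `_kerberos.app.workspace.company.com -> AD001.COMPANY.NET` mapping comes from the thread, and the lookup order (profile first, then DNS, walking up the parent domains) approximates MIT krb5's.

```python
"""Host-to-realm resolution as an MIT krb5 client does it: the krb5.conf
[domain_realm] section is consulted first, then (only if dns_lookup_realm
is enabled, which MIT leaves off by default because TXT answers are not
authenticated) _kerberos.<name> TXT records, from the full host name up
through each parent domain.  All data below is constructed."""
from typing import Dict, Iterator, Optional

# Constructed stand-in for DNS: owner name -> TXT data.  Only the first
# record comes from the thread.
TXT_RECORDS: Dict[str, str] = {
    "_kerberos.app.workspace.company.com": "AD001.COMPANY.NET",
    "_kerberos.lab.company.com": "LAB.COMPANY.NET",
}

# Constructed stand-in for krb5.conf [domain_realm].
DOMAIN_REALM: Dict[str, str] = {
    "legacy.company.com": "OLD.COMPANY.NET",   # exact host name
    ".hpux.company.com": "AD002.COMPANY.NET",  # leading dot: whole domain
}

def parent_domains(host: str) -> Iterator[str]:
    """Yield the host, then each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def realm_from_profile(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """[domain_realm]: exact host entry first, then '.parent' entries."""
    for i, name in enumerate(parent_domains(host)):
        key = name if i == 0 else "." + name
        if key in mapping:
            return mapping[key]
    return None

def realm_from_txt(host: str, txt: Dict[str, str]) -> Optional[str]:
    """DNS: _kerberos.<host>, then _kerberos.<each parent domain>."""
    for name in parent_domains(host):
        realm = txt.get("_kerberos." + name)
        if realm:
            return realm.strip()
    return None

def resolve_realm(host: str, dns_lookup_realm: bool = True) -> Optional[str]:
    """Profile wins over DNS; None means fall back to default_realm/referrals."""
    realm = realm_from_profile(host, DOMAIN_REALM)
    if realm is None and dns_lookup_realm:
        realm = realm_from_txt(host, TXT_RECORDS)
    return realm
```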
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos