On Thursday, Jan 8, 2004, at 16:18 US/Eastern, Daniel Henninger wrote:
> I'm trying to figure out what all of the current (and future supported)
> SRV records for Kerberos are, and some meanings here and there.
>
> So here's the type of entries I have:
>
> For various dns domains:
> _kerberos TXT "EOS.NCSU.EDU"
> to map all machines ending in eos.ncsu.edu to the EOS.NCSU.EDU krb realm.

Yes. Note that there are security issues here, and other mechanisms are preferred. (Unless you've got secure DNS set up, that is.)

> For the slave kerberos servers (pretend name is 'kslave'):
> _kerberos._udp                  SRV     0 0 88 kslave
> _kerberos-iv._udp               SRV     0 0 750 kslave
> _krb524._udp                    SRV     0 0 4444 kslave

You could use _kerberos._tcp here, as well. And, actually, you'd put in these records for the master as well -- any server that will provide these services.

> For the master kerberos server (pretend name is 'kmaster'):
> _kerberos-master._udp           SRV     0 0 88 kmaster
> _kerberos-adm._udp              SRV     0 0 749 kmaster
> _kpasswd._udp                   SRV     0 0 464 kmaster

kerberos-adm is a tcp service, not udp. The MIT implementation doesn't actually look for that record when running kadmin, though. (It does look for _kerberos-adm._tcp in the password changing code, if it can't find _kpasswd._udp. It uses _kerberos-adm._tcp to find the host(s), and then uses UDP and the default kpasswd port number. This is a poor heuristic and should not be relied on.)

> Ok, something I haven't added that I just saw is:
> _kerberos._tcp SRV 0 0 0 .
> Now. I don't know what that's supposed to mean. Does the fact that it's
> a 0 port and a . for the host mean "we don't support tcp kerberos yet"?
> An indication to windows clients of sorts? (I only saw this in the
> Windows documentation.)

According to RFC 2782, "A DNS RR for specifying the location of services (DNS SRV)":

    A Target of "." means that the service is decidedly not available at this domain.

So, yes, it means TCP Kerberos service isn't supported. But Windows clients aren't the only ones that look for TCP service; MIT's got the code too.

> Also, are there other records that I'm missing/don't know about? Are there
> ones above that absolutely nothing uses? How do you manage to tell krb4
> to use dns lookups instead of krb.conf and krb.realms?

Offhand, I think you've got them all.

DNS should be used for krb4 if it's compiled in and there's no data for the realm in the other config files.

Ken

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

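The following is an added example, not code from the thread or from MIT Kerberos: a small Python model of how a client consumes the records discussed above. It parses a constructed zone snippet built from the thread's placeholder hosts (kmaster, kslave, origin eos.ncsu.edu; the kerberos-adm record is placed under _tcp per Ken's correction), applies the RFC 2782 ordering rules (priority, then weighted draw), treats a "." target as "service decidedly not available", walks parent domains for the _kerberos TXT realm mapping, and shows the kpasswd fallback Ken describes for MIT. Record names, the zone text and the function names are all assumptions of this example.

```python
"""RFC 2782 SRV selection and DNS-based Kerberos discovery over a
constructed zone snippet.  Added example; not MIT Kerberos code."""
import random
from dataclasses import dataclass

# Constructed zone data modelled on the thread's records (hosts are the
# thread's placeholders).  _kerberos._tcp with target "." is RFC 2782's
# "service decidedly not available" marker.
ZONE = """
_kerberos               TXT  "EOS.NCSU.EDU"
_kerberos._udp          SRV  0 0 88   kmaster
_kerberos._udp          SRV  0 0 88   kslave
_kerberos._tcp          SRV  0 0 0    .
_kerberos-master._udp   SRV  0 0 88   kmaster
_kerberos-adm._tcp      SRV  0 0 749  kmaster
_kpasswd._udp           SRV  0 0 464  kmaster
_kerberos-iv._udp       SRV  0 0 750  kslave
_krb524._udp            SRV  0 0 4444 kslave
"""
ORIGIN = "eos.ncsu.edu"


@dataclass
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def fqdn(name, origin=ORIGIN):
    """Expand a relative owner or target name against the zone origin."""
    if name == ".":
        return "."
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return {owner_fqdn: [rdata, ...]} for the TXT and SRV records."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        owner, rtype, rdata = fqdn(fields[0], origin), fields[1], fields[2:]
        if rtype == "SRV":
            prio, weight, port, target = rdata
            value = SRV(int(prio), int(weight), int(port), fqdn(target, origin))
        elif rtype == "TXT":
            value = " ".join(rdata).strip('"')
        else:
            continue
        records.setdefault(owner, []).append(value)
    return records


def rfc2782_order(rrs, rng=None):
    """Order SRV RRs per RFC 2782: ascending priority; within a priority a
    weighted random draw, with weight-0 RRs placed first in the candidate
    list so they are rarely picked when non-zero weights exist."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in rrs}):
        group = [r for r in rrs if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for i, r in enumerate(group):
                running += r.weight
                if running >= pick:          # first RR whose running sum reaches the draw
                    ordered.append(group.pop(i))
                    break
    return ordered


def srv_targets(zone, service, proto, domain=ORIGIN, rng=None):
    """(host, port) list for _service._proto.<domain>; [] when a "."
    target says the service is decidedly not available."""
    rrs = zone.get(f"_{service}._{proto}.{domain}", [])
    if any(r.target == "." for r in rrs):
        return []
    return [(r.target, r.port) for r in rfc2782_order(rrs, rng)]


def realm_for_host(zone, hostname):
    """Walk up the host's parent domains for a _kerberos TXT record.  Unless
    the answer is DNSSEC-validated, whoever can spoof it picks your realm;
    that is the security issue Ken flags."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        txt = zone.get("_kerberos." + ".".join(labels[i:]))
        if txt:
            return txt[0]
    return None


def kpasswd_targets(zone, domain=ORIGIN):
    """_kpasswd._udp first; otherwise the MIT fallback Ken describes: the
    _kerberos-adm._tcp hosts with UDP assumed on the default port 464.
    Shown to illustrate the heuristic he calls poor, not as a recommendation."""
    direct = srv_targets(zone, "kpasswd", "udp", domain)
    if direct:
        return direct
    return [(h, 464) for h, _ in srv_targets(zone, "kerberos-adm", "tcp", domain)]


if __name__ == "__main__":
    z = parse_zone(ZONE)
    print(realm_for_host(z, "ws42.eos.ncsu.edu"))
    print(srv_targets(z, "kerberos", "udp"))
    print(srv_targets(z, "kerberos", "tcp"))   # [] because of the "." target
    print(kpasswd_targets(z))
```

With every weight at 0 the draw always lands on the first candidate, so the order is deterministic and both KDCs are offered for _kerberos._udp, while the _kerberos._tcp lookup yields nothing, which is exactly the signal the `SRV 0 0 0 .` record is meant to send.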