> > For various dns domains:
> > _kerberos TXT "EOS.NCSU.EDU"
> > to map all machines ending in eos.ncsu.edu to the EOS.NCSU.EDU krb
> > realm.
>
> Yes.  Note that there are security issues here, and other mechanisms
> are preferred.  (Unless you've got secure DNS set up, that is.)

The domain to realm mapping has security issues, or -all- of this does?

> > For the slave kerberos servers (pretend name is 'kslave'):
> > _kerberos._udp SRV 0 0 88 kslave
> > _kerberos-iv._udp SRV 0 0 750 kslave
> > _krb524._udp SRV 0 0 4444 kslave
>
> You could use _kerberos._tcp here, as well.  And, actually, you'd put
> in these records for the master as well -- any server that will provide
> these services.

But theoretically we don't like normal clients "bothering" our master.
(just a decision we made...)  That's why I left those out.

> > For the master kerberos server (pretend name is 'kmaster'):
> > _kerberos-master._udp SRV 0 0 88 kmaster
> > _kerberos-adm._udp SRV 0 0 749 kmaster
> > _kpasswd._udp SRV 0 0 464 kmaster
>
> kerberos-adm is a tcp service, not udp.  The MIT implementation doesn't
> actually look for that record when running kadmin, though.  (It does
> look for _kerberos-adm._tcp in the password changing code, if it can't
> find _kpasswd._udp.  It uses _kerberos-adm._tcp to find the host(s),
> and then uses UDP and the default kpasswd port number.  This is a poor
> heuristic and should not be relied on.)

And I actually have it as tcp, I just can't type apparently.  =)
I went ahead and added -adm just because the docs I read said "in the
future it'll be supported", so... figured I'd get things in place for
potential future krb implementations.

> > Ok, something I haven't added that I just saw is:
> > _kerberos._tcp SRV 0 0 0 .
> > Now.  I don't know what that's supposed to mean.  Does the fact that
> > it's a 0 port and a . for the host mean "we don't support tcp kerberos
> > yet"?  An indication to windows clients of sorts?  (I only say this in
> > the windows documentation)
>
> According to RFC 2782, "A DNS RR for specifying the location of
> services (DNS SRV)":
>
>    A Target of "." means that the service is decidedly not available
>    at this domain.
>
> So, yes, it means TCP Kerberos service isn't supported.  But Windows
> clients aren't the only ones that look for TCP service; MIT's got the
> code too.

Does 1.2.8 support that?  (that's what we're running right now, I haven't
decided to delve us into the 1.3 series just yet)  I was to understand
from some changelogs that tcp support there was a 1.3 thing.

> Offhand, I think you've got them all.
>
> DNS should be used for krb4 if it's compiled in and there's no data for
> the realm in the other config files.

Sweet!  Let me make sure I understand the realm mappings 100%.  My
understanding is that a default_realm under libdefaults makes it so the
domain -> realm mappings aren't that necessary.  IE, if I'm on
ghidora.unity.ncsu.edu, and my krb5.conf says my default_realm is
EOS.NCSU.EDU, then I don't need the mapping to say unity.ncsu.edu =
EOS.NCSU.EDU... right?

Daniel

-- 
Daniel Henninger                                http://www.vorpalcloud.org/
North Carolina State University - Systems Programmer
Information Technology <IT>

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
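As an added illustration of the records discussed in this thread (example code, not from the thread, from MIT Kerberos, or from any real client library), the following Python script parses a zone-file fragment into the Kerberos SRV and TXT hints a client would see and applies the RFC 2782 rule that a Target of "." means the service is decidedly not available. The zone fragment is constructed; the host names kslave and kmaster are the pretend names from the thread, and the ordering of equal-priority targets is a simplified, deterministic stand-in for the RFC's weighted random selection.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvTarget:
    service: str   # e.g. "_kerberos._udp" (owner name, relative to the zone)
    priority: int
    weight: int
    port: int
    host: str      # "." means "service decidedly not available" (RFC 2782)

    @property
    def available(self) -> bool:
        return self.host != "."


# Constructed sample zone fragment, modelled on the records in the thread.
# It is not a real zone; the realm TXT hint is only trustworthy with secure DNS.
SAMPLE_ZONE = """
; realm hint for hosts under this domain (constructed sample)
_kerberos               IN TXT "EOS.NCSU.EDU"
_kerberos._udp          IN SRV 0 0 88   kslave
_kerberos._udp          IN SRV 0 0 88   kmaster
_kerberos-iv._udp       IN SRV 0 0 750  kslave
_krb524._udp            IN SRV 0 0 4444 kslave
_kerberos-master._udp   IN SRV 0 0 88   kmaster
_kerberos-adm._tcp      IN SRV 0 0 749  kmaster
_kpasswd._udp           IN SRV 0 0 464  kmaster
_kerberos._tcp          IN SRV 0 0 0    .
"""

# Zone-file line shapes we accept: "<owner> [IN] SRV prio weight port target"
# and "<owner> [IN] TXT "value"". Class "IN" is optional, TTLs are not handled.
SRV_RE = re.compile(
    r'^(?P<name>\S+)\s+(?:IN\s+)?SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)'
    r'\s+(?P<port>\d+)\s+(?P<host>\S+)\s*$')
TXT_RE = re.compile(r'^(?P<name>\S+)\s+(?:IN\s+)?TXT\s+"(?P<value>[^"]*)"\s*$')


def parse_zone(text):
    """Return (realm_hint, {service_name: [SrvTarget, ...]}) from zone lines."""
    realm = None
    services = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        m = TXT_RE.match(line)
        if m and m.group("name") == "_kerberos":
            realm = m.group("value")          # domain -> realm hint
            continue
        m = SRV_RE.match(line)
        if m:
            target = SrvTarget(m.group("name"), int(m.group("prio")),
                               int(m.group("weight")), int(m.group("port")),
                               m.group("host"))
            services.setdefault(target.service, []).append(target)
    return realm, services


def pick_endpoints(services, service):
    """Resolve a service name to an ordered list of (host, port).

    Returns None when no record exists (a client would fall back to its
    config file), [] when the only records point at ".", i.e. the zone
    says the service is explicitly not offered, and otherwise the live
    targets ordered by priority (lowest first) then weight (highest first).
    """
    targets = services.get(service)
    if not targets:
        return None
    live = [t for t in targets if t.available]
    if not live:
        return []
    return [(t.host, t.port)
            for t in sorted(live, key=lambda t: (t.priority, -t.weight))]


if __name__ == "__main__":
    realm, svc = parse_zone(SAMPLE_ZONE)
    print("realm hint:", realm)
    for name in sorted(svc):
        print(f"{name:24s} -> {pick_endpoints(svc, name)}")
```

Running it shows the `_kerberos._tcp` lookup resolving to an empty list rather than to no answer, which is the distinction the RFC 2782 "." target is meant to carry: the zone is stating that TCP Kerberos is not offered, not merely staying silent about it.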
