We currently have an existing Active Directory domain for our Windows network, and I would like to set up Kerberos on the Unix side to service those systems. (I would simply use Windows as the KDC, but the username convention is "firstname<space>lastname", which is obviously inherently incompatible with *nix systems.)

So let's say I have a setup like this:
userdom.org -- This is the domain where all the users and workstations live.
srvdom.org -- This is where all the servers (including unix servers) live.


[libdefaults]
  default_realm = KRB.SRVDOM.ORG

[realms]
  KRB.SRVDOM.ORG = {
     kdc = krb1.SRVDOM.org
     admin_server = kr1.SRVDOM.org
     default_domain = srvdom.org
  }

[domain_realm]
  SRVDOM.org = KRB.SRVDOM.ORG
  .SRVDOM.org = KRB.SRVDOM.ORG


With a set of existing servers like so:
  server1.srvdom.org
  server2.srvdom.org

with the above krb5.conf file.

Now, if I set this up, and there are no specific DNS entries to point to the KDC available, but rather I use the rather less scalable method of individually pointing each Unix system at the correct KDC, will that work? Or will this cause a nightmare of conflict between AD and the Unix Kerberos implementation? I'm not intimately familiar with all of the Kerberos protocols. Is there any broadcasting going on, particularly from Windows, that might cause nightmares with this? Particularly if a Windows client were to attempt to authenticate against a service on one of the Unix systems?

What, if anything, do I need to be concerned about regarding the users actually attempting to authenticate from the userdom.org domain? Do I need to have domain_realm mappings for that domain as well?

If I have to, I can set up a rogue DNS subdomain of krb5.srvdom.org and put everything in there, and subvert the existing DNS infrastructure to support it by using dnscache to override where the servers look for DNS and reverse information. But that creates a really ugly situation, especially for reverse lookups. So if I can do this, and not screw up the Windows AD implementation, or the clients that would be using it, that's perfect.

________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
