Remember that the way a realm is determined for a cell is by
obtaining the list of vldb servers for the cell, choosing the
first server off the list and then performing a domain to realm
mapping on the server name.  The cell name is not used for this.

Also, the use of TXT records to determine which realm a service
belongs to is insecure and is disabled by default in MIT Kerberos.
You would need to explicitly enable this functionality in your
krb5.ini file in order to use it.

Please see the Security Considerations text from the long expired
draft:

http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt

This draft is expired because those parts that could be safely
implemented were incorporated into RFC4120 and those that could not be
were dropped.

Jeffrey Altman
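As an added illustration of the lookup order described above (example code, not OpenAFS or MIT Kerberos code): the realm is derived from the first VLDB server's hostname, never from the cell name. The VLDB server lists, the [domain_realm] entries and the "exact host, then parent domains, then uppercased domain" order are constructed assumptions for the example.

```python
"""Model of how aklog picks a Kerberos realm for an AFS cell: take the cell's
VLDB server list, use the FIRST server's hostname, and run it through a
[domain_realm]-style mapping.  The cell name itself never enters the lookup.
Added example; hostnames, cells and realm data are constructed sample values."""

# Constructed stand-in for a CellServDB / AFSDB lookup: cell -> VLDB servers.
CELL_VLDB_SERVERS = {
    "research.cs.berkeley.edu": [
        "afsdb1.cs.berkeley.edu",           # first server decides the realm
        "afsdb2.research.cs.berkeley.edu",  # never consulted for the realm
    ],
    "example.org": ["vldb.example.org"],
}

# Constructed [domain_realm] section as it would appear in krb5.conf/krb5.ini.
# Keys starting with "." match a host's parent domains; others match exactly.
DOMAIN_REALM = {
    ".cs.berkeley.edu": "CS.BERKELEY.EDU",
    ".research.cs.berkeley.edu": "RESEARCH.CS.BERKELEY.EDU",
}


def domain_to_realm(hostname: str, mapping: dict) -> str:
    """Map a hostname to a realm as a [domain_realm] lookup does (assumed
    order: exact host, then parent domains from most to least specific).
    With no match and DNS TXT lookups disabled, fall back to the host's
    domain part uppercased."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return ".".join(labels[1:]).upper()


def realm_for_cell(cell: str, servers=CELL_VLDB_SERVERS, mapping=DOMAIN_REALM) -> str:
    """Realm aklog would use for `cell`: first VLDB server, then domain -> realm."""
    vldb = servers.get(cell)
    if not vldb:
        raise ValueError(f"no VLDB servers known for cell {cell}")
    return domain_to_realm(vldb[0], mapping)


if __name__ == "__main__":
    for name in CELL_VLDB_SERVERS:
        print(f"{name:28} -> {realm_for_cell(name)}")
```

Note that the cell named research.cs.berkeley.edu resolves to CS.BERKELEY.EDU here, because its first VLDB server sits in cs.berkeley.edu; a TXT record for the cell name would change nothing.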



Adam Megacz wrote:
> Hrm, I'm seeing different behavior from the same aklog (OpenAFS
> 1.4.1-rc5) on Windows versus Unix (MacOS+Linux) regarding locating
> KDC's using DNS entries.
> 
> Using totally uncustomized krb5.conf's on all machines, I can do this
> on Linux and MacOS:
> 
>   kinit [EMAIL PROTECTED]
>   aklog -c research.cs.berkeley.edu
> 
> However, on Windows, it seems that aklog can't properly figure out
> that research.cs.berkeley.edu is its own kerberos realm (the
> _kerberos.research.cs.berkeley.edu TXT record exists, but is not being
> used):
> 
>   > kinit [EMAIL PROTECTED]
>   Password for [EMAIL PROTECTED]:
> 
>   > aklog -d -c research.cs.berkeley.edu
>   Authenticating to cell research.cs.berkeley.edu.
>   Getting v5 tickets: afs/[EMAIL PROTECTED]
>   Getting v5 tickets: [EMAIL PROTECTED]
>   Kerberos error code returned by get_cred: -1765328377
>   aklog.exe: Couldn't get research.cs.berkeley.edu AFS tickets:
> 
> Any ideas?  My ultimate goal is to be able to do this without users
> having to edit their krb5.conf's.
> 
>   - a
> 
