That's part of the default krb5.conf, specifying kdc = hostname, as well as master_kdc, etc. for every host that serves as KDC. I do have SRV records in place, and I know from our old implementation that SRV lookups DO work the way they're supposed to, but I'm not paid enough to argue with execs. :P

I suppose I could just implement it in the way that actually works and hope no one notices.

 - Ben

On 8/30/12 7:06 PM, Brandon Allbery wrote:
On Thu, Aug 30, 2012 at 7:54 PM, Ben Howell <[email protected]> wrote:

    While this is true, people who get paid a lot more than I do
    decided we shouldn't be pointing authentication to individual
    machines and instead use domain lookups, which winbind does
    nicely. I was able to replicate the old functionality by pointing
    the pam stack directly to dc01.domain.com, but that defeats the
    purpose of having a decentralized authentication system.

Any Kerberos implementation worth its salt should be able to use SRV lookups, which Active Directory supports, to autodiscover the KDCs. Moreover, even when explicit specification is necessary, you do not normally specify them in the PAM stack but in /etc/krb5.conf.

Where (which module) and why are you having to specify KDC machines within/as part of the PAM stack?

--
brandon s allbery [email protected]
wandering unix systems administrator (available)     (412) 475-9364 vm/sms
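As an added illustration of the trade-off the thread is about (explicit kdc = lines in krb5.conf versus SRV autodiscovery), here is a small Python audit script that is not from either poster: it reads a krb5.conf, and for each realm reports whether KDC location is pinned to listed hosts, left to DNS SRV records (_kerberos._tcp.<realm>), or not configured at all. The sample config and the report labels ("pinned:N", "srv:...", "none") are constructed for the example.

```python
# Constructed sample, not the poster's real config: one realm pinned to a single DC, one with no kdc lines, SRV off.
SAMPLE_KRB5_CONF = """
[libdefaults]
    dns_lookup_kdc = false
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com
        master_kdc = dc01.example.com
    }
    CORP.EXAMPLE.COM = {
        admin_server = admin.corp.example.com
    }
"""

def parse_krb5_conf(text):
    """Minimal reader: returns ([libdefaults] dict, {realm: {key: [values]}})."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments; blank lines fall through harmlessly
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()      # "EXAMPLE.COM = {" opens a realm stanza
            realms.setdefault(realm, {})
        elif line == "}":
            realm = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key.lower()] = val
            elif section == "realms" and realm:
                realms[realm].setdefault(key.lower(), []).append(val)
    return libdefaults, realms

def kdc_sources(text):
    """Per realm: explicit kdc= lines win; otherwise SRV (_kerberos._tcp.<realm>)
    when dns_lookup_kdc is on (MIT default: true); otherwise no KDC is reachable."""
    libdefaults, realms = parse_krb5_conf(text)
    dns_on = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    report = {}
    for realm, keys in realms.items():
        hosts = {v.split(":")[0].lower() for v in keys.get("kdc", [])}  # ignore :port, case
        if hosts:
            report[realm] = f"pinned:{len(hosts)}"   # pinned:1 is a single point of failure
        elif dns_on:
            report[realm] = f"srv:_kerberos._tcp.{realm.lower()}"
        else:
            report[realm] = "none"
    return report
```

Run `kdc_sources(open("/etc/krb5.conf").read())` on a real host to see which realms would fall over if one pinned DC went away.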

