On Fri, May 29, 2009 at 2:33 PM, Robert LeBlanc <[email protected]> wrote:
> Ok, here is the set-up. We have a domain that is the main domain, it
> handles DHCP and DNS for domain.edu. The DNS for domain.edu has NS records
> to delegate domain.local to our Active Directory.
>
> I am able to bind a machine just fine to the Active Directory without
> having to change any of the client DNS settings (which point to domain.edu).
> File services work fine. I'm trying to work out single sign-on with OpenSSH
> server. I can get it working to itself just fine using either hostname,
> hostname.domain.local and hostname.edu where hostname is the name of the
> machine that is sshing to itself. When I have two machines set up exactly
> the same, it doesn't work.
>
> I've sniffed the traffic and I can see that Kerberos goes through both
> domains looking for a principal that matches. The problem is that the
> reverse DNS always sends back hostname.domain.edu, but the service
> principals are hostname.domain.local. I'm guessing Kerberos uses the rDNS to
> generate the service principal.
>
> Is there some way to have winbind register both FQDNs as service principals
> automatically on join? If not, how would I add a service principal to the
> keytab that winbind generates? Or, how can I get Kerberos to use the short
> version of the principal that does not include domain.[edu|local]. I'm really new
> to Kerberos at this level and I've spent about a week getting this far.
>
> Thanks,
> Robert
>

I've tried setting up a mapping in the domain_realm section of /etc/krb5.conf like:

  .domain.com = DOMAIN.LOCAL

but that didn't help. Then I found for the libdefaults section:

  rdns = no

and that seems to work. It seems to use just the short name, which winbind does populate in the keytab. I don't think anyone outside of our area could spoof the short name because they won't have access to the computer object in the AD. A computer with the same name would have a different key, so it wouldn't match. Is there anything I'm missing that I should be concerned about?
Thanks,
Robert

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
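The lookup chain the thread describes, as an added illustration that is not part of the original message: a simplified model of how a client derives the host-based service principal, with constructed forward and reverse DNS tables, a constructed keytab, and the hypothetical host name server1 standing in for the real environment. It shows why a domain_realm mapping alone leaves the rDNS-derived host part unmatched, while rdns = no lets the short name winbind registered match.

```python
# Constructed DNS data and keytab for the two-domain set-up in the thread.
FORWARD = {  # forward zone: name -> address (constructed)
    "server1.domain.edu": "10.0.0.5",
    "server1.domain.local": "10.0.0.5",
}
REVERSE = {"10.0.0.5": "server1.domain.edu"}  # rDNS only knows the .edu name
SEARCH_DOMAIN = "domain.edu"                   # client resolv.conf search list

# [domain_realm]-style mapping (suffix -> realm) plus default_realm.
DOMAIN_REALM = {".domain.local": "DOMAIN.LOCAL", ".domain.edu": "DOMAIN.LOCAL"}
DEFAULT_REALM = "DOMAIN.LOCAL"

# Principals winbind put in the keytab per the thread: .local FQDN and short name.
KEYTAB = {"host/server1.domain.local@DOMAIN.LOCAL", "host/server1@DOMAIN.LOCAL"}


def canonical_host(name: str, rdns: bool) -> str:
    """Host part of the service principal.

    rdns=True models the default: resolve the name, then replace it with the
    PTR answer for the address. rdns=False models 'rdns = no': keep the name
    the user typed (a real client may still forward-canonicalize it unless
    dns_canonicalize_hostname is also turned off).
    """
    name = name.lower().rstrip(".")
    fqdn = name if "." in name else f"{name}.{SEARCH_DOMAIN}"
    if fqdn not in FORWARD:
        raise LookupError(f"no A record for {fqdn}")
    if rdns:
        return REVERSE[FORWARD[fqdn]].lower().rstrip(".")
    return name


def realm_for(host: str) -> str:
    """Longest-suffix match against [domain_realm], else default_realm."""
    matches = [s for s in DOMAIN_REALM if host.endswith(s)]
    return DOMAIN_REALM[max(matches, key=len)] if matches else DEFAULT_REALM


def service_principal(name: str, rdns: bool = True) -> str:
    host = canonical_host(name, rdns)
    return f"host/{host}@{realm_for(host)}"


def in_keytab(principal: str) -> bool:
    return principal in KEYTAB


if __name__ == "__main__":
    for rdns in (True, False):
        p = service_principal("server1", rdns)
        print(f"rdns={rdns}: {p} -> {'found' if in_keytab(p) else 'MISSING'} in keytab")
```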
