Well previously you mentioned it was IP hardcoded, now you specify name. If
the name was there, possibly someone dorked with the name in DNS, especially
if you didn't use a fully qualified name and you have multiple search
suffixes.

Otherwise, the only way for the client to jump to another machine would be
through a referral. 

If you have multiple domains, you may find that straight Kerberos is not as
fun as you may think. I recall one Kerberos integration project that went
over 2 years with no production machines launched. There are some difficult
problems that can be encountered, and the people on that project generally
found the MS people in Redmond good to work with and the MIT Kerberos people
a pain to work with. The onsite MS PSS/MCS people really didn't have any
ideas on any of the problems. Kerberos is one of those things that most of
the MS world likes to just see work; when it doesn't, there are a lot of
shrugged shoulders and mumbled "I don't know"s.

Not saying it is impossible, it can just be trying. Microsoft did an
amazing, yes amazing, job on hiding the backend complexities of Kerberos.

As for pricing, hit Vintela/Quest at the end of a quarter or at the end of
the fiscal year. Also check out Centrify, they are in the same space. See if
you can get both companies into a bidding war. As for who is better, I think
it hasn't been worked out yet. Lots of opinions both ways but no clear-cut
"you must do it this way" winner. I am friends with people on both sides of
that fight.

   joe
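Joe's point about a short host name and multiple search suffixes is worth seeing concretely. The following is an added example, not code from anyone on this thread: it models the stub-resolver search-list algorithm from resolv.conf(5) (the ndots rule) to show which DNS names actually get tried when ldap.conf carries a short name. The host names, search suffixes and the fake DNS answers are constructed for illustration.

```python
"""Resolver search-list expansion for a non-FQDN 'host' entry in ldap.conf.

Added example for this thread (not part of any poster's message). The
resolver rules follow resolv.conf(5); the names and addresses are made up.
"""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS: only these absolute names resolve.
FAKE_DNS: Dict[str, str] = {
    "ldapsrv.hq.corp.example.": "10.20.0.5",     # a DC at the remote site
    "dc01.colmar.corp.example.": "10.10.0.5",    # the intended local DC
}


def search_candidates(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Return the absolute names a stub resolver tries, in order.

    resolv.conf(5) rules:
      * a trailing dot makes the name absolute; it is tried as-is only;
      * a name with fewer than `ndots` dots is tried with each search
        suffix first, then as an absolute name;
      * a name with at least `ndots` dots is tried as an absolute name
        first, then with each search suffix.
    """
    if name.endswith("."):
        return [name]
    as_is = name + "."
    with_suffix = [f"{name}.{s.rstrip('.')}." for s in search]
    if name.count(".") < ndots:
        return with_suffix + [as_is]
    return [as_is] + with_suffix


def resolve(name: str, search: List[str], ndots: int = 1,
            dns: Dict[str, str] = FAKE_DNS) -> Tuple[Optional[str], Optional[str]]:
    """Walk the candidate list; return (name that answered, address)."""
    for cand in search_candidates(name, search, ndots):
        if cand in dns:
            return cand, dns[cand]
    return None, None


if __name__ == "__main__":
    # Hypothetical resolv.conf search list for a box at the Colmar site.
    search_list = ["colmar.corp.example", "hq.corp.example", "corp.example"]
    # 'host ldapsrv' in ldap.conf: the short name only exists under the
    # second suffix, so the client quietly ends up at the remote-site DC.
    print(search_candidates("ldapsrv", search_list))
    print(resolve("ldapsrv", search_list))
    # A fully qualified name with a trailing dot removes the ambiguity.
    print(resolve("dc01.colmar.corp.example.", search_list))
```

Running it shows the short name being expanded through every suffix before it is ever tried on its own, which is exactly how a "hardcoded" host can drift to a different machine if someone adds a record under another suffix.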

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Friday, October 14, 2005 9:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this problem

Hi all,
The Linux client is configured with a host parameter in the ldap.conf file
and isn't SRV aware.  I was running several network traces and sniffers, etc.,
to determine what exactly was going on, but the dumps came up empty.  But I
think the issue has "gone" away, not sure why.

On another note:  I did look into Vintela before we decided to go with LDAP,
but they were extremely expensive.  We are heading to Kerberos with
the RH 3.0 upgrade and I cannot wait for that!

Thanks for your input!


Thank you for your time! 
Jennifer
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 7:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this problem

This assumes that the client knows how to retrieve SRV records though.

The first thing I would say to do in troubleshooting this is to do drum roll
please..... Network trace, yeah you knew I was going to pull that one didn't
you?

Another thing to do would be to use proper authentication with Kerberos.
Vintela and Centrify have products to help make this much less painful than
it can be.

   Joe



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, October 14, 2005 3:51 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this problem

Well.... 
To query for ANY DC (or LDAP server) in the domain you use:
_ldap._tcp.dc._msdcs.<domain>.<tld>
 
To query for ANY DC (or LDAP server) in a certain site you use:
_ldap._tcp.<site name>._sites.dc._msdcs.<domain>.<tld>
 
If a computer does not know its site it uses the first, and if it knows its
site it will use the second.

I don't know if a Linux client is site aware or can be made site aware (with
the Samba client?) (and I don't know anything about Linux/Unix).

How is the Linux client configured to search for a DC?
 
Cheers,
Jorge
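To make Jorge's two SRV names concrete, here is an added example (not code from his message, from Windows, or from any of the products mentioned). It builds the site-scoped and domain-wide `_msdcs` names, parses SRV answers in the `priority weight port target` form that `dig +short SRV` prints, and chooses a target the way RFC 2782 says a client should: lowest priority wins, ties within that priority are broken by a weight-proportional random pick. The domain, site and DNS answers are constructed; a real client would also query DNS rather than a dictionary.

```python
"""Locating a DC through the _msdcs SRV records.

Added example for this thread; the domain 'corp.example', the site 'colmar'
and the answers in FAKE_DNS are constructed for illustration.
"""
import random
from typing import Dict, List, Optional, Tuple

# (priority, weight, port, target) as carried in SRV RDATA
SrvRecord = Tuple[int, int, int, str]

# Constructed answers, in the form `dig +short SRV <name>` prints them.
# Only the site-scoped name narrows the answer to the local DC.
FAKE_DNS: Dict[str, str] = {
    "_ldap._tcp.colmar._sites.dc._msdcs.corp.example":
        "0 100 389 dc01.colmar.corp.example.\n",
    "_ldap._tcp.dc._msdcs.corp.example":
        "0 100 389 dc01.colmar.corp.example.\n"
        "0 100 389 dc02.hq.corp.example.\n"
        "10 100 389 dc03.dr.corp.example.\n",
}


def dc_srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names a locator tries, most specific first (Jorge's two forms)."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def parse_srv(answer: str) -> List[SrvRecord]:
    """Parse 'priority weight port target' lines into SrvRecord tuples."""
    records = []
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank line or something that is not SRV RDATA
        prio, weight, port, target = fields
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def select_target(records: List[SrvRecord],
                  pick: Optional[int] = None) -> Optional[Tuple[str, int]]:
    """RFC 2782 selection: lowest priority, then weighted random within it.

    `pick` replaces the random number in [0, sum of weights] so the choice
    can be made deterministic; leave it None for normal use.
    """
    if not records:
        return None
    best = min(r[0] for r in records)
    # Zero-weight records are placed first so they are chosen only rarely.
    pool = sorted((r for r in records if r[0] == best), key=lambda r: r[1] != 0)
    total = sum(r[1] for r in pool)
    if pick is None:
        pick = random.randint(0, total)
    running = 0
    for rec in pool:
        running += rec[1]
        if running >= pick:
            return rec[3], rec[2]
    return pool[-1][3], pool[-1][2]


def locate_dc(domain: str, site: Optional[str],
              dns: Dict[str, str] = FAKE_DNS,
              pick: Optional[int] = None) -> Optional[Tuple[str, str, int]]:
    """Try the site-scoped name first, then fall back to the domain-wide one.

    Returns (SRV name that answered, DC host, port) or None.
    """
    for name in dc_srv_names(domain, site):
        records = parse_srv(dns.get(name, ""))
        if records:
            target, port = select_target(records, pick)
            return name, target, port
    return None


if __name__ == "__main__":
    print(dc_srv_names("corp.example", "colmar"))
    # Site-aware: only the local DC is offered.
    print(locate_dc("corp.example", "colmar"))
    # Not site-aware: any priority-0 DC in the domain may be picked,
    # including the one at the remote site.
    print(locate_dc("corp.example", None))
```

The second `locate_dc` call is the situation from the original question: a client that is not site aware and resolves the domain-wide name has no reason to prefer the local DC over an equal-priority one elsewhere.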

________________________________

From: [EMAIL PROTECTED] on behalf of Jennifer Fountain
Sent: Fri 10/14/2005 9:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Major issue not sure if 2003 created this problem

Hi all:
I currently have my Linux boxes configured to log into AD via LDAP.  I
noticed today that even though I have the host IP hard-coded to a local
server, each box is trying to authenticate to a DC at a remote site.
Has anyone experienced this issue?

Kind Regards,

Jennifer Fountain
Systems Administrator/Security
R&B Distribution
3400 E Walnut Street
Colmar, PA  18915


*********************************************************************************
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer



List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.