Douglas E. Engert wrote:

> 
> sam wrote:
> 
>>Hi,
>>
>>does anyone know why I get the following error:
>>[EMAIL PROTECTED] [10:56am] [~]# kinit tillman
>>[EMAIL PROTECTED]'s Password:
>>kinit: krb5_get_init_creds: unable to reach any KDC in realm ROCK.COM
>>[EMAIL PROTECTED] [10:57am] [~]#
>>
>>I have written the following kerberos lines in a separate DNS server:
>>
>>kerberos                CNAME 192.168.1.1
>>
>>_kerberos               IN TXT  ROCK.COM
>>_kerberos._udp          IN SRV  0 0 88 kerberos.rock.com
> 
> 
> Try 
> 
> _kerberos._udp.rock.com.  IN SRV 0 0 88 kerberos.rock.com
> 
> 
> 
> 
> 
>>_kerberos-master._udp   IN SRV  0 0 88 kerberos.rock.com
>>_kerberos-adm._tcp      IN SRV  0 0 749 kerberos.rock.com
>>_kpasswd._udp           IN SRV  0 0 464 kerberos.rock.com
> 
> 
> 
> Try nslookup
>  set type=ANY
>  _kerberos._udp.rock.com 
> 
> and see if your DNS server has the SRV records. 
> From what I see from here, it does not.
> 
> 
> 
>>but pinging the kerberos server from another machine failed; I'm not
>>sure if this is the problem. What is the correct way to set up DNS to
>>include kerberos configuration?
>>
>>Thanks
>>sam

It works now; the CNAME caused the problem. I changed the CNAME to:
kerberos        CNAME   fbsd

The fbsd is the one pointing to the kerberos server.

Now I have another question about the expiry date of the ticket.
I tried to create a ticket for a user with an unlimited period, but klist showed
that it is a 1 day ticket only:

kadmin> add samwun
Max ticket life [1 day]:unlimited
Max renewable life [1 week]:unlimited
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
[EMAIL PROTECTED]'s Password:
Verifying - [EMAIL PROTECTED]'s Password:
kadmin> exit
[EMAIL PROTECTED] [11:13am] [~]# kinit samwun
[EMAIL PROTECTED]'s Password:
[EMAIL PROTECTED] [11:13am] [~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: [EMAIL PROTECTED]

   Issued           Expires          Principal
May 28 11:13:15  May 28 21:13:15  krbtgt/[EMAIL PROTECTED]
[EMAIL PROTECTED] [11:13am] [~]#

How can I make the expiry date unlimited? If it doesn't make sense to
kerberos, what would be a good policy for assigning the valid period
for each user?

Thanks
Sam.
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
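
Added example, not part of the original thread or of any Kerberos distribution: a small Python check of the zone records discussed above, which flags a CNAME whose target is an IP address and verifies that the `_kerberos._udp` SRV target resolves to an address. It goes beyond the thread's fix by assuming RFC 1035 master-file semantics with `$ORIGIN rock.com.` (names without a trailing dot are relative to the origin); the `fbsd` A record and the function names are assumptions.

```python
import ipaddress

ORIGIN = "rock.com."  # assumption: $ORIGIN of the zone holding these records
# Constructed from the records quoted in the thread (before the fix).
ZONE_BEFORE = """\
kerberos         CNAME 192.168.1.1
_kerberos._udp   IN SRV 0 0 88 kerberos.rock.com
"""
# Constructed: the CNAME fix; fbsd's A record and the trailing dot are assumed.
ZONE_AFTER = """\
fbsd             IN A 192.168.1.1
kerberos         CNAME fbsd
_kerberos._udp   IN SRV 0 0 88 kerberos.rock.com.
"""

def fqdn(name):
    """Master-file rule: a name without a trailing dot is relative to $ORIGIN."""
    return name.lower() if name.endswith(".") else f"{name.lower()}.{ORIGIN}"

def is_ip(text):
    try:
        return bool(ipaddress.ip_address(text))
    except ValueError:
        return False

def parse(zone):
    """Map owner FQDN -> (type, rdata fields); one record per owner for brevity."""
    rows = ([f for f in ln.split() if f.upper() != "IN"] for ln in zone.splitlines())
    return {fqdn(r[0]): (r[1].upper(), r[2:]) for r in rows if len(r) >= 3}

def resolve(records, name):
    """Follow CNAMEs from name to an address; None if the chain dead-ends."""
    for _ in range(8):  # bounded so a CNAME loop cannot hang the check
        rtype, rdata = records.get(name, (None, [""]))
        if rtype != "CNAME" or is_ip(rdata[0]):
            return rdata[0] if rtype in ("A", "AAAA") else None
        name = fqdn(rdata[0])
    return None

def lint(zone, srv_owner="_kerberos._udp"):
    """Return (KDC address or None, problems found in the zone text)."""
    records = parse(zone)
    problems = [f"{o} CNAME points at IP address {d[0]}, not a host name"
                for o, (t, d) in records.items() if t == "CNAME" and is_ip(d[0])]
    rtype, rdata = records.get(fqdn(srv_owner), (None, []))
    if rtype != "SRV":
        return None, problems + [f"no SRV record at {fqdn(srv_owner)}"]
    address = resolve(records, fqdn(rdata[3]))
    unresolved = f"SRV target {fqdn(rdata[3])} does not resolve to an address"
    return address, (problems if address else problems + [unresolved])
```

RFC 2782 states that an SRV target must not itself be an alias, so pointing the SRV record directly at the host that owns the A record avoids depending on resolvers that follow the CNAME.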