On Thu, 31 May 2007 13:48:13 -0400 Ken Raeburn <[EMAIL PROTECTED]> wrote:
> > I want to fix this but I don't know what the correct behavior is in
> > this scenario.
> >
> > Can someone tell me why this failed and what the correct behavior
> > should be?
>
> Usually the client is set up to talk to a recursive resolver that'll
> talk to the other nameservers. It sounds like it's not doing that,
> or it's getting the wrong results.
>
> A couple things you might check just in case, though they're probably
> not the problem: (1) IPv6-only KDCs?

Well I left out the AAAA queries that were failing as well.

> (2) Does dns2.example.com
> really have the KDC addresses?

Mmm, no. At least it cannot resolve the hostnames of KDCs it's supposed
to be an authority for. Actually I'm going to try just putting an IP in
the krb5.conf like:

  [realms]
      EXAMPLE.COM = {
          kdc = 192.168.1.2
      }

I don't understand how a DNS server can answer an SRV record and not be
able to resolve the names it returns. We're either using a bad DNS
server or it must expect the client to recur on authority records 3
levels deep.

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
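The condition described in the message above, an SRV answer whose targets have no resolvable address, can be checked offline from captured resolver output. This is an added example, not part of the original post: the records, the host names kdc1/kdc2.example.com and the function names are constructed for illustration, and the input is assumed to be in the format printed by `dig +noall +answer`.

```python
# Flag Kerberos SRV targets that have no A or AAAA record in the same capture.
# Record format: owner TTL class type rdata. All records below are constructed.
SAMPLE_ANSWERS = """\
_kerberos._udp.EXAMPLE.COM. 600 IN SRV 0 100 88 kdc1.example.com.
_kerberos._udp.EXAMPLE.COM. 600 IN SRV 10 100 88 kdc2.example.com.
kdc1.example.com. 3600 IN A 192.168.1.2
"""


def norm(name):
    # DNS names compare case-insensitively; drop the trailing root dot.
    return name.rstrip(".").lower()


def parse_records(text):
    """Yield (owner, rtype, rdata_fields) for each well-formed record line."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # dig comments start with ';'
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        yield norm(fields[0]), fields[3].upper(), fields[4:]


def check_kdc_srv(text, realm):
    """Return SRV targets for the realm, split into resolvable and dangling."""
    services = {norm(f"_kerberos._{proto}.{realm}") for proto in ("udp", "tcp")}
    addresses, targets = {}, []
    for owner, rtype, rdata in parse_records(text):
        if rtype in ("A", "AAAA"):
            addresses.setdefault(owner, []).append(rdata[0])
        elif rtype == "SRV" and owner in services and len(rdata) == 4:
            priority, weight, port, target = rdata
            targets.append((int(priority), int(weight), int(port), norm(target)))
    targets.sort()  # lowest priority value is tried first (RFC 2782)
    resolvable = [(t[3], t[2], addresses[t[3]]) for t in targets if t[3] in addresses]
    dangling = [t[3] for t in targets if t[3] not in addresses]
    return resolvable, dangling


if __name__ == "__main__":
    ok, missing = check_kdc_srv(SAMPLE_ANSWERS, "EXAMPLE.COM")
    for host, port, addrs in ok:
        print(f"usable KDC: {host}:{port} -> {', '.join(addrs)}")
    for host in missing:
        print(f"SRV target with no A/AAAA record: {host}")
```

A non-empty second list means the client will receive a KDC name from the SRV lookup and then fail the follow-up address query, which matches the symptom in the thread.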