On Thu, 31 May 2007 13:48:13 -0400
Ken Raeburn <[EMAIL PROTECTED]> wrote:

> > I want to fix this but I don't know what the correct behavior is in
> > this scenario.
> >
> > Can someone tell me why this failed and what the correct behavior  
> > should be?
> 
> Usually the client is set up to talk to a recursive resolver that'll  
> talk to the other nameservers.  It sounds like it's not doing that,  
> or it's getting the wrong results.
> 
> A couple things you might check just in case, though they're probably  
> not the problem: (1) IPv6-only KDCs?

Well I left out the AAAA queries that were failing as well.

>  (2) Does dns2.example.com  
> really have the KDC addresses?

Mmm, no. At least it cannot resolve the hostnames of KDCs it's supposed
to be an authority for.

Actually I'm going to try just putting an IP in the krb5.conf like:

[realms]
        EXAMPLE.COM = {
                kdc = 192.168.1.2
        }

I don't understand how a DNS server can answer an SRV record and not be
able to resolve the names it returns. We're either using a bad DNS server
or it must expect the client to recur on authority records 3 levels deep.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
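
The mismatch discussed in this thread (a server that answers the realm's SRV query but holds no address records for the targets it names) can be checked mechanically against the records a server actually returns. The Python below is an added example, not part of the original message or of MIT Kerberos; the record data, the kdc1/kdc2 hostnames and the function names are constructed for illustration.

```python
# Constructed sample records in "name TYPE rdata" form; not taken from the thread.
ZONE = """\
_kerberos._udp.example.com. SRV 0 100 88 kdc1.example.com.
_kerberos._udp.example.com. SRV 10 100 88 kdc2.example.com.
_kerberos._tcp.example.com. SRV 0 100 88 kdc1.example.com.
kdc2.example.com. A 192.168.1.2
"""

def parse_records(text):
    """Return a list of (owner, rtype, rdata-fields) from 'name TYPE rdata' lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file style comments
        if not line:
            continue
        owner, rtype, *rdata = line.split()
        records.append((owner.lower().rstrip("."), rtype.upper(), rdata))
    return records

def check_kdc_srv(records, realm):
    """List each KDC SRV target for the realm with the addresses the same data holds."""
    addrs = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(rdata[0])
    results = []
    for proto in ("udp", "tcp"):
        srv_name = f"_kerberos._{proto}.{realm.lower()}"
        for owner, rtype, rdata in records:
            if owner == srv_name and rtype == "SRV":
                prio, _weight, port, target = rdata
                target = target.lower().rstrip(".")
                results.append((proto, int(prio), int(port), target, addrs.get(target, [])))
    return sorted(results, key=lambda r: (r[0], r[1]))

def dangling_targets(records, realm):
    """SRV targets with no A/AAAA record: names a client is told to use but cannot reach."""
    return sorted({t for _, _, _, t, a in check_kdc_srv(records, realm) if not a})

if __name__ == "__main__":
    recs = parse_records(ZONE)
    for proto, prio, port, target, a in check_kdc_srv(recs, "EXAMPLE.COM"):
        print(f"{proto} prio={prio} {target}:{port} -> {a or 'NO ADDRESS'}")
    print("dangling:", dangling_targets(recs, "EXAMPLE.COM"))
```

A non-empty dangling list means the client depends on some other resolver to supply the KDC addresses; pinning `kdc = <address>` in krb5.conf, as tried above, sidesteps the lookup entirely.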
