On Wed, Jan 28, 2009 at 5:38 AM, Morten Sylvest Olsen <[email protected]> wrote:
> Hi,
>
> I have an issue integrating Kerberos to AD. I believe they have an
> error in their DNS setup (based on the amount of trouble I've had
> through the years with Active Directory and DNS, yuck), but I'd like a
> second opinion before I yell at the AD admins.
>
> The problem is that a number of AD servers in a sub-domain/sub-realm
> resolve to a name in a higher-level domain when doing a reverse
> lookup.
>
> I.e. ad1.ext.domain.org -> 1.2.3.4
> When doing a reverse lookup on 1.2.3.4 I'd get ad1.domain.org
>
> This fools Kerberos and it tries to get a key for ldap/ad1.domain.org
> instead of ldap/ad1.ext.domain.org (MIT Kerberos 1.6.1 on Red Hat Linux
> 5).
>
> I can work around it by messing with /etc/hosts, of course.
>
> Does anyone know whether this is a "supported" configuration for
> Kerberos?
Hi Morten,

It's not clear to me what component is doing a reverse lookup. What software is actually getting the name mixed up? Is it an LDAP client? What LDAP client with what Kerberos implementation? What exactly is the hostname that you are using with said client? You're not using an IP address where an FQDN hostname should be, right?

I'm not aware of any software that uses a reverse lookup to change the hostname before composing the principal name used to request a ticket (I would not be surprised if such a thing existed, but if it did I would consider it broken). Of course, if you supplied an IP address instead, the client would have to do a reverse lookup, and that would certainly explain the behavior you see (which I think I might still consider broken). Or perhaps the client cannot resolve the hostname that was supplied and there is some fallback code that is doing a reverse lookup (which, again, I think I might still consider broken)?

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
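The behaviour Morten describes matches the MIT krb5 library's own service-principal canonicalization, which reverse-resolves the host's address when the [libdefaults] rdns setting is on (the default), so a mismatched PTR record silently changes both the host part and, via domain-to-realm mapping, the realm. The following is an added example, not code from either poster: it models that canonicalization step against constructed DNS answers that mirror the thread and provides a defender-side check that flags hosts whose PTR record disagrees with their forward name. The realm-mapping table is an assumption standing in for a [domain_realm] section.

```python
"""Added example (not from the thread): MIT-style service-principal
canonicalization with and without reverse DNS, plus a consistency check.
DNS answers are constructed to mirror the thread; the realm mapping is an
assumed [domain_realm]-style table."""

FORWARD = {"ad1.ext.domain.org": "1.2.3.4"}      # constructed A record
REVERSE = {"1.2.3.4": "ad1.domain.org"}          # constructed PTR record
DOMAIN_REALM = {".ext.domain.org": "EXT.DOMAIN.ORG", ".domain.org": "DOMAIN.ORG"}

def realm_for_host(host):
    """Longest matching domain suffix wins, as in [domain_realm]."""
    matches = [s for s in DOMAIN_REALM if host.endswith(s)]
    if not matches:
        raise ValueError("no realm mapping for " + host)
    return DOMAIN_REALM[max(matches, key=len)]

def canonical_host(host, rdns):
    """Forward-resolve, then if rdns is on replace the name with the PTR
    answer, which is what the krb5 library does when rdns = true."""
    host = host.lower().rstrip(".")
    addr = FORWARD.get(host)
    if addr is None:
        raise LookupError(host + " does not resolve")
    if rdns and addr in REVERSE:
        host = REVERSE[addr].lower().rstrip(".")
    return host

def service_principal(service, host, rdns=True):
    chost = canonical_host(host, rdns)
    return "%s/%s@%s" % (service, chost, realm_for_host(chost))

def check_ptr_consistency(host):
    """Report hosts whose PTR disagrees with the forward name; they will be
    mis-canonicalized (wrong host and possibly wrong realm) under rdns."""
    fwd, rev = canonical_host(host, False), canonical_host(host, True)
    problems = []
    if fwd != rev:
        problems.append("%s: A -> %s but PTR -> %s" % (host, FORWARD[fwd], rev))
        if realm_for_host(fwd) != realm_for_host(rev):
            problems.append("%s: realm %s vs %s" % (host, realm_for_host(fwd), realm_for_host(rev)))
    return problems

if __name__ == "__main__":
    print(service_principal("ldap", "ad1.ext.domain.org", rdns=True))   # ldap/ad1.domain.org@DOMAIN.ORG
    print(service_principal("ldap", "ad1.ext.domain.org", rdns=False))  # ldap/ad1.ext.domain.org@EXT.DOMAIN.ORG
    for line in check_ptr_consistency("ad1.ext.domain.org"):
        print("WARN", line)
```

Running the check across every KDC and LDAP host before rollout finds the inconsistent PTR records that would otherwise surface as "server not found in Kerberos database" errors; fixing the reverse zone (or setting rdns = false in krb5.conf) removes the mismatch.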
