Hi folks,

One of the sites I maintain uses DNS SRV resource records to allow Debian squeeze workstations to discover three MIT Kerberos key servers. Like with all SRV records, it's possible to alter the priority value, but my question is, does this ever make a difference?

I suppose it depends on the applications being used. In this case I've got the krb5-config, krb5-user, kstart, libpam-krb5, libnss-ldapd and nslcd packages installed on the workstations. krb5.conf has no KDC entries configured, nslcd.conf includes "uri DNS", and it all works fine.

This particular site has three office locations, each with a local KDC. For the sake of redundancy, I used to have three SRV records, one for each KDC, listed in the internal DNS view for each office. I started out with each SRV record having the same priority. The problem with this configuration was that, if one particular location got cut off from the others, people at that site would have problems logging in. My guess was that the workstations were trying to contact the remote KDCs instead of the local one. Indeed, the solution was simply to remove the two SRV records for the remote KDCs. However, this means no redundancy.

So I tried an experiment: use three SRV records, but give the one for the local KDC the highest priority. Unfortunately, this way the system behaves just like in the first situation. So, now I'm back to using one SRV RR per location.

Any comments?

Cheers,
Jaap

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
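
Added example, not part of the original post: a sketch of the target ordering that RFC 2782 specifies for SRV clients, where the numerically lowest priority value is tried first and weight only breaks ties within one priority. The host names and record sets are constructed, and whether the Kerberos and nslcd libraries on the workstations follow this ordering is not stated in the post.

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

def order_srv(records, rng=random):
    """Return records in the order an RFC 2782 client tries them."""
    ordered = []
    # Lower priority value is tried first; higher values are fallbacks.
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        rng.shuffle(group)                       # "any order" per the RFC
        group.sort(key=lambda r: r.weight != 0)  # weight-0 records first
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered

def first_choice_share(records, target, trials=3000, seed=1):
    """Fraction of lookups in which `target` is the first KDC tried."""
    rng = random.Random(seed)
    hits = sum(order_srv(records, rng)[0].target == target
               for _ in range(trials))
    return hits / trials

# Constructed _kerberos._udp record sets as seen from one office.
LOCAL = "kdc-a.example.com"
REMOTE = ("kdc-b.example.com", "kdc-c.example.com")
EQUAL = [SRV(0, 0, 88, LOCAL)] + [SRV(0, 0, 88, t) for t in REMOTE]
LOCAL_LOWEST = [SRV(0, 0, 88, LOCAL)] + [SRV(10, 0, 88, t) for t in REMOTE]
LOCAL_HIGHEST = [SRV(10, 0, 88, LOCAL)] + [SRV(0, 0, 88, t) for t in REMOTE]

if __name__ == "__main__":
    for name, rrset in (("equal", EQUAL),
                        ("local has lowest value", LOCAL_LOWEST),
                        ("local has highest value", LOCAL_HIGHEST)):
        share = first_choice_share(rrset, LOCAL)
        print(f"{name}: local KDC tried first in {share:.0%} of lookups")
```

Comparing the three shares with the login behaviour observed during a site outage is one way to check whether a given client honours SRV priority at all.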
