[Samba] Reverse DNS, Kerberos, and Samba4 as a DC
ERIK
eric at bootz.us
Mon Sep 20 07:11:49 MDT 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is definitely a difficulty on my end as well, I would like to
follow this thread if it happens to move over to a kerberos list.
On 09/19/2010 05:53 PM, Andrew Bartlett wrote:
> On Sun, 2010-09-19 at 00:34 +0200, Michael Wood wrote:
>> On 15 September 2010 20:39, Alex Waite <awaite at mcw.edu> wrote:
>>> Hey everyone,
>>> I'm one of those crazy people willing to try setting up Samba4 alpha in a
>>> small production environment as a DC. I've followed the Samba4 HowTo (which
>>> is excellent by the way) and have a domain setup and functioning in a test
>>> environment.
>>> My production network, however, is not quite as nice as my test network.
>>> I have convinced IT (I work for a group of research labs, independent of
>>> the main IT group here) to delegate control of my department's subdomain to
>>> a DNS server I control. However, rDNS has turned out to be a real sticking
>>> point. Subnets are setup geographically here and I cannot have an entire
>>> subnet assigned to my department. I've brought up using Classless
>>> in-addr.arpa. delegation (RFC 2317) or setting up our own VLAN, but movement
>>> has been slow on these options.
>>> I've continued researching and it seems that it may be possible to setup
>>> Kerberos without rDNS. I'm having a difficult time finding hard information
>>> on this, so I wanted to ask the Samba community what they know about this,
>>> and if it's possible configure Kerberos sans-rDNS to function correctly in a
>>> Samba4 driven domain.
>>> Thank you to everyone for their hard work on this project, and for taking
>>> the time to write such good documentation. It really is quite helpful.
>>
>> I'm not sure reverse DNS is actually important for Kerberos to work.
>> The samba4 provision script does not even set up reverse DNS.
>>
>> I've Cc'ed samba-technical for a better chance at an authoritative answer.
>
> The use of reverse DNS for Kerberos can introduce security holes and
> Windows does not use it in that way. However, I think MIT Kerberos
> might, if you are intending to use unix hosts. (It may also have
> options to turn this off).
>
> (This security issue can be solved in various ways, Windows chose to do
> so by putting the info about the alias names of a host in the KDC
> database - ie AD).
>
> Andrew Bartlett
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJMl12VAAoJEERE2zkyxRdk0mgH/1Pw6j6O7LavxzZlDgt6s/oh
mWL2V4xSKwbCrPnnGjmn+TQGbXXLUbxSy7v7C4cBJSE6P4+1Q5QAzWGvL8CE/3Qz
WqoYlbofE3Omoeu3ZDZKyeK7GGP46mBNlGRfLhyf5GvuA5T2nT1kWqpcFE/kvWYu
VtuG14DmzZ816vIy+XbKIsaYU9r0TE2kl0CwvwlnQ138zWPiILY7rD65wG4I7odV
u8AbjjKUlG2idCde8KnCeaLa/tSt/uI1VVlNyUy3NeEHVYh4qM3HvScAzJ6swCAf
AOyVqSilWvMCiR7uG9IVeR62worU28TRWQxt7cpD/H5alv8brjRqVfs4/12fVhA=
=i4rz
-----END PGP SIGNATURE-----
More information about the samba
mailing list