[Samba] Reverse DNS, Kerberos, and Samba4 as a DC

Aaron Solochek aarons-samba at aberrant.org
Sun Sep 19 10:43:55 MDT 2010


On 09/18/2010 06:34 PM, Michael Wood wrote:
> On 15 September 2010 20:39, Alex Waite <awaite at mcw.edu> wrote:
>> Hey everyone,
>>    I'm one of those crazy people willing to try setting up Samba4 alpha in a
>> small production environment as a DC.  I've followed the Samba4 HowTo (which
>> is excellent by the way) and have a domain set up and functioning in a test
>> environment.
>>    My production network, however, is not quite as nice as my test network.
>>  I have convinced IT (I work for a group of research labs, independent of
>> the main IT group here) to delegate control of my department's subdomain to
>> a DNS server I control.  However, rDNS has turned out to be a real sticking
>> point.  Subnets are set up geographically here and I cannot have an entire
>> subnet assigned to my department.  I've brought up using Classless
>> in-addr.arpa. delegation (RFC 2317) or setting up our own VLAN, but movement
>> has been slow on these options.
>>    I've continued researching and it seems that it may be possible to set up
>> Kerberos without rDNS.  I'm having a difficult time finding hard information
>> on this, so I wanted to ask the Samba community what they know about this,
>> and if it's possible to configure Kerberos sans-rDNS to function correctly in a
>> Samba4 driven domain.
>>    Thank you to everyone for their hard work on this project, and for taking
>> the time to write such good documentation.  It really is quite helpful.
> 
> I'm not sure reverse DNS is actually important for Kerberos to work.
> The samba4 provision script does not even set up reverse DNS.
> 
> I've Cc'ed samba-technical for a better chance at an authoritative answer.
> 

Reverse DNS is certainly important for things like kerberized ssh.  Reverse DNS
is used to look up the host key for the machine you're connecting to.

-Aaron

