dns_lookup_realm
Andrew Bartlett
abartlet at samba.org
Wed Nov 15 18:58:57 UTC 2017
On Wed, 2017-11-15 at 10:42 -0800, Richard Sharpe wrote:
> On Wed, Nov 15, 2017 at 9:54 AM, Andrew Bartlett via samba-technical
> <samba-technical at lists.samba.org> wrote:
> > On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via samba-technical
> > wrote:
>
> [deletia]
> > > Hi Ralph, would you like to try that again with the Samba recommended
> > > krb5.conf ?
> > >
> > > Which is:
> > >
> > > [libdefaults]
> > > default_realm = RIVERSIDE.SITE
> > > dns_lookup_realm = false
> > > dns_lookup_kdc = true
> > >
>
> Wait. Is this recommended just for Samba as an AD DC or for Samba as a
> member server or both?
>
> AFAIK, you really do not want dns_lookup_realm = false for Samba as a
> member server, but if I am wrong it would be good to know why.
dns_lookup_realm refers to an interesting hack where Heimdal (only?)
will do a lookup for a magic TXT DNS record (_kerberos) hoping to find
the kerberos realm for the DNS domain.
AD does this differently (referrals on the DC side), and doesn't have
the realm record.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list