dns_lookup_realm

Alexander Bokovoy ab at samba.org
Thu Nov 16 10:24:43 UTC 2017


On Thu, 16 Nov 2017, Andrew Bartlett via samba-technical wrote:
> On Wed, 2017-11-15 at 10:42 -0800, Richard Sharpe wrote:
> > On Wed, Nov 15, 2017 at 9:54 AM, Andrew Bartlett via samba-technical
> > <samba-technical at lists.samba.org> wrote:
> > > On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via samba-technical
> > > wrote:
> > 
> > [deletia]
> > > > Hi Ralph, would you like to try that again with the Samba recommended
> > > > krb5.conf ?
> > > > 
> > > > Which is:
> > > > 
> > > > [libdefaults]
> > > >         default_realm = RIVERSIDE.SITE
> > > >         dns_lookup_realm = false
> > > >         dns_lookup_kdc = true
> > > > 
> > 
> > Wait. Is this recommended just for Samba as an AD DC or for Samba as a
> > member server or both?
> > 
> > AFAIK, you really do not want dns_lookup_realm = false for Samba as a
> > member server, but if I am wrong it would be good to know why.
> 
> dns_lookup_realm refers to an interesting hack where Heimdal (only?)
> will do a lookup for a magic TXT DNS record (_kerberos) hoping to find
> the kerberos realm for the DNS domain.  
MIT Kerberos does the same.

> AD does this differently (referrals on the DC side), and doesn't have
> the realm record. 
Yes, AD doesn't support TXT DNS record and everything is done via
clients talking to their domain controller, hoping to get a referral
back, if needed.

-- 
/ Alexander Bokovoy
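Added example, in Python, written for this archive page and not taken from the thread, from Samba or from MIT/Heimdal source: it models the host-to-realm resolution order the discussion is about. Static `[domain_realm]` mappings are consulted first; the `_kerberos` TXT walk that both MIT Kerberos and Heimdal perform happens only when `dns_lookup_realm` is true; `default_realm` is the fallback. The TXT data is a constructed stand-in, and the walk stopping before the bare top-level label is an assumed simplification of the libraries' behaviour. Since an AD client is handed referrals by its DC rather than reading this record, pinning `dns_lookup_realm = false` plus `default_realm` (the config quoted above) removes a decision that would otherwise rest on an unauthenticated DNS answer.

```python
from typing import Dict, List, Optional

# Constructed stand-in for DNS TXT answers (example data, not a real zone).
FAKE_TXT_RECORDS: Dict[str, List[str]] = {
    "_kerberos.riverside.site": ["RIVERSIDE.SITE"],
}


def candidate_txt_names(hostname: str) -> List[str]:
    """Owner names a client would query, most specific first.

    Assumed simplification: the walk stops before the bare top-level
    label, so "_kerberos.site" is never asked for.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels) - 1)]


def static_domain_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """[domain_realm] match: exact host name first, then parent domains
    written with a leading dot, longest suffix first."""
    host = hostname.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def lookup_realm(hostname: str, dns_lookup_realm: bool,
                 default_realm: Optional[str] = None,
                 domain_realm: Optional[Dict[str, str]] = None,
                 txt_records: Dict[str, List[str]] = FAKE_TXT_RECORDS) -> Optional[str]:
    """Map a host to a realm in the order a krb5 client uses:

    1. static [domain_realm] config (administrator controlled, trusted);
    2. only if dns_lookup_realm is true, the _kerberos TXT walk, which
       takes whatever plain DNS answers;
    3. default_realm as the last resort (None if unset).
    """
    if domain_realm:
        realm = static_domain_realm(hostname, domain_realm)
        if realm:
            return realm
    if dns_lookup_realm:
        for name in candidate_txt_names(hostname):
            answers = txt_records.get(name)
            if answers:
                return answers[0].upper()
    return default_realm


if __name__ == "__main__":
    host = "fs01.corp.riverside.site"
    # The quoted recommended config: realm pinned, no TXT walk at all.
    print(lookup_realm(host, dns_lookup_realm=False, default_realm="RIVERSIDE.SITE"))
    # dns_lookup_realm = true: the realm comes from whoever answers the TXT query.
    print(lookup_realm(host, dns_lookup_realm=True))
```

Run it as a script to see both paths print `RIVERSIDE.SITE`; the difference is that the first result never touches DNS, while the second is only as trustworthy as the resolver's answer for `_kerberos.riverside.site`.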


