[Samba] Reverse DNS, Kerberos, and Samba4 as a DC

Andrew Bartlett abartlet at samba.org
Sun Sep 19 15:53:23 MDT 2010 

On Sun, 2010-09-19 at 00:34 +0200, Michael Wood wrote:
> On 15 September 2010 20:39, Alex Waite <awaite at mcw.edu> wrote:
> > Hey everyone,
> >    I'm one of those crazy people willing to try setting up Samba4 alpha in a
> > small production environment as a DC.  I've followed the Samba4 HowTo (which
> > is excellent by the way) and have a domain setup and functioning in a test
> > environment.
> >    My production network, however, is not quite as nice as my test network.
> >  I have convinced IT (I work for a group of research labs, independent of
> > the main IT group here) to delegate control of my department's subdomain to
> > a DNS server I control.  However, rDNS has turned out to be a real sticking
> > point.  Subnets are setup geographically here and I cannot have an entire
> > subnet assigned to my department.  I've brought up using Classless
> > in-addr.arpa. delegation (RFC 2317) or setting up our own VLAN, but movement
> > has been slow on these options.
> >    I've continued researching and it seems that it may be possible to setup
> > Kerberos without rDNS.  I'm having a difficult time finding hard information
> > on this, so I wanted to ask the Samba community what they know about this,
> > and if it's possible configure Kerberos sans-rDNS to function correctly in a
> > Samba4 driven domain.
> >    Thank you to everyone for their hard work on this project, and for taking
> > the time to write such good documentation.  It really is quite helpful.
> 
> I'm not sure reverse DNS is actually important for Kerberos to work.
> The samba4 provision script does not even set up reverse DNS.
> 
> I've Cc'ed samba-technical for a better chance at an authoritative answer.

The use of reverse DNS for Kerberos can introduce security holes and
Windows does not use it in that way.  However, I think MIT Kerberos
might, if you are intending to use unix hosts.  (It may also have
options to turn this off). 

(This security issue can be solved in various ways, Windows chose to do
so by putting the info about the alias names of a host in the KDC
database - ie AD). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba/attachments/20100920/3187b58a/attachment-0001.pgp>

More information about the samba mailing list