[Samba] Reverse DNS, Kerberos, and Samba4 as a DC

ERIK eric at bootz.us
Mon Sep 20 07:11:49 MDT 2010



This is definitely a difficulty on my end as well; I would like to
follow this thread if it happens to move over to a Kerberos list.

On 09/19/2010 05:53 PM, Andrew Bartlett wrote:
> On Sun, 2010-09-19 at 00:34 +0200, Michael Wood wrote:
>> On 15 September 2010 20:39, Alex Waite <awaite at mcw.edu> wrote:
>>> Hey everyone,
>>>    I'm one of those crazy people willing to try setting up Samba4 alpha in a
>>> small production environment as a DC.  I've followed the Samba4 HowTo (which
>>> is excellent by the way) and have a domain set up and functioning in a test
>>> environment.
>>>    My production network, however, is not quite as nice as my test network.
>>>  I have convinced IT (I work for a group of research labs, independent of
>>> the main IT group here) to delegate control of my department's subdomain to
>>> a DNS server I control.  However, rDNS has turned out to be a real sticking
>>> point.  Subnets are set up geographically here and I cannot have an entire
>>> subnet assigned to my department.  I've brought up using Classless
>>> in-addr.arpa. delegation (RFC 2317) or setting up our own VLAN, but movement
>>> has been slow on these options.
>>>    I've continued researching and it seems that it may be possible to set up
>>> Kerberos without rDNS.  I'm having a difficult time finding hard information
>>> on this, so I wanted to ask the Samba community what they know about this,
>>> and if it's possible to configure Kerberos sans-rDNS to function correctly in a
>>> Samba4 driven domain.
>>>    Thank you to everyone for their hard work on this project, and for taking
>>> the time to write such good documentation.  It really is quite helpful.
>>
>> I'm not sure reverse DNS is actually important for Kerberos to work.
>> The samba4 provision script does not even set up reverse DNS.
>>
>> I've Cc'ed samba-technical for a better chance at an authoritative answer.
> 
> The use of reverse DNS for Kerberos can introduce security holes and
> Windows does not use it in that way.  However, I think MIT Kerberos
> might, if you are intending to use unix hosts.  (It may also have
> options to turn this off.)
> 
> (This security issue can be solved in various ways; Windows chose to do
> so by putting the info about the alias names of a host in the KDC
> database, i.e. AD.)
> 
> Andrew Bartlett
> 
> 

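Added example, not part of the thread: a small Python model of the MIT krb5 name canonicalization Andrew refers to, showing why a reverse zone the domain admin does not control matters and what the `[libdefaults]` setting `rdns = false` changes. Host names, addresses, PTR data and the keytab contents are constructed.

```python
"""MIT krb5 host canonicalization with and without [libdefaults] rdns (see thread).
DNS data below is constructed; nothing is looked up.  krb5 resolves the name
forward (getaddrinfo, AI_CANONNAME) and, when rdns = true (the default), maps
the address back via its PTR record and uses that name in host/<name>@REALM.
With rdns = false (or dns_canonicalize_hostname = false) the PTR is ignored.
"""

REALM = "LAB.EXAMPLE.COM"

# Constructed forward records: queried name -> (canonical name, address).
FORWARD_DNS = {
    "fs1.lab.example.com": ("fs1.lab.example.com", "192.0.2.10"),
    "fs1": ("fs1.lab.example.com", "192.0.2.10"),                    # short name
    "files.lab.example.com": ("fs1.lab.example.com", "192.0.2.10"),  # CNAME
}

# Constructed PTR records: address -> name.  PTR_FOREIGN models a reverse zone
# the domain admin does not control and which names the address differently.
PTR_OWNED = {"192.0.2.10": "fs1.lab.example.com"}
PTR_FOREIGN = {"192.0.2.10": "someone-else.corp.example.com"}


def canonical_host(hostname, ptr_table, rdns=True):
    """Host component krb5 would put into the service principal (lowercased)."""
    if hostname not in FORWARD_DNS:
        raise LookupError(f"no forward record for {hostname}")
    canonical, addr = FORWARD_DNS[hostname]
    if rdns:
        # A successful reverse lookup wins; krb5 keeps the forward canonical
        # name only when the PTR query fails.
        canonical = ptr_table.get(addr, canonical)
    return canonical.lower()


def service_principal(hostname, ptr_table, rdns=True, service="host"):
    return f"{service}/{canonical_host(hostname, ptr_table, rdns)}@{REALM}"


def principal_in_keytab(principal, keytab):
    """True if the server's keytab holds a key for the principal the client chose."""
    return principal in keytab


if __name__ == "__main__":
    keytab = {service_principal("fs1", PTR_OWNED)}  # key the server really has
    for label, table in (("owned PTR", PTR_OWNED), ("foreign PTR", PTR_FOREIGN)):
        for rdns in (True, False):
            p = service_principal("fs1", table, rdns=rdns)
            ok = principal_in_keytab(p, keytab)
            print(f"{label:12} rdns={rdns!s:5} -> {p}  {'OK' if ok else 'MISMATCH'}")
```

With rdns left at its default, a PTR record in a zone you do not own decides which principal clients ask the KDC for; with `rdns = false` only the forward zone you were delegated matters.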

