1. Forum
  2. Usenet
  3. COMP.PROTOCOLS.KERBEROS

  • define own SRV-record

    From Stefan Kania@21:1/5 to All on Wed Feb 26 19:39:19 2025
    This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------GbCsLc07SgYvhfYRaJVFRpKC
    Content-Type: multipart/mixed; boundary="------------xOZ0RcZVOOR6gGHRgflH0lzc"

    --------------xOZ0RcZVOOR6gGHRgflH0lzc
    Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

    SGkgdG8gYWxsLA0KDQpJJ20gaGF2aW5nIHRoZSBmb2xsb3dpbmcgcHJvYmxlbToNCg0KSSBz ZXQgdXAgYW4gb3BlbmxkYXAgd2l0aCBrZXJiZXJvcywgbm93IEkgd2FudCB0byBhZGQgdGhl IHNydi1yZWNvcmRzIA0KZm9yIEtlcmJlcm9zLCBidXQgYXMgRE5TLVNlcnZlciB3ZSBNVVNU IHVzZSBhIEROUy1TZXJ2ZXIgZnJvbSBBY3RpdmUgDQpEaXJlY3RvcnkuIFNvIEkgY2FuJ3Qg YWRkIGEgc3J2LXJlY29yZCBfa2VyYmVyb3MuX3RjcCwgYmVjYXVzZSB0aGUgDQpkb21haW4g Y29udHJvbGxlciBvZiB0aGUgQUQgYXJlIGtlZXBpbmcgdGhlc2UgcmVjb3Jkcy4gU28gSSB3 b3VsZCBsaWtlIA0KdG8gYWRkIG15IG93biBzcnYtcmVjb3JkIGxpa2UgX29sa2VyYmVyb3Mu X3RjcCBzbyB0aGF0IEkgY2FuIHVzZSB0aGVzZSANCnNydi1yZWNvcmRzIGZvciBrcmI1LmNv bmYuIEknbSBhbHJlYWR5IGRvaW5nIHRoaXMgZm9yIHNzc2QsIGJlY2F1c2UgDQp0aGVyZSBJ IGNhbiBjb25maWd1cmUgdGhlIG5hbWUgb2YgdGhlIHNydi1yZWNvcmQuIENhbiBJIGRvIHRo ZSBzYW1lIGluIA0Ka3JiNS5jb25mPyBJZiB5ZXMgd2hhdCBkbyBJIGhhdmUgdG8gZG8/DQoN ClRoYW5rcw0KDQpTdGVmYW4NCg0K
    --------------xOZ0RcZVOOR6gGHRgflH0lzc--

    --------------GbCsLc07SgYvhfYRaJVFRpKC--

    -----BEGIN PGP SIGNATURE-----

    wnsEABYIACMWIQRsT9azWR5AolaZQIFS9tTdG7aKtQUCZ79f1wUDAAAAAAAKCRBS9tTdG7aKtV+1 AP9QxOarYE191FK9G3si2BCXKScBkdzZ9G4x3M9f1Azj2AEAmM9D0Np0h3F2sbY1oiiUtLH/jE/4 7+YHhq2oWKxhVAE=
    =i5q4
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeffrey Hutzelman@21:1/5 to Stefan Kania on Wed Feb 26 13:46:09 2025
    Copy: [email protected] (Jonathan Calmels via Kerberos)

    No; the names of these records are fixed by the standards. You can hand-configure the server names in krb5.conf instead of using DNS SRV
    records. However, even then, your Kerberos realm should not have the same
    name as a Windows domain -- that's essentially having two realms with the
    same name, which will not work out well.

    On Wed, Feb 26, 2025, 13:40 Stefan Kania <[email protected]> wrote:

    Hi to all,

    I'm having the following problem:

    I set up an openldap with kerberos, now I want to add the srv-records
    for Kerberos, but as DNS-Server we MUST use a DNS-Server from Active Directory. So I can't add a srv-record _kerberos._tcp, because the
    domain controller of the AD are keeping these records. So I would like
    to add my own srv-record like _olkerberos._tcp so that I can use these srv-records for krb5.conf. I'm already doing this for sssd, because
    there I can configure the name of the srv-record. Can I do the same in krb5.conf? If yes what do I have to do?

    Thanks

    Stefan

    ________________________________________________
    Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simo Sorce@21:1/5 to Stefan Kania on Wed Feb 26 14:11:20 2025
    To: [email protected]

    You are barking up the wrong tree because your request also means you
    intend to use the same kerberos realm for two distinct realms, and this
    will not work and end up in pain.
    Get your own subdomain (or a completely different second level domain),
    and then you will be able to create your own records there.

    On Wed, 2025-02-26 at 19:39 +0100, Stefan Kania wrote:
    Hi to all,

    I'm having the following problem:

    I set up an openldap with kerberos, now I want to add the srv-records
    for Kerberos, but as DNS-Server we MUST use a DNS-Server from Active Directory. So I can't add a srv-record _kerberos._tcp, because the
    domain controller of the AD are keeping these records. So I would like
    to add my own srv-record like _olkerberos._tcp so that I can use these srv-records for krb5.conf. I'm already doing this for sssd, because
    there I can configure the name of the srv-record. Can I do the same in krb5.conf? If yes what do I have to do?

    Thanks

    Stefan


    --
    Simo Sorce
    Distinguished Engineer
    RHEL Crypto Team
    Red Hat, Inc

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)