Configuring trust with a Unix Kerberos realm without manual configuration of Windows hosts

  • Question

  • Dear Colleagues,

    I have been able to ssh from a Windows host (using Centrify PuTTY) to a FreeBSD host using a cross-realm trust between a w2k domain and a Heimdal realm.

    However, I had to manually configure the Windows host for this to work: "ksetup /addkdc MY.UNIX.REALM server1 server2".

    Do you know how I can avoid manually configuring every Windows host before I can use the trust? The relevant _kerberos SRV records are set up for the Unix domain, but somehow Windows wouldn't look up the information published in DNS.

    TIA for any input.

    Thursday, January 27, 2011 3:56 AM

All replies

  • I forget. "ksetup /?" says that

    /AddKdc <RealmName> [KdcName]
            Defines a KDC entry for the given realm.
            If KdcName omitted, DNS may be used to locate KDCs.

    But somehow when I omit the kdcname, this "may" never happens. If you have ever made DNS lookups work, please share a success story. http://technet.microsoft.com/en-us/library/cc783391%28WS.10%29.aspx says, "Kerberos can use DNS to locate KDCs, using only the realm name but must be specially configured to do so". Exactly what special configuration is required?

    Thursday, January 27, 2011 3:59 AM