Kerberos in a setup with several A-records to the same IP-address
Hello all,
allow me to contact the enterprise list (Cc: debian-edu), because here
are probably some experts around that can help with the following issue:
When working on the integration of Kerberos for debian-edu, I
encountered the following problem:
My DNS provides several A-records for the IP-address of my KDC (which
provides some more services), i.e. the host command returns:
root@tjener:~# host 10.0.2.2
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
2.2.0.10.in-addr.arpa domain name pointer domain.intern.
2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
2.2.0.10.in-addr.arpa domain name pointer syslog.intern.
There are host and service tickets for tjener.intern only.
If I try to fetch a service ticket now, in 5 of 6 cases I get an error
in the logs because a principal like nfs/syslog.intern@INTERN is
missing. Only if the KDC is asked (by chance (?)) for
nfs/tjener.intern@INTERN, things work as they should. (Some more
detail here: <URL:http://lists.debian.org/debian-edu/2011/01/msg00041.html>)
My questions are now:
Can I use several A-records in combination with Kerberos and if yes, how?
Is there a common way of setting up the (Kerberos-) system with regard
to the DNS, i.e. are there some "best practices" or recommendations?
Many thanks in advance,
Andi
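
An added example, not part of the original message: a small Python check that turns the quoted `host` output into the nfs principals a client could end up requesting and compares them with the principals that exist. It assumes the client builds the service principal from whichever PTR name the reverse lookup returns; the `EXISTING` set and all function names are constructed for illustration.

```python
import re

# `host 10.0.2.2` output exactly as quoted in the message above.
HOST_OUTPUT = """\
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
2.2.0.10.in-addr.arpa domain name pointer domain.intern.
2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
2.2.0.10.in-addr.arpa domain name pointer syslog.intern.
"""

# Assumption: principal list reconstructed from "host and service tickets
# for tjener.intern only"; substitute the KDC's actual principal list.
EXISTING = {"host/tjener.intern@INTERN", "nfs/tjener.intern@INTERN"}

PTR_LINE = re.compile(r"^\S+\s+domain name pointer\s+(\S+?)\.?$")


def ptr_names(host_output):
    """Names from 'domain name pointer' lines, lower-cased, trailing dot removed."""
    names = []
    for line in host_output.splitlines():
        match = PTR_LINE.match(line.strip())
        if match and match.group(1).lower() not in names:
            names.append(match.group(1).lower())
    return names


def principal_coverage(host_output, service, realm, existing):
    """Map every principal a reverse lookup could yield to whether it exists."""
    return {
        f"{service}/{name}@{realm}": f"{service}/{name}@{realm}" in existing
        for name in ptr_names(host_output)
    }


def missing_principals(host_output, service, realm, existing):
    """Principals a client may request that the KDC cannot issue a ticket for."""
    coverage = principal_coverage(host_output, service, realm, existing)
    return [principal for principal, ok in coverage.items() if not ok]


if __name__ == "__main__":
    for principal, ok in principal_coverage(HOST_OUTPUT, "nfs", "INTERN", EXISTING).items():
        print(f"{'ok     ' if ok else 'MISSING'}  {principal}")
```
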