CNAMEs instead of explicit host names

CNAMEs instead of explicit host names

Cory Albrecht
Am I going to run into any trouble if I use a CNAME that redirects to my KDCs'
actual hostnames instead of explicitly listing all of them in krb5.conf on
the clients? That way I wouldn't have to copy new krb5.confs to the client
hosts, just update the DNS entry.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: CNAMEs instead of explicit host names

Karl Kornel
On 8/24/18, 1:48 PM, "[hidden email] on behalf of Cory Albrecht" <[hidden email] on behalf of [hidden email]> wrote:

    Am I going to run into any trouble if I use a CNAME that redirects to my KDCs'
    actual hostnames instead of explicitly listing all of them in krb5.conf on
    the clients? That way I wouldn't have to copy new krb5.confs to the client
    hosts, just update the DNS entry.
   
We do something similar; check out the krb5.conf linked at https://uit.stanford.edu/service/kerberos/unix_install

krb5auth[1,2,3].stanford.edu are CNAMEs to whichever KDC we want people to query first/second/third.  

--
A. Karl Kornel | System Administrator
Research Computing | Stanford University
+1 (650) 736-9327

