MIT krb5 has no "site" support.



I have a problem. In Samba, I'm implementing awareness
of Microsoft AD "site" support. This is a way of grouping
AD domain controllers into "sites" along with clients,
based on IP address.

An administrator groups a range of client IP networks into
a "site", and KDCs whose IP addresses are on these networks
are "local" to that site and are contacted by preference for
a given realm.

On startup, a client does a DNS query for AD servers of the form:

_ldap._tcp.dc._msdcs.<DnsDomainName>

A CLDAP query is then done to one of these IP addresses, and
inside the reply is the "site" string for that client (all
AD DCs in a domain replicate the site information, so it can
look up what site any client is in from its IP address).

The client then does a DNS query of the form:

_kerberos._tcp.<site>._sites.dc._msdcs.<DnsDomainName>

Only KDCs local to that client's site will register that
name, so the client then has a local KDC to talk to (no
nasty WAN links needed :-).

My problem - I can replicate all the above inside the
Samba code, but as soon as I drop into the MIT krb5
code I have no way to associate an arbitrary IP address
as the particular KDC of the realm I'm in.

The MIT libraries do their own DNS queries, and I'm reduced
to writing out a custom krb5.conf file and setting an env.
variable to force them to go where I need them to go (local
to my site) in order to stop them potentially doing remote
KDC queries.

So, I either need MIT to add "site" support into the DNS
queries, or the ability for me to programmatically associate
a given IP address with the KDC for a given realm. I don't
mind which, but I think I need one or the other.

Comments (and code patches :-) welcome!

Jeremy Allison.
Samba Team.
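The workaround the post describes (do the site-aware DC location outside the library, then hand MIT krb5 a private krb5.conf that names only the site-local KDCs and turns off its own DNS lookups) can be sketched as a small standalone script. This is an added example, not Samba or MIT krb5 code; it assumes the site name has already been recovered from the CLDAP reply and that the SRV answers for the site-specific name are available as (priority, weight, port, target) tuples. The hostnames, realm and site below are constructed sample values. The `dns_lookup_kdc` setting and the `KRB5_CONFIG` environment variable are real MIT krb5 knobs; everything else is illustration.

```python
"""Pin MIT krb5 to site-local KDCs by generating a private krb5.conf.

Hypothetical helper (not Samba or MIT krb5 code). The caller supplies the
site name obtained from CLDAP and the SRV records returned for the
site-specific name; this module only builds the names, orders the records
and renders a config that keeps the library away from remote KDCs.
"""
import os
import tempfile


def dc_locator_name(dns_domain, site=None):
    """Return the SRV name a client queries: the domain-wide DC record, or
    the site-scoped KDC record once the client's site is known."""
    if site is None:
        return f"_ldap._tcp.dc._msdcs.{dns_domain}"
    return f"_kerberos._tcp.{site}._sites.dc._msdcs.{dns_domain}"


def order_srv(records):
    """Order SRV tuples (priority, weight, port, target) by ascending
    priority, then descending weight, as RFC 2782 clients prefer them."""
    return sorted(records, key=lambda r: (r[0], -r[1]))


def render_krb5_conf(realm, kdcs):
    """Render a krb5.conf that lists only the given (host, port) KDCs and
    disables the library's own SRV lookups, so nothing outside the list is
    ever contacted."""
    lines = [
        "[libdefaults]",
        f"    default_realm = {realm}",
        "    dns_lookup_kdc = false",
        "",
        "[realms]",
        f"    {realm} = {{",
    ]
    for host, port in kdcs:
        lines.append(f"        kdc = {host}:{port}")
    lines.append("    }")
    return "\n".join(lines) + "\n"


def build_site_config(realm, srv_records):
    """Turn the site-specific SRV answer into (kdc_list, krb5.conf text)."""
    ordered = order_srv(srv_records)
    kdcs = [(target.rstrip("."), port) for _, _, port, target in ordered]
    return kdcs, render_krb5_conf(realm, kdcs)


def pin_process_to(conf_text):
    """Write the config to a private file and point this process (and its
    children) at it via KRB5_CONFIG. Returns the path written."""
    fd, path = tempfile.mkstemp(prefix="krb5-site-", suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write(conf_text)
    os.environ["KRB5_CONFIG"] = path
    return path


# Constructed sample data: a client in site "Paris" of realm EXAMPLE.COM.
SAMPLE_REALM = "EXAMPLE.COM"
SAMPLE_DOMAIN = "example.com"
SAMPLE_SITE = "Paris"
SAMPLE_SRV = [
    (0, 100, 88, "dc1.paris.example.com."),
    (5, 100, 88, "dc3.paris.example.com."),
    (0, 200, 88, "dc2.paris.example.com."),
]

if __name__ == "__main__":
    print("bootstrap query:", dc_locator_name(SAMPLE_DOMAIN))
    print("site query:     ", dc_locator_name(SAMPLE_DOMAIN, SAMPLE_SITE))
    kdcs, conf = build_site_config(SAMPLE_REALM, SAMPLE_SRV)
    print(conf)
    print("KRB5_CONFIG =", pin_process_to(conf))
```

Two points worth keeping in mind with this approach: `KRB5_CONFIG` only affects the process that sets it and whatever it spawns, so every consumer of the library has to be started with the variable in place, and because `dns_lookup_kdc = false` removes the library's fallback entirely, the generated list must be refreshed whenever the site-specific SRV answer changes or the client will keep talking to KDCs that may no longer exist.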
