Kerberized services only work on AD DNS subdomain
Hello all,
I'm experiencing an issue with Kerberos authentication that doesn't seem quite right. My servers are bound in a Cylinder of Destiny to our OD and AD with a grip of augment records for our users.
My servers are configured with two DNS domains. *.jour.umt.edu has been our legacy connection since ... well as long as we've had DNS. Our machines are bound into an AD @ gs.umt.edu. Consequently our server's primary DNS has been jsrv06.jour.umt.edu but we also get jsrv06.gs.umt.edu by virtue of being bound to the domain.
Our OD is correctly configured to not have the KDC running. My servers are bound and kerberized correctly, and I can make a successful Kerberos auth and connections via afp/smb as long as I connect to the AD DNS name of the server, i.e. jsrv06.gs.umt.edu. Connections to jsrv06.jour.umt.edu fall back to standard authentication.
My krb5.keytab has principals for both domains:
[code]
27 afpserver/jsrv06.jour.umt.edu@GS.UMT.EDU (ArcFour with HMAC/md5)
27 afpserver/jsrv06.jour.umt.edu@GS.UMT.EDU (DES cbc mode with CRC-32)
27 afpserver/jsrv06.jour.umt.edu@GS.UMT.EDU (DES cbc mode with RSA-MD5)
27 afpserver/jsrv06.jour.umt.edu@GS.UMT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
27 afpserver/jsrv06.jour.umt.edu@GS.UMT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC)

27 afpserver/jsrv06.gs.umt.edu@GS.UMT.EDU (ArcFour with HMAC/md5)
27 afpserver/jsrv06.gs.umt.edu@GS.UMT.EDU (DES cbc mode with CRC-32)
27 afpserver/jsrv06.gs.umt.edu@GS.UMT.EDU (DES cbc mode with RSA-MD5)
27 afpserver/jsrv06.gs.umt.edu@GS.UMT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
27 afpserver/jsrv06.gs.umt.edu@GS.UMT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC)
[/code]
I've even tried to change the kerberosPrincipal in the com.apple.AppleFileServer.plist, but that makes Kerberos authentication fail when connecting to *.jour.umt.edu [i]and[/i] *.gs.umt.edu
Now I feel like a bit of an idiot here, but is this the expected behavior? I feel like there was a time when I could connect with Kerberos auth to our *.jour.umt.edu domain from a bound client. It's possible that I have this memory from using an OD user when we had a JOUR.UMT.EDU Kerberos domain. If this is expected behavior why are there jsrv06.jour.umt.edu@GS.UMT.EDU principals?
Thanks for taking the time to read this, and as always, any help is appreciated.
Thanks,
Peet