Kerberos with DNS CNAMEs

  • #377112
    tomwelch
    Participant

    Good afternoon.

    I was wondering if anyone has tried this or has it working? I’m trying it on Snow Leopard Server but would equally like to know if anyone has succeeded on Leopard Server.

    I have a server set up as my Open Directory Master. It has a FQDN of server01.domain.com. I have also set up some DNS CNAMEs: mail.domain.com and ical.domain.com. The server is also running Mail and iCal.

    When I configure Apple Mail and iCal to connect to my server using the DNS name server01.domain.com and Kerberos for the authentication, everything works perfectly. However, if I edit the settings for mail to connect to mail.domain.com, I get a Kerberos ticket given to me but mail will not connect. I have the exact same problem with iCal if I set the DNS name to ical.domain.com.

    I guess I need to add these to a Kerberos configuration file somewhere, but that’s as far as I’ve got.

    Any thoughts would be hugely appreciated!

    Thanks in advance.

    Tom

    #377143
    arekdreyer
    Member

    The issue you are running into is that when you kerberized your 10.5 server’s services, you (well, the OS) created service principals based on your hostname. If you issue “sudo klist -t” you’ll see principals based on your hostname, not on the CNAME.

    So you’d need to create a new service principal based on the CNAME, which you could do with kadmin.local.

    Then you’d need to configure each service to use the principal you just created, which I haven’t done.
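
The mismatch described in the reply above can be checked before touching any service configuration. The following is an added example, not part of either post: it parses plain `klist -k` keytab output and lists the service principals that have no key for the names clients connect to. The realm `DOMAIN.COM`, the service names, and the sample keytab listing are constructed assumptions; only the host names come from the thread.

```python
import re

# Constructed sample of plain `klist -k` output (MIT layout). The realm and
# the service names are assumptions; only the host names are from the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   3 imap/server01.domain.com@DOMAIN.COM
   3 smtp/server01.domain.com@DOMAIN.COM
   3 http/server01.domain.com@DOMAIN.COM
   4 imap/mail.domain.com@DOMAIN.COM
"""

# One keytab entry: "<kvno> <service>/<host>@<REALM>"
ENTRY = re.compile(r"^\s*\d+\s+(?P<svc>[^/@\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)\s*$")


def keytab_principals(klist_text):
    """Return the set of (service, host, realm) tuples in klist -k output."""
    found = set()
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m:
            # Host names are compared case-insensitively; service and realm
            # are kept exact because principal names are case-sensitive.
            found.add((m["svc"], m["host"].lower(), m["realm"]))
    return found


def missing_spns(klist_text, wanted, realm):
    """wanted maps each name clients connect to -> services reached by it.

    Returns, sorted, every service/host@REALM the keytab holds no key for.
    """
    have = keytab_principals(klist_text)
    return sorted(
        f"{svc}/{host}@{realm}"
        for host, services in wanted.items()
        for svc in services
        if (svc, host.lower(), realm) not in have
    )


if __name__ == "__main__":
    wanted = {"server01.domain.com": ["imap", "smtp", "http"],
              "mail.domain.com": ["imap", "smtp"],
              "ical.domain.com": ["http"]}
    for spn in missing_spns(SAMPLE_KLIST, wanted, "DOMAIN.COM"):
        print("no key in keytab for", spn)
```

Every principal it reports is one that would have to be created and added to the keytab the service reads before a client configured with that alias can authenticate.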
