Can I use CNAMEs in my Krb5.conf file

CXMelga

Hello, can someone please help me with the following question?

If I have a Krb5.conf file like the following:

[libdefaults]
default_realm = MyDomain.Pri
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
forwardable = true
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
DEV.LOCAL = {
kdc = DC01.MyDomain.Pri
kdc = DC02.MyDomain.Pri
kdc = SDC03.MyDomain.Pri
admin_server = DC03.MyDomain.Pri
default_domain = MyDomain.Pri
}
[domain_realm]
.MyDomain.Pri = MyDomain.Pri
MyDomain.Pri = MyDomain.Pri


Can I use CNAMEs rather than host FQDNs? For example, can I replace
kdc = DC01.MyDomain.Pri
with
kdc = DC-VIP.MyDomain.Pri

I would like to use a CNAME so I can change the backend server (AD Domain Controllers in this case), e.g. repoint the CNAME record at a later date without the necessity to update the Krb5.conf file, or the CNAME points to a load balancer.

Any advice most welcome

Thanks everyone
CXMelga
 


I haven't tested it, but I would think adding this to your /etc/hosts file would make this work.
It will override DNS and AD.
 
Thanks very much for taking the time to reply to my message.

The host with the Krb5.conf file on it will share the same DNS servers as Active Directory does. Therefore querying a record, be it an A record or a CNAME record, should work as a normal DNS query.

I was mainly wondering if it is a good or bad idea (or against a particular RFC) using a CNAME rather than an A record in the Krb5.conf file. Theoretically, as long as the standard DNS lookups of CNAME/A records work, it should be OK I guess. I just wanted people's opinion in case I am missing something?

Thanks all
CXMelga
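
One way to check on the client how each kdc name in the file resolves, as an added example that is not part of the original thread: it parses the [realms] section of a krb5.conf like the one posted above and reports whether each kdc entry is reached directly or through an alias. The function names, the sample stanza and the FAKE_DNS answers (including the DC-VIP to DC01 mapping) are constructed assumptions; on a real host the default resolver, socket.gethostbyname_ex, uses the system lookup order, so an /etc/hosts entry also affects the result.

```python
import re
import socket

# Constructed sample: the [realms] stanza from the question with the proposed alias.
SAMPLE_CONF = """\
[realms]
DEV.LOCAL = {
kdc = DC-VIP.MyDomain.Pri
kdc = DC02.MyDomain.Pri:88
}
"""

def kdc_entries(conf_text):
    """Return {realm: [kdc host, ...]} parsed from the [realms] section."""
    realms, section, realm = {}, None, None
    for line in map(str.strip, conf_text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif section != "realms" or line[:1] in ("", "#", ";"):
            continue  # other sections, blank lines and comments
        elif line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = []
        elif line.startswith("}"):
            realm = None
        elif realm and (m := re.match(r"kdc\s*=\s*(\S+?)(:\d+)?$", line)):
            realms[realm].append(m.group(1))  # host without optional :port
    return realms

def classify(host, resolver=socket.gethostbyname_ex):
    """Return (kind, canonical name); kind is alias, direct or unresolved."""
    try:
        canonical = resolver(host)[0]
    except OSError:  # gaierror and herror are OSError subclasses
        return ("unresolved", None)
    same = canonical.rstrip(".").lower() == host.rstrip(".").lower()
    return ("direct" if same else "alias", canonical)

FAKE_DNS = {  # constructed answers (documentation addresses) for offline runs
    "dc-vip.mydomain.pri": ("DC01.MyDomain.Pri", ["DC-VIP.MyDomain.Pri"], ["192.0.2.10"]),
    "dc02.mydomain.pri": ("DC02.MyDomain.Pri", [], ["192.0.2.11"])}

def fake_resolver(name):
    if name.lower() not in FAKE_DNS:
        raise socket.gaierror("constructed: no such host")
    return FAKE_DNS[name.lower()]

if __name__ == "__main__":
    for realm, hosts in kdc_entries(SAMPLE_CONF).items():
        print(realm, [(h,) + classify(h, fake_resolver) for h in hosts])
```

To run it against live DNS, call classify(host) without the second argument for each name returned by kdc_entries.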
 
