Re: GSS Authentication

From: Stephen Frost
Subject: Re: GSS Authentication
Msg-id: 20100612121933.GW21875@tamriel.snowman.net
In reply to: GSS Authentication (greigwise@comcast.net)
List: pgsql-general

Bryan,

* Bryan Montgomery (monty@english.net) wrote:
> On Sat, Jun 12, 2010 at 12:58 AM, Stephen Frost <sfrost@snowman.net> wrote:
> Can you elaborate on the DNS requirements? How would I check the reverse
> DNS? I assume just pinging both servers by hostname?

Kerberos depends on reverse DNS.  Reverse DNS is IP Address -> DNS Name
(rather than forward/regular DNS, which is Name -> IP).  Specifically,
when a Kerberos client connects to a server, it will take the IP address
of the host it connected to and try to find the name; it will then use
*that* name to determine what ticket to request from the KDC.

Realm: EXAMPLE.COM
Client system: client.example.com
Client IP: 10.10.10.1

Server system: server.example.com
Server IP: 10.10.10.20

Client connects to server and looks up "10.10.10.20" to find out the
server's name is "server.example.com"; it will then ask the KDC for
a "postgres/server.example.com@EXAMPLE.COM" ticket.  This allows the
server to have other aliases (eg: database.example.com) and for the
client to use that alias to connect to, but then only need 1 principal
(the server.example.com) in the KDC.

    Thanks,

        Stephen
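
The lookup chain described in the message above, as an added example that is not part of the original e-mail: it resolves the name the client connects to, reverse-resolves the IP, and builds the principal the client would request. The function names, the `orphan.example.com` host and the sample keytab set are constructed for illustration; the addresses and the `postgres` service name come from the message.

```python
import socket

def forward_lookup(name):
    """Name -> IP via the system resolver."""
    return socket.gethostbyname(name)

def reverse_lookup(ip):
    """IP -> name (PTR record) via the system resolver."""
    return socket.gethostbyaddr(ip)[0]

def expected_principal(connect_name, realm, service="postgres",
                       forward=forward_lookup, reverse=reverse_lookup):
    """Follow the message's steps: connect name -> IP -> reverse name -> principal."""
    ip = forward(connect_name)
    try:
        canonical = reverse(ip).rstrip(".").lower()
    except (OSError, KeyError):
        # No PTR record: the client cannot learn the server's name from its IP.
        return {"ip": ip, "canonical": None, "principal": None}
    return {"ip": ip, "canonical": canonical,
            "principal": f"{service}/{canonical}@{realm}"}

def diagnose(connect_name, realm, server_principals, **resolvers):
    """Compare the principal the client would request with those the server holds."""
    result = expected_principal(connect_name, realm, **resolvers)
    if result["principal"] is None:
        result["status"] = "no reverse DNS entry for " + result["ip"]
    elif result["principal"] in server_principals:
        result["status"] = "ok"
    else:
        result["status"] = "principal not in server keytab list"
    return result

# Constructed sample data mirroring the addresses in the message.
SAMPLE_FORWARD = {"server.example.com": "10.10.10.20",
                  "database.example.com": "10.10.10.20",
                  "orphan.example.com": "10.10.10.21"}  # constructed: no PTR record
SAMPLE_REVERSE = {"10.10.10.20": "server.example.com."}
SAMPLE_KEYTAB = {"postgres/server.example.com@EXAMPLE.COM"}

def sample_run(name):
    """Run the check against the constructed tables instead of live DNS."""
    return diagnose(name, "EXAMPLE.COM", SAMPLE_KEYTAB,
                    forward=SAMPLE_FORWARD.__getitem__,
                    reverse=SAMPLE_REVERSE.__getitem__)

if __name__ == "__main__":
    for host in SAMPLE_FORWARD:
        print(host, sample_run(host))
```

Calling `diagnose()` without the `forward` and `reverse` arguments runs the same check against the system resolver. MIT Kerberos controls this reverse lookup with the `rdns` option in the `[libdefaults]` section of `krb5.conf`.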
