Bryan,

* Bryan Montgomery (monty@xxxxxxxxxxx) wrote:
> On Sat, Jun 12, 2010 at 12:58 AM, Stephen Frost <sfrost@xxxxxxxxxxx> wrote:
> Can you elaborate on the DNS requirements? How would I check the reverse
> DNS? I assume just pinging both servers by hostname?

Kerberos depends on reverse DNS. Reverse DNS is IP Address -> DNS Name
(rather than forward/regular DNS, which is Name -> IP). Specifically, when a
Kerberos client connects to a server, it will take the IP address of the host
it connected to and try to find the name; it will then use *that* name to
determine what ticket to request from the KDC.

Realm: EXAMPLE.COM
Client system: client.example.com
Client IP: 10.10.10.1
Server system: server.example.com
Server IP: 10.10.10.20

Client connects to server and looks up "10.10.10.20" to find out the server's
name is "server.example.com"; it will then ask the KDC for a
"postgres/server.example.com@xxxxxxxxxxx" ticket. This allows the server to
have other aliases (e.g. database.example.com) and for the client to use that
alias to connect to, but then only need 1 principal (the server.example.com)
in the KDC.

Thanks,

Stephen
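The lookup sequence Stephen describes, worked through as an added example that is not part of the original thread: the FORWARD and REVERSE tables are constructed stand-ins for DNS data, and `service_principal()` / `check_rdns_consistency()` are hypothetical helpers rather than any Kerberos library's API. It also shows the two failure modes a DBA would want to check for: a host with no PTR record, and a PTR that points at another host's name.

```python
# Added example, not from the thread: models how a Kerberos client derives the
# PostgreSQL service principal via reverse DNS, using the names and addresses
# from Stephen's message. FORWARD/REVERSE are constructed stand-ins for DNS
# data; both functions are hypothetical helpers, not a Kerberos library API.

REALM = "EXAMPLE.COM"

# Constructed forward (A) records: name -> IP
FORWARD = {
    "client.example.com": "10.10.10.1",
    "server.example.com": "10.10.10.20",
    "database.example.com": "10.10.10.20",  # alias for the same host
    "orphan.example.com": "10.10.10.30",    # host with no PTR record
    "lying.example.com": "10.10.10.40",     # PTR names a host that resolves elsewhere
}

# Constructed reverse (PTR) records: IP -> canonical name
REVERSE = {
    "10.10.10.1": "client.example.com",
    "10.10.10.20": "server.example.com",
    "10.10.10.40": "server.example.com",    # inconsistent PTR
}


def service_principal(connect_name, service="postgres"):
    """Principal a client requests after connecting to connect_name.
    As in the message: forward-resolve the typed name, reverse-resolve the IP
    it connected to, build service/<PTR name>@REALM. None if no PTR exists.
    """
    ip = FORWARD.get(connect_name)
    if ip is None:
        raise LookupError(f"no A record for {connect_name}")
    canonical = REVERSE.get(ip)
    if canonical is None:
        return None
    return f"{service}/{canonical}@{REALM}"


def check_rdns_consistency(ip):
    """Admin check: the PTR name must forward-resolve back to the same IP.
    A PTR naming another host makes clients request the wrong principal.
    """
    name = REVERSE.get(ip)
    if name is None:
        return False, "missing PTR record"
    if FORWARD.get(name) != ip:
        return False, f"PTR {name} resolves to {FORWARD.get(name)}, not {ip}"
    return True, f"{ip} <-> {name}"
```

Connecting via the alias database.example.com yields the same postgres/server.example.com@EXAMPLE.COM principal as connecting via server.example.com, which is why the KDC needs only one principal for the host.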