Deploying radius page comment

King, Michael MKing at bridgew.edu
Thu Oct 5 16:35:54 CEST 2006


Just reading through the deployingradius.com pages...

On page:
http://deployingradius.com/documents/configuration/active_directory.html

You reference the krb5.conf file like this:

[realms]
...
realm.company.com = {
      kdc = nt-server-hostname.company.com
}
...


However, someone on the list once pointed out that this is a more robust
approach (assuming your DNS infrastructure is solid).  The objective is
to have the server look up the realms via DNS as opposed to having a
statically linked server (that could be taken offline for maintenance).

# more krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = on

[domain_realm]

.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
#

And likewise, the smb.conf file would be changed as well.

# Change this to the workgroup/NT-domain name your Samba server will be part of
# (the workgroup is the domain short name, if it differs from the realm;
# Samba does not support trailing comments after a value, so keep them on their own line)
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
# Server string is the equivalent of the NT Description field
        server string = %h server (Samba %v)
        security = ADS
        encrypt passwords = true
        password server = *

Granted, the above configs are for a single domain authentication
source (utilizing the default realm, I believe, instead of a named
realm), but the concept of DNS resolving the password server should apply.
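An added example, not from the post or from deployingradius.com: a small Python parser for the krb5.conf format shown above that reports, per realm, whether the client is pinned to a static "kdc =" host or will query DNS for the _kerberos._udp / _kerberos._tcp SRV records (MIT's documented behaviour is that SRV lookup applies only to realms with no kdc listed). The sample config, including the extra LEGACY.EXAMPLE.COM realm, is constructed for the demonstration.

```python
import re

# Constructed sample modelled on the krb5.conf in the post; the extra
# LEGACY.EXAMPLE.COM realm with a static kdc is added to show the contrast.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = on
[realms]
        LEGACY.EXAMPLE.COM = {
                kdc = nt-server-hostname.example.com
        }
[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf ([section] blocks, 'key = {' subsections) into nested dicts."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
        elif line == '}':
            stack.pop()                              # end of a realm subsection
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)   # keys may repeat
    return sections

def kdc_sources(conf):
    """Per realm: static 'kdc =' hosts and the SRV names DNS will be asked for.
    SRV lookup happens only when dns_lookup_kdc is on AND the realm lists no kdc."""
    libdefaults = conf.get('libdefaults', {})
    # Checker requires an explicit setting rather than relying on the library default.
    dns_on = libdefaults.get('dns_lookup_kdc', ['false'])[0].lower() in ('true', 'yes', 'on', '1')
    realms = set(conf.get('realms', {})) | set(libdefaults.get('default_realm', []))
    for target in conf.get('domain_realm', {}).values():
        realms.update(target)                        # mapped realms must be locatable too
    report = {}
    for realm in sorted(realms):
        static = conf.get('realms', {}).get(realm, {}).get('kdc', [])
        srv = [f'_kerberos._{p}.{realm.lower()}' for p in ('udp', 'tcp')] if dns_on and not static else []
        report[realm] = {'static_kdcs': static, 'srv_records': srv, 'single_point_of_failure': len(static) == 1}
    return report
```

A realm flagged as a single point of failure is the "statically linked server" case from the post; the ones with SRV names are the ones DNS will resolve, so those SRV records are what to verify exists before relying on this setup.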