Deploying radius page comment
King, Michael
MKing at bridgew.edu
Thu Oct 5 16:35:54 CEST 2006
Just reading through the deployingradius.com pages....
On page:
http://deployingradius.com/documents/configuration/active_directory.html
You reference the krb5.conf file like this:
[realms]
    ...
    realm.company.com = {
        kdc = nt-server-hostname.company.com
    }
    ...
However, someone on the list once pointed out that this is a more robust
approach (assuming your DNS infrastructure is solid). The objective is
to have the server look up the realms via DNS as opposed to having a
statically linked server (that could be taken offline for maintenance):
# more krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = on

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
#
And likewise, the smb.conf file would change as well:
# Change this to the workgroup/NT-domain name your Samba server will be
# part of (the domain short name, if different from the realm). Samba
# only treats '#' as a comment at the start of a line, so the comment
# must not follow the value on the same line.
workgroup = EXAMPLE
realm = EXAMPLE.COM
# Server string is the equivalent of the NT Description field
server string = %h server (Samba %v)
security = ADS
encrypt passwords = true
password server = *
Granted, the above configs are for a single domain authentication
source (utilizing the default realm, I believe, instead of a named
realm).
But the concept of DNS resolving the password server should apply.
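As an added example (not part of the original post, nor code from deployingradius.com), here is a small Python audit that parses the subset of krb5.conf syntax used in the two snippets above and reports, per realm, whether the KDCs are pinned to a hostname under [realms] or are to be found through DNS SRV lookup because dns_lookup_kdc is on, and which realm [domain_realm] maps a given host to. The two sample configurations are constructed from the post's snippets (the realm name in the static one is uppercased); the parser only handles [libdefaults], brace blocks under [realms] and [domain_realm], and the case-insensitive suffix matching in realm_for_host is a simplification of what the library does.

```python
# Added example (not from the post): audit whether a krb5.conf pins KDCs
# statically or discovers them through DNS SRV records.
import re

# Constructed from the post's first snippet (realm name uppercased).
STATIC_CONF = """
[libdefaults]
    default_realm = REALM.COMPANY.COM
[realms]
    REALM.COMPANY.COM = {
        kdc = nt-server-hostname.company.com
    }
"""
# Constructed from the post's DNS-discovery snippet.
DNS_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = on
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""
SECTION_RE = re.compile(r"^\[(\w+)\]$")
TRUE_WORDS = ("true", "yes", "on", "1")


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf used above into {section: {key: value}}.
    ``NAME = { ... }`` becomes a nested dict; a key repeated inside one block
    (several kdc lines) becomes a list."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"directive outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":                            # open a nested block
            stack[-1][key] = block = {}
            stack.append(block)
        elif key in stack[-1]:                      # repeated key -> list
            old = stack[-1][key]
            stack[-1][key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            stack[-1][key] = value
    return sections


def kdc_discovery(sections, realm=None):
    """Report how the KDCs of ``realm`` (default: default_realm) are located.
    MIT krb5 uses DNS SRV records only when the realm has no kdc entries in
    the profile, so any static entry makes the mode "static"."""
    libdefaults = sections.get("libdefaults", {})
    realm = realm or libdefaults.get("default_realm")
    if realm is None:
        raise ValueError("no realm given and no default_realm configured")
    kdcs = sections.get("realms", {}).get(realm, {}).get("kdc", [])
    kdcs = [kdcs] if isinstance(kdcs, str) else list(kdcs)
    flag = libdefaults.get("dns_lookup_kdc")
    dns = None if flag is None else flag.lower() in TRUE_WORDS
    if kdcs:
        mode = "static"
    elif dns:
        mode = "dns"
    else:
        mode = "library default" if dns is None else "none"
    warnings = []
    if mode == "static" and len(kdcs) == 1:
        warnings.append("single pinned KDC: taking it offline stops authentication")
    if mode == "dns":
        warnings.append("KDC location depends on DNS integrity (SRV records)")
    return {"realm": realm, "kdcs": kdcs, "dns_lookup_kdc": dns,
            "mode": mode, "warnings": warnings}


def realm_for_host(sections, hostname):
    """Apply [domain_realm]: exact host entry first, then each parent domain
    written with a leading dot (simplified, case-insensitive matching)."""
    mapping = {k.lower(): v for k, v in sections.get("domain_realm", {}).items()}
    labels = hostname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for name in candidates:
        if name in mapping:
            return mapping[name]
    return None
```

Running kdc_discovery over the two constructed configs gives mode "static" with a single-KDC warning for the first and mode "dns" with a DNS-dependency warning for the second, which is exactly the trade-off the post describes: the static form has one host that can be taken down for maintenance, the DNS form moves that trust onto the SRV records.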