Adding a linux server to a windows domain

I already described in an earlier post how I added a Linux server to a Windows domain. Recently I added a new server to my domain to replace my existing domain controller. As a consequence I had to update the krb5.conf file to point to the newly added server. Actually this hasn’t been the first change of domain controllers, and usually users point out that they cannot authenticate to Subversion or Apache-based applications (which use Kerberos authentication as well). OK, so I forgot to update the krb5.conf again.

So there must be a more convenient way to configure Kerberos. If only I had some way to pull the information about the current KDC from the domain data. But wait – there is DNS. There are a couple of service entries in DNS that point to all available Kerberos servers in the domain! That sounds promising.

So I changed my krb5.conf file and added

[libdefaults]
    dns_lookup_realm = yes
    dns_lookup_kdc = yes

to the libdefaults section. Then I removed the realms and domain_realm sections. Now all information about available KDC servers is pulled directly from DNS – sweet.
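To see what dns_lookup_kdc actually does behind the scenes, here is an added example (not part of the original post): it lists the SRV names libkrb5 queries for a realm, parses a dig-style answer into an ordered KDC list, and flags static kdc entries that DNS no longer advertises, which is exactly what broke when the old domain controller was replaced. The realm EXAMPLE.LOCAL, the host names and the SRV lines are constructed.

```python
"""Added example: how MIT Kerberos finds KDCs via DNS SRV records once
dns_lookup_kdc = yes is set. Realm, hosts and DNS answers are constructed."""
import re

REALM = "EXAMPLE.LOCAL"  # constructed realm name


def srv_query_names(realm):
    """SRV names libkrb5 looks up for a realm (realm lowercased as DNS domain)."""
    domain = realm.lower()
    return [f"_kerberos._udp.{domain}", f"_kerberos._tcp.{domain}",
            f"_kerberos-master._udp.{domain}", f"_kerberos-master._tcp.{domain}",
            f"_kpasswd._udp.{domain}", f"_kpasswd._tcp.{domain}"]


# Constructed answer section as `dig SRV _kerberos._tcp.example.local` prints it
DIG_ANSWER = """\
_kerberos._tcp.example.local. 600 IN SRV 0 100 88 dc2.example.local.
_kerberos._tcp.example.local. 600 IN SRV 0 100 88 dc1.example.local.
_kerberos._tcp.example.local. 600 IN SRV 10 50 88 dc-old.example.local.
"""

SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(text):
    """Return (priority, weight, port, target) tuples; non-SRV lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def kdc_order(records):
    """Order KDCs as a client would: lowest priority first, then heavier weight.
    (RFC 2782 picks among equal priorities by weighted random choice; sorting
    by target as a tie-breaker keeps this example deterministic.)"""
    ordered = sorted(records, key=lambda r: (r[0], -r[1], r[3]))
    return [f"{target}:{port}" for _, _, port, target in ordered]


def stale_static_kdcs(static_kdcs, records):
    """Static 'kdc =' entries from [realms] that DNS no longer advertises."""
    advertised = {target for _, _, _, target in records}
    return [k for k in static_kdcs if k.split(":")[0] not in advertised]


if __name__ == "__main__":
    recs = parse_srv(DIG_ANSWER)
    print(kdc_order(recs))
    print(stale_static_kdcs(["dc-retired.example.local", "dc1.example.local"], recs))
```

On a real host, `dig SRV _kerberos._tcp.<domain>` against the AD DNS server is the quickest check that the records this lookup depends on exist.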