How to use Kerberos with external DNS servers

Hi,

I am trying to set up DNS so that I can create an OD master on the 10.6 server using Kerberos.
For somewhat obvious reasons I do not want to host the primary zone files on our server, as it may not be as available as DNS servers from DNS service providers. I have a hostname like server.xxx.xxx and create an A record pointing to the IP of the machine which runs this OS X server (which is of course a private IP). I also tried to set up records in the external zone files pointing to a public IP that is routed in our firewall appliance to the private IP of the OS X server, in case that was a better idea, stating the proper external NS servers, which are different for the forward and reverse records. Stating the private IP in the OS X server was not successful, and nor was stating the public IP. The hostname resolves fine when the proper external zone files are correct, but that does not help much in getting the setup working for the OS X internal DNS server. Am I overlooking something?

This must be one of the most typical scenarios I have here, but the Apple documentation is pretty useless in getting somewhere with it. I have read a lot everywhere, but it seems like most people have problems with other aspects or special setups.

MBA, Mac OS X (10.6)

Posted on Sep 8, 2009 1:14 PM

6 replies

Sep 10, 2009 11:37 PM in response to eyeless

The important thing is that when the server looks up its configured hostname it must get back its IP address (i.e. the one it knows for itself, i.e. its private address), and when it looks up its IP address, it must get back its hostname.

In practice, when you're setting the server up on a private address (i.e. behind NAT), you pretty much want to set up a private DNS "world" to match, and the easiest way to keep this straight is to use a DNS server on the private network. This is particularly true for the reverse (IP -> name) record, which (for a private address) cannot be properly delegated as part of the public DNS system.

So I'd recommend using the OS X server as a DNS server for the private network, creating an A record for server.xxx.xxx pointing to its private IP address (it'll automatically create the reverse record), and configuring it and the other computers on the private network to use it as their DNS server (i.e. in their Network preferences). If you want, you can also create a record for server.xxx.xxx in a public DNS server, pointing to the public address, so that hosts in the outside world can also find it by that name.

Message was edited by: Gordon Davisson

Sep 11, 2009 11:52 AM in response to eyelessjerry

Run your internal DNS on the OS X server or elsewhere on the LAN. Make sure the hostname resolves both externally in "public" DNS and on your LAN.

Make sure to point your server to itself as first resolver if it's the DNS server for the LAN. Do this in Network Preferences. Also be sure to include forwarders in the DNS config area of Server Admin.

Once you do that, the server's hostname should resolve properly in both forward and reverse lookups. Be sure the external forward and reverse lookups are also correct (pointing to your public IP).
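Gordon's reply (the configured hostname must resolve to the address on the server's own interface, and that address must reverse-resolve to the hostname) and foilpan's reply (point the server at itself as first resolver, keep the public records correct too) both come down to one round-trip test, which is essentially what `changeip -checkhostname` reports on. The script below is an added example that is not part of this thread, Apple's tools or anyone's posted code: it runs that forward/reverse check against a constructed split-horizon zone table, so it works offline, and shows why the check passes when the server uses its own LAN DNS and fails when it resolves through the provider's public zone. The hostname `server.example.com` and the addresses `192.168.1.10` (private) and `203.0.113.5` (public NAT address) are assumptions for illustration, not values from the thread.

```python
"""Forward/reverse DNS consistency check for a server hostname.

Added example; not code from this thread, from Apple, or from changeip.
It models the test the replies above describe: the name the server is
configured with must resolve to the address on its own interface (the
private one behind NAT), and that address must reverse-resolve to the
same name.  All zone data below is constructed for illustration.
"""
import ipaddress
import socket

# Constructed names and addresses (assumptions, not from the thread).
HOSTNAME = "server.example.com"
PRIVATE_IP = "192.168.1.10"   # address on the OS X server's own interface
PUBLIC_IP = "203.0.113.5"     # NAT address the firewall forwards to PRIVATE_IP

# What the LAN DNS server (the OS X server itself) would answer.
INTERNAL_ZONE = {
    "server.example.com.": PRIVATE_IP,
    "10.1.168.192.in-addr.arpa.": "server.example.com.",
}
# What the hosting provider's public DNS would answer.
EXTERNAL_ZONE = {
    "server.example.com.": PUBLIC_IP,
    "5.113.0.203.in-addr.arpa.": "server.example.com.",
}


def table_resolvers(zone):
    """Forward/reverse lookup functions backed by a dict, for offline use."""
    def forward(name):
        return zone.get(name.rstrip(".").lower() + ".")

    def reverse(ip):
        # ipaddress builds the in-addr.arpa / ip6.arpa owner name for us.
        return zone.get(ipaddress.ip_address(ip).reverse_pointer + ".")

    return forward, reverse


def live_resolvers():
    """Forward/reverse lookups through the host's configured resolver."""
    def forward(name):
        try:
            return socket.gethostbyname(name)
        except socket.gaierror:
            return None

    def reverse(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    return forward, reverse


def check_hostname(hostname, interface_ip, forward, reverse):
    """Return (ok, problems): does hostname <-> interface_ip round-trip?"""
    problems = []
    addr = ipaddress.ip_address(interface_ip)

    # .local is the Bonjour/mDNS name; Kerberos wants a real DNS name.
    if hostname.rstrip(".").lower().endswith(".local"):
        problems.append(f"{hostname} is a Bonjour (.local) name; use a fully qualified DNS name")

    fwd = forward(hostname)
    if fwd is None:
        problems.append(f"no A record found for {hostname}")
    elif ipaddress.ip_address(fwd) != addr:
        problems.append(f"{hostname} resolves to {fwd}, but the interface address is {interface_ip}")

    rev = reverse(interface_ip)
    if rev is None:
        # A private address's PTR cannot be delegated in public DNS, so only
        # a LAN DNS server can ever answer this lookup.
        hint = " (private address: only your LAN DNS server can hold this PTR)" if addr.is_private else ""
        problems.append(f"no PTR record found for {interface_ip}{hint}")
    elif rev.rstrip(".").lower() != hostname.rstrip(".").lower():
        problems.append(f"{interface_ip} reverse-resolves to {rev}, not {hostname}")

    return (not problems, problems)


if __name__ == "__main__":
    for label, zone in (("internal (LAN) DNS", INTERNAL_ZONE),
                        ("provider (public) DNS", EXTERNAL_ZONE)):
        ok, problems = check_hostname(HOSTNAME, PRIVATE_IP, *table_resolvers(zone))
        print(f"{label}: {'OK' if ok else 'FAIL'}")
        for p in problems:
            print("  -", p)
    # Against the real resolver of the machine running this script:
    # ok, problems = check_hostname(socket.getfqdn(), "<interface ip>", *live_resolvers())
```

Run as-is, the internal zone passes and the public zone fails twice: the A record points at the NAT address rather than the interface address, and there is no PTR for the private address at all. That second failure is the one no amount of editing the provider's zone can fix, which is why both replies have the server answer its own lookups and only forward everything else.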

Sep 19, 2009 1:27 PM in response to foilpan

Thanks for the suggestions, but it surely does not work no matter what one writes and how one sets it up. I reinstalled 10.6 server after erasing the hard drive upon the suggestion of AppleCare support (as I told them I was running VMware, which they did not know what it was; sure, I know they would not know half of what I do to begin with, but ...). Anyway, after setting up the server from scratch (surely a quite different experience from upgrading a server ...), changeip -checkhostname gave me thumbs up, but that did not exactly mean that OD thought the DNS was set up properly, and thus I changed the DNS settings to what the AppleCare guy had suggested (a slight variation on the default setup), but after that it is not possible to enter anything to make changeip happy again.

Nor is it actually possible to write in exactly what was produced by the default installation in the DNS settings in Server Admin (you cannot write the reverse name for the zone as xx.xx.xx.xx.in-addr.arpa.; one can only have the name xx.xx.xx.in-addr.arpa. for the reverse zone, and not for the specific server as stated in the default setup).

It is difficult to state different DNS servers for a public resolvable reverse zone (one has to delete and add the records again).

Only "server.local" is available at first setup, afterwards one can add server.xx.xx ... (I guess that is always the case).

Guess I have to reinstall the server again, as there is simply no way to get the hostname to resolve properly once one has changed something from the default setting. Someone, somewhere must have succeeded with this, but it looks very unlikely to me ...

Sep 19, 2009 1:44 PM in response to eyeless

The reason I mentioned "Only "server.local" is available at first setup, afterwards one can add server.xx.xx ... (I guess that is always the case)" was that I wonder if perhaps there is a certain order in which one must add this server. Maybe I first have to add server.xx.xx and only then define the local DNS server as server.xx.xx? (Not that it should matter, as I have done this too.) (Also, I made sure to include the local server as the first resolver and to "include forwarders in the DNS config area of Server Admin", and made sure already earlier that the public IP and hostname resolve properly in public DNS, and tried both with these records added in the DNS server settings and without.)
