chucktryon (Dabbler; joined Sep 20, 2011; 26 messages)
We have a geographically dispersed organization. Each office has its own assigned 10.x subnet. We have one central AD Domain Controller in the international office, and a couple of the larger offices have secondary AD Domain Controllers joined to the central controller over a VPN. While the secondary domain controllers can each talk to the main controller, the firewalls are set up such that none of the individual subnets can talk to each other. One very odd thing is that the DNS service replicates to all the domain controllers, so we see DNS information for the entire organization.
When FreeNAS tried to join the domain, I'm guessing that it looks up the SRV records to find the actual KDC for the domain. Our problem is that, since we have multiple domain controllers, there are SEVERAL SRV records in DNS, each on its own subnet. In fact, only one is usable on our subnet, since we can't touch the other controllers.
My problem is that, for some unknown reason, THE INTERFACE ALWAYS PICKS THE WRONG KDC, and then puts that in the krb5.conf and smb.conf files. We are on a 10.4 subnet, but the one it ALWAYS picks is on the 10.88 subnet. The records all have identical weights, so it's not like the other KDC has a higher priority.
[root@us-freenas-dev] ~# host -t SRV _kerberos._tcp.global.local
_kerberos._tcp.global.local has SRV record 0 100 88 eu-dc1.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 eu-dc2.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 usa-dc1.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 africa-dc.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 gb-dc1.global.local.
My question is, how do I get the interface to correctly pick the one and only KDC that it can actually talk to and put that one in the krb5.conf file?
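One way to check which of those SRV targets is actually reachable from the local subnet on the Kerberos port and to pin that one in krb5.conf, as an added example that is not part of the original post or of FreeNAS. It assumes the realm is GLOBAL.LOCAL (matching the global.local domain in the SRV names) and uses the five records from the post as constructed input; the TCP probe and the krb5.conf rendering are the example's own choices.

```python
"""Filter _kerberos._tcp SRV targets by reachability and emit a pinned krb5.conf."""
import socket
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample: the five records shown in the post (priority 0, weight 100, port 88).
SRV_RECORDS = [
    SrvRecord(0, 100, 88, "eu-dc1.global.local"),
    SrvRecord(0, 100, 88, "eu-dc2.global.local"),
    SrvRecord(0, 100, 88, "usa-dc1.global.local"),
    SrvRecord(0, 100, 88, "africa-dc.global.local"),
    SrvRecord(0, 100, 88, "gb-dc1.global.local"),
]


def tcp_reachable(host, port, timeout=2.0):
    """TCP connect probe; False on DNS failure, refused connection or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_kdcs(records, reachable=tcp_reachable):
    """Keep only targets that answer on their SRV port, ordered lowest priority
    first and heavier weight first (RFC 2782 order without the random tie-break).
    With identical priority and weight, as in the post, nothing in the records
    themselves prefers one controller, so the reachability filter is what
    excludes the controllers behind the other firewalls."""
    usable = [r for r in records if reachable(r.target, r.port)]
    return sorted(usable, key=lambda r: (r.priority, -r.weight))


def krb5_realm_block(realm, kdcs):
    """Render a krb5.conf fragment that pins the KDC list; dns_lookup_kdc = false
    keeps the library from re-running the SRV lookup and overriding the list."""
    if not kdcs:
        raise RuntimeError("no reachable KDC found for realm %s" % realm)
    lines = ["[libdefaults]", "    default_realm = %s" % realm,
             "    dns_lookup_kdc = false", "", "[realms]", "    %s = {" % realm]
    lines += ["        kdc = %s:%d" % (r.target, r.port) for r in kdcs]
    lines.append("    }")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Assumed realm name; adjust to the real realm before using the output.
    print(krb5_realm_block("GLOBAL.LOCAL", select_kdcs(SRV_RECORDS)))
```

Run it from the FreeNAS host itself so the probe reflects that subnet's firewall rules, then compare the emitted `kdc =` line with what the join wrote into krb5.conf.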