Kerberos / krb5.conf / CentOS7

GemNEye kerberos at gemneye.org
Wed Dec 11 21:05:18 EST 2019


On 2019-12-11 18:52, Todd Grayson wrote:

> The domain_realm section of the krb5.conf is used to map DNS domain names to kerberos realms.  So let's say you had an active directory domain (dns domain and AD domain) of ad.example.com, its kerberos realm would be AD.EXAMPLE.COM, but let's say your environment had linux servers in dev.example.com, but you still wanted them to be recognized as systems that have services that have kerberos principals in the AD.EXAMPLE.COM kerberos realm.  You would use the [domain_realm] section of the krb5.conf to map this dns domain to the kerberos realm with the entry 
> 
> [domain_realm] 
> dev.example.com = AD.EXAMPLE.COM 
> 
> The need for this kind of configuration comes up in hadoop as the kerberos principals for the linux hosts will need to understand what realm and KDC they need to resolve to, as the default behavior of kerberos is to resolve the lowercase dns name to the uppercase REALM name, but in the scenario where dns names are host.dev.example.com, and there is no kerberos realm of DEV.EXAMPLE.COM, for java applications things will fail with a GSS error of "host not found in the kerberos database" type of message, unless there is a [domain_realm] mapping like above in place.  
> 
> This is NOT cross realm trust when you use this kind of [domain_realm] mapping, that is a completely different thing and would involve multiple kerberos realms trusting each other for authenticating users and services (just in case you were going to ask).  
> -- 
> 
> Todd Grayson 
> 
> Principal Customer Operations Engineer 
> Security SME

Yep, that is exactly what I was going to ask.  Our current config has
entries for other AD DNS domains being mapped to the realm that is
configured in the [realms] stanza.  I was trying to figure out why that
was being done and what purpose it was serving.  I was not able to get
an answer from my co-workers which is why I posted here.  From your
description it sounds like this configuration is probably erroneous. 

Thank you for your response.  
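The lookup Todd describes can be checked offline rather than by trial and error against a KDC. The following is an added illustration written for this archive page, not code from the thread or from MIT krb5: it parses the [domain_realm] section of a constructed krb5.conf that mirrors the thread's scenario and applies the documented precedence rules (exact host entry, then the most specific domain entry, where a bare `dev.example.com` tag also covers hosts under it and a `.suffix` tag covers only hosts under it). When nothing matches it falls back to the uppercased DNS domain, which is the simplified default behaviour the thread describes and the reason a host in dev.example.com ends up asking for a non-existent DEV.EXAMPLE.COM realm. Real krb5 libraries also consult DNS and KDC referrals before that fallback; that part is deliberately left out here.

```python
"""Resolve which Kerberos realm a hostname maps to via krb5.conf [domain_realm].

Added illustration, not MIT krb5 code. The sample krb5.conf below is
constructed to match the mailing-list scenario (AD realm, dev hosts).
"""

SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }

[domain_realm]
    ad.example.com = AD.EXAMPLE.COM
    dev.example.com = AD.EXAMPLE.COM
    .legacy.example.com = LEGACY.EXAMPLE.COM
"""


def parse_domain_realm(text):
    """Return the [domain_realm] mapping as a dict of lowercase tag -> REALM.

    Minimal parser: tracks the current [section] and reads 'tag = value'
    lines. Brace-delimited sub-blocks (as in [realms]) are skipped.
    """
    mapping = {}
    section = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if depth == 0 and line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        if line.endswith('{'):
            depth += 1
            continue
        if line == '}':
            depth -= 1
            continue
        if section == 'domain_realm' and '=' in line:
            tag, value = (part.strip() for part in line.split('=', 1))
            mapping[tag.lower()] = value
    return mapping


def realm_for_host(hostname, mapping):
    """Pick the realm for hostname using [domain_realm] precedence rules.

    1. an exact hostname entry;
    2. walking up the domain suffixes, most specific first, either a
       '.suffix' entry (hosts under suffix only) or a bare 'suffix' entry
       (the host suffix itself plus everything under it);
    3. no match: the uppercased parent DNS domain. This is a simplification
       of the library's default (which also tries DNS and referrals), but it
       is what yields a realm like DEV.EXAMPLE.COM that no KDC serves.
    Returns (realm, reason) so the caller can see which rule fired.
    """
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host], 'host entry ' + host
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.'.join(labels[i:])
        for tag in ('.' + suffix, suffix):
            if tag in mapping:
                return mapping[tag], 'domain entry ' + tag
    parent = '.'.join(labels[1:]).upper()
    return parent, 'default (uppercased DNS domain, no mapping)'


if __name__ == '__main__':
    table = parse_domain_realm(SAMPLE_KRB5_CONF)
    for h in ('dc1.ad.example.com', 'host.dev.example.com',
              'db.legacy.example.com', 'legacy.example.com',
              'host.qa.example.com'):
        realm, why = realm_for_host(h, table)
        print(f'{h:28} -> {realm:20} ({why})')
```

Running it shows `host.qa.example.com` resolving to `QA.EXAMPLE.COM` by the default rule, which is the "not found in Kerberos database" situation from the thread, while `host.dev.example.com` is carried into AD.EXAMPLE.COM by the single `dev.example.com` entry. Note also that `.legacy.example.com` does not cover the apex host `legacy.example.com` itself; to cover both, use the bare `legacy.example.com` tag instead.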
