Kerberos trust

Robert Wehn robert.wehn at rz.uni-augsburg.de
Thu Apr 14 09:42:03 EDT 2016


Hi Mauro

Am 13.04.2016 um 22:22 schrieb Todd Grayson:
> netdom trust and ksetup examples that are correct for AD / MIT kerberos
> http://blog.godatadriven.com/cross-realm-trust-kerberos.html

This blog describes the procedure quite well; here are some additional details:

1)
> [realms]
>       WIN_GDD.NL = {
>         kdc = host1.mywindomain.nl:88
>         admin_server = host1.mywindomain:749
>       }
>       GDD.NL = {
>         kdc = host1.mydomain.nl:88
>         admin_server = host1.mydomain.nl:749
>         default_domain = mydomain.nl
>       }
=> In this example I would not include names for the AD DC/KRB server
but use DNS to resolve them:
> [realms]
>       WIN_GDD.NL = {
>       }
On AD/Windows clients the DC servers are never locally configured
but looked up in DNS for every operation (cached using the TTL). So the AD
admins are often not aware that they have to deploy changes in the
infrastructure to the clients.

2) The local settings for the client (knowing the KRB realm for HADOOP,
host-to-realm mappings) can be done via a GPO, so you don't have to
configure every client with
> ksetup /addkdc REALM [server]
> ksetup /addHostToRealmMap host REALM

The settings can be found at
Policies/Administrative Templates/System/Kerberos
-> "Define interoperable Kerberos V5 realm settings"
    Value Name = REALM
    Value = <f>RealmFlags</f><k>list;of;KDCs</k>
-> "Define host name-to-Kerberos realm mappings"
    Value Name = REALM
    Value      = list;of;hdoop:hosts;to;map;to;the:realm

I never needed the realm flags, but one can look that up at
> https://technet.microsoft.com/en-us/library/hh240195.aspx?f=255&MSPPError=-2147217396

The values can be empty if DNS holds SRV records for the KDCs of the
Hadoop realm and TXT records for the host-to-realm settings, see e.g.:
> http://web.mit.edu/kerberos/krb5-1.13/doc/admin/realm_config.html

The "Value Name" (REALM) will still be needed for the client to know
that there is something to look for in DNS!

Robert.

-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028

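As an added example (not Robert's or the blog's code; written here from the MIT realm_config documentation cited above): how a krb5 client with an empty realm stanza finds the realm of a host via `_kerberos.<host>` TXT records and the KDCs and admin server of a realm via `_kerberos._udp.<REALM>` / `_kerberos-adm._tcp.<REALM>` SRV records. The zone contents are constructed sample data that reuse the host and realm names quoted in the post.

```python
from typing import Dict, List, Tuple

# Constructed sample zone (not a real domain's data). SRV rdata is
# (priority, weight, port, target), as in the DNS record itself.
ZONE: Dict[str, List[Tuple[str, object]]] = {
    "_kerberos.hadoop.mydomain.nl": [("TXT", "GDD.NL")],
    "_kerberos._udp.GDD.NL": [("SRV", (0, 100, 88, "host1.mydomain.nl.")),
                              ("SRV", (10, 100, 88, "host2.mydomain.nl."))],
    "_kerberos._tcp.GDD.NL": [("SRV", (0, 100, 88, "host1.mydomain.nl."))],
    "_kerberos-adm._tcp.GDD.NL": [("SRV", (0, 100, 749, "host1.mydomain.nl."))],
}
_ZONE = {name.lower(): recs for name, recs in ZONE.items()}  # DNS names are case-insensitive


def lookup(name: str, rtype: str) -> list:
    """Stand-in for a resolver query; returns the rdata of matching records."""
    return [rdata for rt, rdata in _ZONE.get(name.lower(), []) if rt == rtype]


def realm_for_host(host: str) -> str:
    """dns_lookup_realm: try _kerberos.<host> as TXT, then strip one leading
    label at a time (_kerberos.<domain>, ...). With no TXT record MIT krb5
    falls back to the host's DNS domain upper-cased; Windows clients do not
    guess and need the GPO host-to-realm mapping from the post instead."""
    labels = host.rstrip(".").split(".")
    for i in range(len(labels)):
        txt = lookup("_kerberos." + ".".join(labels[i:]), "TXT")
        if txt:
            return txt[0]
    return ".".join(labels[1:]).upper()


def srv_targets(name: str) -> List[str]:
    """Order SRV answers by priority (low first), then weight (high first)."""
    ordered = sorted(lookup(name, "SRV"), key=lambda r: (r[0], -r[1]))
    return [f"{target.rstrip('.')}:{port}" for _, _, port, target in ordered]


def kdcs_for_realm(realm: str, proto: str = "udp") -> List[str]:
    """dns_lookup_kdc: _kerberos._udp.<REALM> or _kerberos._tcp.<REALM>."""
    return srv_targets(f"_kerberos._{proto}.{realm}")


def admin_servers_for_realm(realm: str) -> List[str]:
    """kadmin server: _kerberos-adm._tcp.<REALM>."""
    return srv_targets(f"_kerberos-adm._tcp.{realm}")


if __name__ == "__main__":
    realm = realm_for_host("dn1.hadoop.mydomain.nl")
    print(realm, kdcs_for_realm(realm), admin_servers_for_realm(realm))
```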
