Kerberos "overlay" in mixed OS environment

Todd Grayson tgrayson at cloudera.com
Mon Dec 5 16:42:41 EST 2016


You shape the world view (REALM, DNS domain to realm mapping,
default_realm) in your krb5.conf on your participating systems.  You don't
need to have DNS SRV records for everything you are doing (but they
help/can be a hindrance, e.g. performance).

Your one rule is you must use unique namespaces for these (e.g. you can't
have two competing KDCs with different DBs handling the same REALM).

But 2 different realms on the same subnets with common DNS but different
REALMS and KDCs are handled in the [domain_realm] section of the krb5.conf
and are discussed in detail here:

https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html

And pay attention to the relationship between fwd/reverse dns and kerberos
here

http://web.mit.edu/kerberos/krb5-1.12/doc/admin/princ_dns.html

So for example a set of systems starting in a development realm migrating
to a production realm status... it's a point of whatever the clients and
servers are configured to focus on with regard to realm and KDC... will be
what's used... so it's not really a "don't do that"... but more of a "be
prepared to manage the complexity" if they are going to overlap.

At some point a DNS subdomain goes a long way to mitigate the complexity of
having to manage lots and lots of static host-specific entries in a
[domain_realm] section of the krb5.conf.

On Mon, Dec 5, 2016 at 11:15 AM, Nordgren, Bryce L -FS <bnordgren at fs.fed.us>
wrote:

> The answer is probably going to be "you can't do that", but I figured I'd
> ask anyway.
>
> Parameter #1: I have been allocated a handful of non-routable IP subnets
> on a university network where I am a guest.
> Parameter #2: Associated with the above is a single DNS subdomain.
> Parameter #3: The university retains control over DNS and DHCP.
> Parameter #4: The university set up the correct SRV records so that I can
> operate a KDC on my subdomain.
>
> My question is: Is there any way to operate two KDCs on the same DNS
> subdomain, serving complementary hosts?
>
> Reason #1: I want the "lightest footprint" possible, so as not to annoy
> our hosts.
> Reason #2: I want to take advantage of some of the centralized management
> niceties of AD and FreeIPA for Windows and Linux, respectively.
> Reason #3: I'm not sure I understand how to implement any kind of
> automatic Win/Linux segregation at the network level.
> Reason #4: Aside from the constraints Kerberos may (?) impose, I see no
> compelling reason to corral machines into subdomains by OS.
>
> Thanks for your patience.
> Bryce
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
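The [domain_realm] lookup the reply above describes, as an added example (not code from the thread or from MIT krb5): a small Python model of how the MIT library picks a realm for a hostname, run against a constructed krb5.conf for one DNS subdomain shared by an AD realm and a FreeIPA realm. The domain and realm names (lab.example.edu, AD.LAB.EXAMPLE.EDU, IPA.LAB.EXAMPLE.EDU) and host names are hypothetical, and the KDC referral step is not modelled.

```python
import re

# Constructed krb5.conf fragment (hypothetical names) for the thread's
# scenario: one DNS subdomain, two realms.  Linux hosts fall under the
# domain-wide rule; Windows hosts get host-specific entries, or their
# own DNS subdomain so that one rule covers them all.
KRB5_CONF = """
[libdefaults]
    default_realm = IPA.LAB.EXAMPLE.EDU

[domain_realm]
    .lab.example.edu = IPA.LAB.EXAMPLE.EDU
    lab.example.edu = IPA.LAB.EXAMPLE.EDU
    winfs01.lab.example.edu = AD.LAB.EXAMPLE.EDU
    .win.lab.example.edu = AD.LAB.EXAMPLE.EDU
"""

def parse_domain_realm(conf):
    """Minimal parser: return the key/value pairs of [domain_realm]."""
    mapping, section = {}, None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "domain_realm" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping

def host_realm(mapping, host):
    """Resolve a hostname to a realm the way the MIT library searches
    [domain_realm]: the full name first, then each shorter suffix,
    trying the dotted (domain) form before the undotted (host) form
    at every step.  The most specific entry therefore wins."""
    host = host.rstrip(".").lower()
    labels = host.split(".")
    candidates = [host]
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        candidates += ["." + suffix, suffix]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand]
    # Documented fallback when nothing matches (KDC referrals are not
    # modelled here): the domain portion of the host name, upper-cased.
    return ".".join(labels[1:]).upper()
```

A host in the .win.lab.example.edu subdomain resolves to the AD realm without a per-host entry, which is the trade-off the reply points at.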

