Kerberos "overlay" in mixed OS environment

Robert Wehn robert.wehn at rz.uni-augsburg.de
Wed Dec 7 11:56:02 EST 2016


Hi Brice,

What you plan works if one of the REALMs is a non-Windows/AD Realm.
For AD, at least the DCs (aka Kerberos Servers) need to have a DNS fqdn
matching the REALM they serve.

dc1.mydomain.com should serve the krb realm MYDOMAIN.COM and the ldap
namespace dc=mydomain,dc=de.

The (Windows) AD Clients can have any fqdn you want
(client1.sub.mydomain.com or client2.otherdomain.com); this can be
configured by GPO.

If you want to run a different, non-Windows, REALM in the same DNS
domain, that works (we do that here at the University of Augsburg), but
automatic lookup of which computer/server belongs to which realm needs a
tricky set of TXT records.

Actually our TXT records point to the AD Realm as default for the domain
(*.mydomain.com => MYDOMAIN.COM) and a handful of kerberized servers
point to the MIT Kerberos Realm (nfs-server-1.mydomain.com =>
OTHERREALM.COM). Linux Clients have keytabs from OTHERREALM.COM but have
no Kerberized services they expose, so the overhead is ok in this
configuration. But our DNS also has control over *.otherrealm.com, which
is needed for the SRV records to point to the MIT KDCs.

So as Simo says: Works, but is tricky to handle without a sub/second domain.

If your second REALM is only for a handful of test computers it works
with local configuration, but then your test scenario is not like
production, which is not a good test.

Regards,
Robert.

On 05.12.2016 at 19:15, Nordgren, Bryce wrote:
>>> The answer is probably going to be "you can't do that", but I figured I'd
>>> ask anyway.
>>>
>>> Parameter #1: I have been allocated a handful of non-routable IP subnets
>>> on a university network where I am a guest.
>>> Parameter #2: Associated with the above is a single DNS subdomain.
>>> Parameter #3: The university retains control over DNS and DHCP.
>>> Parameter #4: The university set up the correct SRV records so that I can
>>> operate a KDC on my subdomain.
>>>
>>> My question is: Is there any way to operate two KDCs on the same DNS
>>> subdomain, serving complementary hosts?
>>>
>>> Reason #1: I want the "lightest footprint" possible, so as not to annoy
>>> our hosts.
>>> Reason #2: I want to take advantage of some of the centralized management
>>> niceties of AD and FreeIPA for Windows and Linux, respectively.
>>> Reason #3: I'm not sure I understand how to implement any kind of
>>> automatic Win/Linux segregation at the network level.
>>> Reason #4: Aside from the constraints Kerberos may (?) impose, I see no
>>> compelling reason to corral machines into subdomains by OS.
>>>
>>> Thanks for your patience.
>>> Bryce


-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
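The "tricky set of TXT records" Robert describes can be modelled to see how a client would resolve realms against it. The following is an added example, not code from the thread or from MIT krb5: it mirrors the walk-up `_kerberos.<name>` TXT lookup a krb5 client performs with `dns_lookup_realm` enabled, plus the `_kerberos._udp.<realm>` SRV lookup for KDCs, over a constructed in-memory zone (all record values, including kdc1.otherrealm.com, are assumptions).

```python
# Constructed zone data: a domain-level default TXT record hands every host
# under mydomain.com to the AD realm, while per-host TXT records override it
# for the few servers that live in the MIT realm. SRV records for the MIT
# KDCs sit under otherrealm.com, which the same DNS must control.
ZONE = {
    ("_kerberos.mydomain.com", "TXT"): ["MYDOMAIN.COM"],
    ("_kerberos.nfs-server-1.mydomain.com", "TXT"): ["OTHERREALM.COM"],
    ("_kerberos.otherrealm.com", "TXT"): ["OTHERREALM.COM"],
    # SRV tuples: (priority, weight, port, target); hosts are assumed names
    ("_kerberos._udp.mydomain.com", "SRV"): [(0, 100, 88, "dc1.mydomain.com")],
    ("_kerberos._udp.otherrealm.com", "SRV"): [(0, 100, 88, "kdc1.otherrealm.com")],
}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])


def host_realm(fqdn):
    """Resolve a host's realm the way a dns_lookup_realm client does:
    try _kerberos.<fqdn>, then strip one leading label at a time and
    retry, so a per-host record wins over the domain-level default.
    Returns None when no record is found on the way up."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        txt = lookup("_kerberos." + ".".join(labels[i:]), "TXT")
        if txt:
            return txt[0]
    return None


def kdcs_for_realm(realm):
    """Return (target, port) pairs from _kerberos._udp.<realm> SRV records,
    ordered by priority then weight (lower priority first)."""
    records = lookup("_kerberos._udp." + realm.lower(), "SRV")
    return [(target, port) for _prio, _weight, port, target in sorted(records)]


def classify(fqdns):
    """Map each host to its realm; useful for checking that the TXT set
    really sends only the intended servers to the MIT realm."""
    return {host: host_realm(host) for host in fqdns}
```

Running `classify` over the list of all hosts in the domain is a quick audit that no unintended host picks up the MIT realm, since a stray per-host TXT record silently redirects that host's clients to the other KDC.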

