Local realm referral failed; trying fallback realm HADOOP.COM

Todd Grayson tgrayson at cloudera.com
Sat Jun 17 15:40:18 EDT 2017


You need to make sure you have a [domain_realm] mapping for each DNS domain
name to REALM.  When the DNS to REALM mapping is not present, Kerberos falls
back to attempting to map the KERBEROS REALM in question to the lowercase
form of its name as a DNS domain.  This is described in detail here:

https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#domain-realm

1) Cross realm ticket request
2) (see explanation & link above)
3) (see explanation above)

You also need to make sure that within your HDFS configuration you are
configuring any additional "Trusted Kerberos REALMS" so that the
auth_to_local rules are constructed properly.


On Sat, Jun 17, 2017 at 12:26 PM, pratyush parimal <
pratyush.parimal at gmail.com> wrote:

> Hi everyone,
>
> I'm trying to set up cross-realm authentication so that a user in realm
> EXAMPLE.COM can access a service in HADOOP.COM. I've added a capaths
> section to my krb5.conf for the same:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = EXAMPLE.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>
> [realms]
>  EXAMPLE.COM = {
>   kdc = examplekdc.example.com
>   admin_server = examplekdc.example.com
>  }
>
>  HADOOP.COM = {
>   kdc = hadoopkdc.hadoop.com
>   admin_server = hadoopkdc.hadoop.com
>  }
>
> [domain_realm]
>  .example.com = EXAMPLE.COM
>  example.com = EXAMPLE.COM
>
> [capaths]
>  HADOOP.COM = {
>   EXAMPLE.COM = .
>  }
>
>
> I've also added the required principal krbtgt/HADOOP.COM at EXAMPLE.COM to
> both the KDC's. So far, everything is working and my application is able to
> do what it needs to.
>
> What I'm concerned about is the following line in my trace log on
> EXAMPLE.COM:
>
> [158447] 1497720267.441664: TGS request result: -1765328377/Server
> myservice/hadoopkdc.hadoop.com at EXAMPLE.COM not found in Kerberos database
> [158447] 1497720267.441680: Local realm referral failed; trying fallback
> realm HADOOP.COM
>
> My questions are the following:
> (1) what exactly is this local realm referral? Is this kerberos jargon for
> cross realm requests?
> (2) why would the local realm referral fail ? How do I explicitly specify
> how I want the local realm referral to occur?
> (3) What is the meaning of a fallback realm? And how do I specify one?
>
> As you can see from my krb5.conf, I haven't specified the fallback realm or
> referrals explicitly, so I think kerberos is picking up default values for
> them. I want to know how I can specify them explicitly.
>
> Thanks in advance !
> Pratyush
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME


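To make the [domain_realm] point concrete, here is an added example (my own code, not part of the original post or of MIT krb5) that emulates, in simplified form, how libkrb5 maps a service host name to a realm: an exact host entry first, then the longest matching ".suffix" entry, and only when neither exists the fallback of uppercasing the host's parent DNS domain, which is what the trace shows for hadoopkdc.hadoop.com resolving to HADOOP.COM. The krb5.conf text embedded below is the [domain_realm] section posted in the thread; the "fixed" variant adds the .hadoop.com entries the reply recommends. The parser only understands the flat section/key=value shape needed here, not nested {...} relation blocks (an assumption, not a full krb5.conf parser).

```python
"""Emulate libkrb5's host-to-realm lookup over a krb5.conf [domain_realm] section.

Added example, not from the original mailing-list post or from MIT krb5.
Lookup order (simplified): exact host entry, longest ".suffix" entry, then
fallback = uppercased parent domain of the host. The conf text below is the
[domain_realm] section posted in the thread, embedded inline for an offline run.
"""
import re

# Constructed from the posted krb5.conf: only EXAMPLE.COM hosts are mapped.
ORIGINAL_KRB5_CONF = """
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

# The same section with the mapping the reply says is missing.
FIXED_KRB5_CONF = ORIGINAL_KRB5_CONF + """
 .hadoop.com = HADOOP.COM
 hadoop.com = HADOOP.COM
"""


def parse_domain_realm(conf_text):
    """Return {domain_or_host: REALM} from the [domain_realm] section.

    Assumption: flat 'key = value' relations only; nested {...} blocks and
    include directives are not handled.
    """
    mapping = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def lookup_realm(host, mapping):
    """Return (realm, how); how is 'exact', 'suffix' or 'fallback'."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host], "exact"
    labels = host.split(".")
    # Longest suffix wins: ".a.b.c" is tried before ".b.c" before ".c".
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], "suffix"
    # No mapping at all: guess the parent DNS domain, uppercased.
    if len(labels) < 2:
        return None, "fallback"
    return ".".join(labels[1:]).upper(), "fallback"


def audit_hosts(conf_text, hosts):
    """Map each host and flag those that only resolve via the fallback guess."""
    mapping = parse_domain_realm(conf_text)
    return {h: lookup_realm(h, mapping) for h in hosts}


if __name__ == "__main__":
    hosts = ["hadoopkdc.hadoop.com", "examplekdc.example.com", "example.com"]
    for label, conf in (("original", ORIGINAL_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(f"--- {label} krb5.conf ---")
        for h, (realm, how) in audit_hosts(conf, hosts).items():
            flag = "  <-- add a [domain_realm] entry" if how == "fallback" else ""
            print(f"{h:28} -> {realm} ({how}){flag}")
```

Run against the original section, hadoopkdc.hadoop.com only resolves through the fallback guess, which is the "trying fallback realm HADOOP.COM" line in the trace; with the .hadoop.com entries added it resolves through an explicit suffix match and the fallback is never consulted. Because the fallback derives the realm purely from the host name, keeping it explicit in [domain_realm] also avoids the realm choice depending on how the client happens to spell a host.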