Kerberos / krb5.conf / CentOS7
tgrayson at cloudera.com
Wed Dec 11 20:52:05 EST 2019
The domain_realm section of the krb5.conf is used to map DNS domain names
to kerberos realms. So lets say you had an active directory domain (dns
domain and AD domain) of ad.example.com, its kerberos realm would be
AD.EXAMPLE.COM, but lets say your environment had linux servers in
dev.example.com, but you still wanted them to be recognized as systems that
are have services that have kerberos principals in the AD.EXAMPLE.COM
kerberos realm. You would use the [domain_realms] section of the krb5.conf
to map this dns domain to the kerberos realm with the entry
dev.example.com = AD.EXAMPLE.COM
The need for this kind of configuration comes up in hadoop as the kerberos
principals for the linux hosts will need to understand what realm and KDC
they need to resolve to, as the default behavior of kerberos to resolve the
lowercase dns name to the uppercase REALM name, but in the scenario where
dns names are host.dev.example.com, and there is no kerberos realm of
DEV.EXAMPLE.COM, for java applications things will fail with a GSS error of
"host not found in the kerberos database" type of message, unless there is
a [domain_realm] mapping like above in place.
This is NOT cross realm trust when you use this kind of [domain_realm]
mapping, that is a completely different thing and would involve multiple
kerberos realms trusting each other for authenticating users and services
(just in case you were going to ask).
On Wed, Dec 11, 2019 at 9:54 AM GemNEye <kerberos at gemneye.org> wrote:
> I am trying to configure Kerberos, SSSD, SAMBA, SSSD on CentOS7 servers
> (without using winbind).
> I have had some success in getting everything to work, but after
> reviewing different docs found on the web my understanding of all the
> configurations is weak.
> In the /etc/krb5.conf file, what is the purpose of the [domain_realm]
> stanza? I can see its usage for REALMS that have been defined in the
> [realms] stanza, but what other realms and mapping would be configured
> in the [domain_realm] stanza? If I could understand how the mappings in
> the [domain_realm] stanza are used along with an explanation (outside of
> what is available on the MIT doc page), it would be extremely useful.
> Plus, I am curious about the files that get created in this location:
> /var/lib/sss/pubconf/krb5.include.d/ . The files in this directory get
> dynamically created, and when I look at some of the values that are
> being configured it appears like values which have been configured in
> /etc/krb5.conf get overwritten. For example the value of
> udp_preference_limit seems to get set in the dynamic files regardless of
> how it is configured in /etc/krb5.conf.
> Thank You.
> Kerberos mailing list Kerberos at mit.edu
Principal Customer Operations Engineer
More information about the Kerberos