Kerberos / krb5.conf / CentOS7

Todd Grayson tgrayson at cloudera.com
Wed Dec 11 21:16:07 EST 2019


Cross realm trust would involve setting up specific krbtgt principals that
represent the trusting realm and trusted realm, having proper realm entries
present as well as proper domain_realm declarations in place.  We cover the
cross realm trust concept and command line steps between MIT realms as well
as between an AD realm and an MIT realm in our product documentation (google
"kerberos cross realm trust cloudera" to find it).  For AD to AD realm
trust, the domains & trusts management tool is used to configure this via a
GUI.

If you have indirect trust scenarios (e.g. REALM A trusts REALM B, and
REALM C trusts REALM B, but A and B do not trust each other) you will need
to read up on using CAPATH maps as well.

Glad to help.

On Wed, Dec 11, 2019 at 7:05 PM GemNEye <kerberos at gemneye.org> wrote:

> On 2019-12-11 18:52, Todd Grayson wrote:
>
> The domain_realm section of the krb5.conf is used to map DNS domain names
> to kerberos realms.  So let's say you had an active directory domain (dns
> domain and AD domain) of ad.example.com; its kerberos realm would be
> AD.EXAMPLE.COM, but let's say your environment had linux servers in
> dev.example.com, and you still wanted them to be recognized as systems
> that have services with kerberos principals in the AD.EXAMPLE.COM
> kerberos realm.  You would use the [domain_realm] section of the krb5.conf
> to map this dns domain to the kerberos realm with the entry
>
> [domain_realm]
> dev.example.com = AD.EXAMPLE.COM
>
> The need for this kind of configuration comes up in hadoop, as the kerberos
> principals for the linux hosts will need to understand what realm and KDC
> they need to resolve to.  The default behavior of kerberos is to resolve the
> lowercase dns name to the uppercase REALM name, but in the scenario where
> dns names are host.dev.example.com and there is no kerberos realm of
> DEV.EXAMPLE.COM, for java applications things will fail with a GSS error
> of the "host not found in the kerberos database" type, unless there
> is a [domain_realm] mapping like the one above in place.
>
> This is NOT cross realm trust when you use this kind of [domain_realm]
> mapping, that is a completely different thing and would involve multiple
> kerberos realms trusting each other for authenticating users and services
> (just in case you were going to ask).
>
>
> --
> Todd Grayson
> Principal Customer Operations Engineer
> Security SME
>
> Yep, that is exactly what I was going to ask.  Our current config has
> entries for other AD DNS domains being mapped to the realm that is
> configured in the [realms] stanza.  I was trying to figure out why that was
> being done and what purpose it was serving.  I was not able to get an
> answer from my co-workers, which is why I posted here.  From your
> description it sounds like this configuration is probably erroneous.
>
> Thank you for your response.
>


-- 
Todd Grayson
Principal Customer Operations Engineer
Security SME
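The [domain_realm] lookup described in the quoted explanation, as an added example that is not part of the thread and not MIT krb5's own code: a small Python model of the order in which the mapping is consulted for a host name, using the thread's dev.example.com entry plus two constructed entries (a leading-dot domain entry and a single-host override). It returns the chosen realm together with the rule that produced it, and deliberately omits the KDC referral step the real library tries before falling back to the upper-cased DNS domain.

```python
# Model of how MIT krb5 consults [domain_realm] to pick a realm for a host.
# Constructed sample config: the thread's dev.example.com entry plus a
# leading-dot domain entry and a single-host override (both assumptions).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM

[domain_realm]
    dev.example.com = AD.EXAMPLE.COM            # hosts under dev.example.com
    .lab.example.com = AD.EXAMPLE.COM           # explicit domain form
    legacy01.lab.example.com = OLD.EXAMPLE.COM  # one host overrides its domain
"""


def parse_domain_realm(text):
    """Return {name: REALM} from the [domain_realm] section of krb5.conf text."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def host_realm(host, mapping):
    """Return (realm, reason): exact host entry first, then parent domains from
    longest to shortest (".dom" form, then the implied bare "dom" form), and
    finally krb5's default of upper-casing the DNS domain, which is what yields
    a non-existent realm like DEV.EXAMPLE.COM when no mapping is present.
    Simplification: the real library also tries KDC referrals before that."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host], "host entry"
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in mapping:
                return mapping[key], "domain entry " + key
    if len(labels) < 2:
        return None, "unqualified host; no domain to derive a realm from"
    return ".".join(labels[1:]).upper(), "default: upper-cased DNS domain"
```

Running `host_realm("node1.qa.example.com", parse_domain_realm(SAMPLE_KRB5_CONF))` shows the failure case from the thread: with no mapping for qa.example.com the client derives QA.EXAMPLE.COM, a realm that does not exist.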