Kerberos / krb5.conf / CentOS7

Todd Grayson tgrayson at cloudera.com
Wed Dec 11 22:43:01 EST 2019


Oops, mistyped the CAPATH example; it SHOULD read:

(e.g. REALM A trusts REALM B, and REALM C trusts REALM B, but REALM A and
REALM C do not trust each other)

On Wed, Dec 11, 2019 at 7:16 PM Todd Grayson <tgrayson at cloudera.com> wrote:

> Cross realm trust would involve setting up specific krbtgt principals that
> represent the trusting realm and trusted realm, having proper realm entries
> present as well as proper domain_realm declarations in place.  We cover the
> cross realm trust concept and command line steps between MIT realms as well
> as between an AD realm and an MIT realm in our product documentation (google
> "kerberos cross realm trust cloudera" to find it).  For AD to AD realm
> trust, the domains & trusts management tool is used to configure this via a
> GUI.
>
> If you have indirect trust scenarios (e.g. REALM A trusts REALM B, and
> REALM C trusts REALM B, but A and B do not trust each other) you will need
> to read up on using CAPATH maps as well.
>
> Glad to help.
>
> On Wed, Dec 11, 2019 at 7:05 PM GemNEye <kerberos at gemneye.org> wrote:
>
>> On 2019-12-11 18:52, Todd Grayson wrote:
>>
>> The domain_realm section of the krb5.conf is used to map DNS domain names
>> to kerberos realms.  So let's say you had an active directory domain (dns
>> domain and AD domain) of ad.example.com; its kerberos realm would be
>> AD.EXAMPLE.COM.  But let's say your environment had linux servers in
>> dev.example.com, and you still wanted them to be recognized as systems
>> that have services with kerberos principals in the
>> AD.EXAMPLE.COM kerberos realm.  You would use the [domain_realm]
>> section of the krb5.conf to map this dns domain to the kerberos realm with
>> the entry
>>
>> [domain_realm]
>> dev.example.com = AD.EXAMPLE.COM
>>
>> The need for this kind of configuration comes up in hadoop, as the
>> kerberos principals for the linux hosts will need to understand what realm
>> and KDC they need to resolve to.  The default behavior of kerberos is to
>> resolve the lowercase dns name to the uppercase REALM name, but in the
>> scenario where dns names are host.dev.example.com, and there is no
>> kerberos realm of DEV.EXAMPLE.COM, for java applications things will
>> fail with a GSS error of the "host not found in the kerberos database" type of
>> message, unless there is a [domain_realm] mapping like the above in place.
>>
>> This is NOT cross realm trust when you use this kind of [domain_realm]
>> mapping, that is a completely different thing and would involve multiple
>> kerberos realms trusting each other for authenticating users and services
>> (just in case you were going to ask).
>>
>>
>> --
>> Todd Grayson
>> Principal Customer Operations Engineer
>> Security SME
>>
>> Yep, that is exactly what I was going to ask.  Our current config has
>> entries for other AD DNS domains being mapped to the realm that is
>> configured in the [realms] stanza.  I was trying to figure out why that was
>> being done and what purpose it was serving.  I was not able to get an
>> answer from my co-workers, which is why I posted here.  From your
>> description it sounds like this configuration is probably erroneous.
>>
>> Thank you for your response.
>>
>
>
> --
> Todd Grayson
> Principal Customer Operations Engineer
> Security SME
>
>

-- 
Todd Grayson
Principal Customer Operations Engineer
Security SME
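To make the host-to-realm behaviour described in this thread concrete, here is an added example (not code from the thread or from MIT krb5): a small resolver that reads a constructed krb5.conf fragment and applies the [domain_realm] matching rules from the krb5.conf man page, with the upper-cased parent domain as the fallback (the DNS-based lookups the real library also tries are omitted as a simplification). The `.lab.example.com` / `lab.example.com` pair is an assumed extra mapping to show the dotted versus bare tag distinction.

```python
import re

# Constructed krb5.conf fragment for the thread's scenario: Linux hosts in
# dev.example.com whose service principals live in the AD.EXAMPLE.COM realm.
KRB5_CONF = """
[libdefaults]
  default_realm = AD.EXAMPLE.COM

[domain_realm]
  dev.example.com = AD.EXAMPLE.COM
  .lab.example.com = LAB.EXAMPLE.COM
  lab.example.com = AD.EXAMPLE.COM
"""

def parse_domain_realm(conf):
    """Return the [domain_realm] relations as a dict, tags lower-cased."""
    mapping, section = {}, None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "domain_realm" and "=" in line:
            tag, realm = (s.strip() for s in line.split("=", 1))
            mapping[tag.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """Resolve a service host to (realm, explicit). Exact host tag first, then
    each parent domain: a '.domain' tag matches hosts under it, a bare 'domain'
    tag matches the host itself and, absent a '.domain' tag, everything under
    it. No match: fall back to the upper-cased parent domain, which is where
    host.dev.example.com ends up as DEV.EXAMPLE.COM without a mapping."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], True
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        for tag in ("." + domain, domain):
            if tag in mapping:
                return mapping[tag], True
    parent = ".".join(labels[1:]) if len(labels) > 1 else host
    return parent.upper(), False

MAPPING = parse_domain_realm(KRB5_CONF)
```

Comparing `host_realm("host.dev.example.com", MAPPING)` with the same call against an empty mapping shows the difference between landing in AD.EXAMPLE.COM and in the nonexistent DEV.EXAMPLE.COM realm.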