On 2019-12-11 18:52, Todd Grayson wrote:
> The domain_realm section of the krb5.conf is used to map DNS domain names to
> kerberos realms. So let's say you had an active directory domain (dns domain
> and AD domain) of ad.example.com, its kerberos realm would be
> AD.EXAMPLE.COM, but let's say your environment had linux servers in
> dev.example.com, but you still wanted them to be recognized as systems
> that have services that have kerberos principals in the AD.EXAMPLE.COM
> kerberos realm. You would use the [domain_realm] section of the
> krb5.conf to map this dns domain to the kerberos realm with the entry
>
> [domain_realm]
> dev.example.com = AD.EXAMPLE.COM
>
> The need for this kind of configuration comes up in hadoop as the kerberos
> principals for the linux hosts will need to understand what realm and KDC
> they need to resolve to, as the default behavior of kerberos is to resolve the
> lowercase dns name to the uppercase REALM name, but in the scenario where dns
> names are host.dev.example.com, and there is no kerberos realm of
> DEV.EXAMPLE.COM, for java applications things will fail with a GSS error
> of the "host not found in the kerberos database" type, unless there is
> a [domain_realm] mapping like above in place.
>
> This is NOT cross realm trust when you use this kind of [domain_realm]
> mapping, that is a completely different thing and would involve multiple
> kerberos realms trusting each other for authenticating users and services
> (just in case you were going to ask).
> --
>
> Todd Grayson
>
> Principal Customer Operations Engineer
> Security SME
Yep, that is exactly what I was going to ask. Our current config has entries for other AD DNS domains being mapped to the realm that is configured in the [realms] stanza. I was trying to figure out why that was being done and what purpose it was serving. I was not able to get an answer from my co-workers, which is why I posted here. From your description it sounds like this configuration is probably erroneous. Thank you for your response.

________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
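To make the host-to-realm lookup described in the thread concrete, here is a simplified model (an added example, not MIT krb5 code and not from either poster) of how a client chooses the realm for a service host from the [domain_realm] section. It assumes the lookup order given in the krb5.conf documentation, exact host name first, then each parent domain with a leading dot, then the upper-cased parent domain as the fallback; check that order against your library version. The krb5.conf fragment is constructed from the domains used in this thread.

```python
"""Simplified model of Kerberos [domain_realm] resolution (added example)."""
import re

# Constructed krb5.conf fragment. Assumption: a leading dot makes an entry
# cover every host under that domain, while a bare name matches only that
# exact host name, so both forms are listed for dev.example.com.
KRB5_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM

[domain_realm]
    .dev.example.com = AD.EXAMPLE.COM
    dev.example.com = AD.EXAMPLE.COM
"""


def parse_domain_realm(conf: str) -> dict:
    """Return the name -> REALM pairs from the [domain_realm] section only."""
    mapping, in_section = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            in_section = section.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def host_to_realm(host: str, mapping: dict) -> str:
    """Pick the realm for a service host the way the thread describes."""
    host = host.lower().rstrip(".")
    if host in mapping:                      # exact host entry wins
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # .dev.example.com, .example.com, .com
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    # No mapping: fall back to the upper-cased parent domain. For
    # host.dev.example.com that yields DEV.EXAMPLE.COM, the realm that does
    # not exist in the scenario above, hence the "not found" GSS error.
    return ".".join(labels[1:]).upper()


if __name__ == "__main__":
    m = parse_domain_realm(KRB5_CONF)
    for h in ("host.dev.example.com", "node1.ad.example.com"):
        print(h, "->", host_to_realm(h, m), "| unmapped:", host_to_realm(h, {}))
```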