Kerberos / krb5.conf / CentOS7


Kerberos / krb5.conf / CentOS7

GemNEye
I am trying to configure Kerberos, SSSD, SAMBA, SSSD on CentOS7 servers
(without using winbind).

I have had some success in getting everything to work, but after
reviewing different docs found on the web my understanding of all the
configurations is weak.

In the /etc/krb5.conf file, what is the purpose of the [domain_realm]
stanza?  I can see its usage for REALMS that have been defined in the
[realms] stanza, but what other realms and mapping would be configured
in the [domain_realm] stanza?  If I could understand how the mappings in
the [domain_realm] stanza are used along with an explanation (outside of
what is available on the MIT doc page), it would be extremely useful.

Plus, I am curious about the files that get created in this location:
/var/lib/sss/pubconf/krb5.include.d/.  The files in this directory get
dynamically created, and when I look at some of the values that are
being configured it appears that values which have been configured in
/etc/krb5.conf get overwritten.  For example, the value of
udp_preference_limit seems to get set in the dynamic files regardless of
how it is configured in /etc/krb5.conf.

Thank You.
GemNEye

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos / krb5.conf / CentOS7

Todd Grayson
The domain_realm section of the krb5.conf is used to map DNS domain names
to Kerberos realms.  So let's say you had an Active Directory domain (DNS
domain and AD domain) of ad.example.com; its Kerberos realm would be
AD.EXAMPLE.COM.  But let's say your environment had Linux servers in
dev.example.com, and you still wanted them to be recognized as systems that
have services with Kerberos principals in the AD.EXAMPLE.COM
Kerberos realm.  You would use the [domain_realm] section of the krb5.conf
to map this DNS domain to the Kerberos realm with the entry

[domain_realm]
dev.example.com = AD.EXAMPLE.COM

The need for this kind of configuration comes up in Hadoop, as the Kerberos
principals for the Linux hosts will need to understand what realm and KDC
they need to resolve to.  The default behavior of Kerberos is to resolve the
lowercase DNS name to the uppercase REALM name, but in the scenario where
DNS names are host.dev.example.com and there is no Kerberos realm of
DEV.EXAMPLE.COM, Java applications will fail with a GSS error of the
"host not found in the kerberos database" type, unless there is
a [domain_realm] mapping like the above in place.

This is NOT cross realm trust when you use this kind of [domain_realm]
mapping; that is a completely different thing and would involve multiple
Kerberos realms trusting each other for authenticating users and services
(just in case you were going to ask).



--
Todd Grayson
Principal Customer Operations Engineer
Security SME

Re: Kerberos / krb5.conf / CentOS7

GemNEye
On 2019-12-11 18:52, Todd Grayson wrote:

> The domain_realm section of the krb5.conf is used to map DNS domain names to Kerberos realms.  So let's say you had an Active Directory domain (DNS domain and AD domain) of ad.example.com; its Kerberos realm would be AD.EXAMPLE.COM.  But let's say your environment had Linux servers in dev.example.com, and you still wanted them to be recognized as systems that have services with Kerberos principals in the AD.EXAMPLE.COM Kerberos realm.  You would use the [domain_realm] section of the krb5.conf to map this DNS domain to the Kerberos realm with the entry
>
> [domain_realm]
> dev.example.com = AD.EXAMPLE.COM
>
> The need for this kind of configuration comes up in Hadoop, as the Kerberos principals for the Linux hosts will need to understand what realm and KDC they need to resolve to.  The default behavior of Kerberos is to resolve the lowercase DNS name to the uppercase REALM name, but in the scenario where DNS names are host.dev.example.com and there is no Kerberos realm of DEV.EXAMPLE.COM, Java applications will fail with a GSS error of the "host not found in the kerberos database" type, unless there is a [domain_realm] mapping like the above in place.
>
> This is NOT cross realm trust when you use this kind of [domain_realm] mapping; that is a completely different thing and would involve multiple Kerberos realms trusting each other for authenticating users and services (just in case you were going to ask).
> --
>
> Todd Grayson
>
> Principal Customer Operations Engineer
> Security SME

Yep, that is exactly what I was going to ask.  Our current config has
entries for other AD DNS domains being mapped to the realm that is
configured in the [realms] stanza.  I was trying to figure out why that
was being done and what purpose it was serving.  I was not able to get
an answer from my co-workers, which is why I posted here.  From your
description it sounds like this configuration is probably erroneous.

Thank you for your response.

Re: Kerberos / krb5.conf / CentOS7

Todd Grayson
Cross realm trust would involve setting up specific krbtgt principals that
represent the trusting realm and trusted realm, having proper realm entries
present as well as proper domain_realm declarations in place.  We cover the
cross realm trust concept and command line steps between MIT realms as well
as between an AD realm and an MIT realm in our product documentation (google
"kerberos cross realm trust cloudera" to find it).  For AD to AD realm
trust, the Domains & Trusts management tool is used to configure this via a
GUI.

If you have indirect trust scenarios (e.g. REALM A trusts REALM B, and
REALM C trusts REALM B, but A and B do not trust each other) you will need
to read up on using CAPATH maps as well.

Glad to help.


--
Todd Grayson
Principal Customer Operations Engineer
Security SME


Re: Kerberos / krb5.conf / CentOS7

Todd Grayson
Oops, I mistyped the CAPATH example; it SHOULD read:

(e.g. REALM A trusts REALM B, and REALM C trusts REALM B, but REALM A and
REALM C do not trust each other)

--
Todd Grayson
Principal Customer Operations Engineer
Security SME
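The [domain_realm] lookup from Todd's first reply and the corrected CAPATH scenario from his follow-up, modelled in plain Python as an added example (not code from the thread or from MIT krb5). The DOMAIN_REALM and CAPATHS dicts are constructed krb5.conf-style data for the thread's example names, and the function names host_realm and transit_path are my own.

```python
"""Added example: [domain_realm] host-to-realm lookup and a [capaths]
transit path, modelled on the realms used in the thread.  The data below
is constructed to mirror a krb5.conf, not read from a real one."""

# [domain_realm] as a dict.  A key with a leading dot matches every host
# under that domain; a key without one matches only that exact host name.
DOMAIN_REALM = {
    ".ad.example.com": "AD.EXAMPLE.COM",
    "dev.example.com": "AD.EXAMPLE.COM",    # the thread's entry: exact host only
    ".dev.example.com": "AD.EXAMPLE.COM",   # covers host.dev.example.com etc.
}

# [capaths] as nested dicts: client realm -> server realm -> intermediates.
# Models the corrected scenario: A and C each trust B but not each other.
CAPATHS = {
    "A.EXAMPLE.COM": {"C.EXAMPLE.COM": ["B.EXAMPLE.COM"]},
    "C.EXAMPLE.COM": {"A.EXAMPLE.COM": ["B.EXAMPLE.COM"]},
}


def host_realm(hostname, domain_realm=DOMAIN_REALM):
    """Realm for a host: exact host name first, then each parent domain with
    a leading dot (longest first), then the fallback the thread describes:
    uppercase the host's parent DNS domain and use that as the realm."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()


def transit_path(client_realm, server_realm, capaths=CAPATHS):
    """Realms a client in client_realm crosses to reach server_realm, as
    [client, intermediates..., server]; '.' in krb5.conf means direct."""
    hops = capaths.get(client_realm, {}).get(server_realm, [])
    return [client_realm] + [h for h in hops if h != "."] + [server_realm]


if __name__ == "__main__":
    for h in ("host.dev.example.com", "dev.example.com", "db.ad.example.com"):
        print(h, "->", host_realm(h))
    # With only the exact-host entry, a host under dev.example.com falls
    # back to DEV.EXAMPLE.COM, which is the failure the thread describes.
    print(host_realm("host.dev.example.com", {"dev.example.com": "AD.EXAMPLE.COM"}))
    print(transit_path("A.EXAMPLE.COM", "C.EXAMPLE.COM"))
```

Note the two key forms: krb5 treats a [domain_realm] key without a leading dot as one exact host name, so mapping the hosts under dev.example.com needs the .dev.example.com form as well.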
