Local realm referral failed; trying fallback realm HADOOP.COM


Local realm referral failed; trying fallback realm HADOOP.COM

pratyush parimal
Hi everyone,

I'm trying to set up cross-realm authentication so that a user in realm
EXAMPLE.COM can access a service in HADOOP.COM. I've added a capaths
section to my krb5.conf for the same:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = examplekdc.example.com
  admin_server = examplekdc.example.com
 }

 HADOOP.COM = {
  kdc = hadoopkdc.hadoop.com
  admin_server = hadoopkdc.hadoop.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[capaths]
 HADOOP.COM = {
  EXAMPLE.COM = .
 }


I've also added the required principal krbtgt/[hidden email] to
both the KDCs. So far, everything is working and my application is able to
do what it needs to.

What I'm concerned about is the following line in my trace log on
EXAMPLE.COM:

[158447] 1497720267.441664: TGS request result: -1765328377/Server
myservice/[hidden email] not found in Kerberos database
[158447] 1497720267.441680: Local realm referral failed; trying fallback
realm HADOOP.COM

My questions are the following:
(1) What exactly is this local realm referral? Is this Kerberos jargon for
cross-realm requests?
(2) Why would the local realm referral fail? How do I explicitly specify
how I want the local realm referral to occur?
(3) What is the meaning of a fallback realm? And how do I specify one?

As you can see from my krb5.conf, I haven't specified the fallback realm or
referrals explicitly, so I think Kerberos is picking up default values for
them. I want to know how I can specify them explicitly.

Thanks in advance!
Pratyush
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Local realm referral failed; trying fallback realm HADOOP.COM

Todd Grayson
You need to make sure you have a [domain_realm] mapping for each DNS domain
name to REALM.  When the DNS to REALM mapping is not present, Kerberos falls
back to attempting to map the KERBEROS REALM in question to the lowercase
form of its name as a DNS domain.  This is described in detail, here.

https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#domain-realm

1) Cross realm ticket request
2) (see explanation & link above)
3) (see explanation above)

You also need to make sure that within your HDFS configuration you are
configuring any additional "Trusted Kerberos REALMS" so that the
auth_to_local rules are constructed properly.


On Sat, Jun 17, 2017 at 12:26 PM, pratyush parimal <
[hidden email]> wrote:

--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
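An added example, not code from either poster: a small Python model of the [domain_realm] lookup the answer describes, run against a constructed copy of the question's section. It models the MIT krb5 documented behaviour (exact host, then each parent domain with a leading dot; if nothing matches, the library asks the client realm's KDC for a referral and, failing that, uses the host's parent domain uppercased as the fallback realm) but does not model the KDC exchange itself; hostnames such as dn1.hadoop.com are assumptions.

```python
"""Model of the krb5 [domain_realm] lookup and its fallback (added example)."""

# Constructed copy of the [domain_realm] section from the question: it maps
# example.com hosts but says nothing about hadoop.com.
KRB5_CONF = """
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

# Same section with the mapping the answer asks for added.
FIXED_CONF = KRB5_CONF + " .hadoop.com = HADOOP.COM\n hadoop.com = HADOOP.COM\n"


def parse_domain_realm(conf):
    """Return the key/value pairs of the [domain_realm] section."""
    mapping, in_section = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def lookup_realm(host, mapping):
    """Exact host first, then each parent domain with a leading dot
    (longest suffix wins); None when no relation applies."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        realm = mapping.get("." + ".".join(labels[i:]))
        if realm is not None:
            return realm
    return None


def resolve(host, conf=KRB5_CONF):
    """(realm, how): 'domain_realm' when a relation matched, otherwise the
    documented fallback of the host's parent domain uppercased."""
    realm = lookup_realm(host, parse_domain_realm(conf))
    if realm is not None:
        return realm, "domain_realm"
    return host.lower().rstrip(".").partition(".")[2].upper(), "fallback"
```

With the question's section a hadoop.com host only reaches HADOOP.COM through the fallback, which is the "trying fallback realm" line in the trace; with the added relations it is an explicit [domain_realm] hit.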