
domain_realm, hostname to realm mapping, what programs/services is this necessary for?


Christian, Mark

Dec 9, 2021, 1:54:26 AM12/9/21
to kerb...@mit.edu
I primarily use Kerberos with ssh gssapi-with-mic authentications, samba, and apache. I don't believe I need to populate the [domain_realm] section with hostname/domainname mappings to realms, even though the domainname for the hosts differs from the Kerberos realm; these Kerberized services still work. Or am I mistaken? default_realm is defined under [libdefaults], and dns_lookup_realm and dns_lookup_kdc are set to false. The krb5.conf man page mentions that this mapping is necessary for some programs or services. I'm wondering which services require this mapping?

Mark

Todd Heron

Dec 9, 2021, 9:10:54 AM12/9/21
On Thursday, December 9, 2021 at 1:54:26 AM UTC-5, Christian, Mark wrote:
> I primarily use Kerberos with ssh gssapi-with-mic authentications, samba, and apache. I don't believe I need to populate the [domain_realm] section with hostname/domainname mappings to realms, even though the domainname for the hosts differs from the Kerberos realm; these Kerberized services still work. Or am I mistaken? default_realm is defined under [libdefaults], and dns_lookup_realm and dns_lookup_kdc are set to false. The krb5.conf man page mentions that this mapping is necessary for some programs or services. I'm wondering which services require this mapping?
>
> Mark

There are many reasons the [domain_realm] section exists. One overlooked reason is Kerberos understands lower-case only. Some environments might have the realm in upper case (some Microsoft Active Directory environments, for instance). Thus this section allows your local Kerberos client to find those upper-case realms. Kerberos requires DNS, so even though your dns_lookup_realm and dns_lookup_kdc are set to false, and [domain_realm] might be blank, DNS will still be used; it just means your local Kerberos client is not going to rely on what is defined in krb5.conf, rather it will use the operating system's configured DNS servers. As far as the language on the krb5.conf man page mentioning that the mapping is necessary for some programs or services - I don't know.
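For reference, an added krb5.conf fragment (not from either poster) showing the situation the question describes: hosts in a DNS domain whose name differs from the realm, with DNS realm lookup disabled, so the client picks the realm for a service principal such as host/web01.lab.example.net from the [domain_realm] mapping instead of DNS. The domain lab.example.net, realm EXAMPLE.COM and host names are constructed placeholders.

```ini
# Added example krb5.conf (not from either poster). Assumptions: hosts live in
# the DNS domain lab.example.net while the Kerberos realm is EXAMPLE.COM, and
# the KDC is kdc1.lab.example.net; all names are constructed placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Realm and KDC discovery via DNS is off, so the entries below are the
    # only source of host-to-realm and realm-to-KDC information.
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.lab.example.net
        admin_server = kdc1.lab.example.net
    }

[domain_realm]
    # Leading dot: every host under this DNS domain belongs to EXAMPLE.COM.
    .lab.example.net = EXAMPLE.COM
    # No leading dot: the bare domain name itself when used as a hostname.
    lab.example.net = EXAMPLE.COM
    # A single host whose DNS suffix would otherwise not map to this realm.
    files01.partner.example.org = EXAMPLE.COM
```

The most specific entry wins: a full hostname entry overrides a dotted domain entry, and a longer domain suffix overrides a shorter one, so a stray catch-all such as `.example.org = EXAMPLE.COM` would silently route requests for unrelated hosts to your realm.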