Kerberos question

mokkan
I am new to Kerberos and setting up Kerberos servers.

What is the difference between realms and domain_realm? Also, what is a realm?

[realms]
    MYSERVER.COM = {
        kdc = kdc.myserver.com:88
        admin_server = kdc.myserver.com:749
        default_domain = myserver.com
    }

[domain_realm]
    .myserver.com = MYSERVER.COM
    myserver.com = MYSERVER.COM


From the client, how do I check which one is the Kerberos server?
Technical Lead - Network Support
Commented:
Hi,

A Kerberos realm is the domain over which a Kerberos authentication server has the authority to authenticate a user, host or service.

When a client attempts to access a service running on a particular server, it knows the name of the service (host) and the name of the server, but because more than one realm may be deployed on your network, it must guess at the name of the realm in which the service resides. By default, the name of the realm is taken to be the DNS domain name of the server, upper-cased.

In some configurations, this will be sufficient, but in others, the realm name which is derived will be the name of a non-existent realm. In these cases, the mapping from the server's DNS domain name to the name of its realm must be specified in the domain_realm section of the client system's krb5.conf. For example:

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

The above configuration specifies two mappings. The first mapping specifies that any system in the "example.com" DNS domain belongs to the EXAMPLE.COM realm. The second specifies that a system with the exact name "example.com" is also in the realm. (The distinction between a domain and a specific host is marked by the presence or lack of an initial ".".) The mapping can also be stored directly in DNS.

Reference: https://www.centos.org/docs/5/html/5.1/Deployment_Guide/sec-kerberos-client2.html

Also refer to: https://msdn.microsoft.com/en-us/library/bb742433.aspx

Thanks,
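The lookup order the reply describes (exact host entry in [domain_realm], then the longest matching dotted-domain suffix, then the upper-cased DNS domain as the default) can be reproduced in a few lines. The following is an added example, not code from the thread or from MIT Kerberos; it parses a krb5.conf text constructed from the snippet in the question (with a second kdc line and an extra host mapping added for illustration) and answers "which KDC does my client use for this host?" from the client's own configuration. DNS-based realm mapping and the SRV-record KDC lookup are not implemented here.

```python
"""Resolve a service hostname to its Kerberos realm and KDC list as a client would.

Added example, not from the original thread. Implements the lookup order the
reply describes: explicit [domain_realm] mapping (exact host first, then the
longest matching ".domain" suffix), falling back to the upper-cased DNS domain,
then returns the kdc entries from [realms]. The config text is constructed.
"""
import re

# Constructed sample in the format the question posted; second kdc line and
# the legacy host mapping are illustrative additions.
SAMPLE_KRB5_CONF = """
[realms]
    MYSERVER.COM = {
        kdc = kdc.myserver.com:88
        kdc = kdc2.myserver.com:88
        admin_server = kdc.myserver.com:749
        default_domain = myserver.com
    }

[domain_realm]
    .myserver.com = MYSERVER.COM
    myserver.com = MYSERVER.COM
    legacy.myserver.com = OLD.MYSERVER.COM
"""


def parse_krb5_conf(text):
    """Parse the [realms] and [domain_realm] sections of a krb5.conf text.

    Returns (realms, domain_realm): realms maps REALM -> {key: [values]},
    domain_realm maps a lower-cased host or ".domain" pattern -> REALM.
    """
    realms, domain_realm = {}, {}
    section, current_realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, current_realm = header.group(1), None
            continue
        if section == "realms":
            if line.endswith("{"):  # "REALM = {" opens a realm block
                current_realm = line.split("=", 1)[0].strip()
                realms[current_realm] = {}
            elif line == "}":
                current_realm = None
            elif current_realm and "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                realms[current_realm].setdefault(key, []).append(value)
        elif section == "domain_realm" and "=" in line:
            pattern, realm = (p.strip() for p in line.split("=", 1))
            domain_realm[pattern.lower()] = realm
    return realms, domain_realm


def realm_for_host(hostname, domain_realm):
    """Map a hostname to a realm using [domain_realm], else the default rule."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:            # exact host entry (no leading dot)
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):     # longest ".a.b.c" suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    # Default: the host's DNS domain, upper-cased, as the reply states.
    return ".".join(labels[1:]).upper() if len(labels) > 1 else host.upper()


def kdcs_for_host(hostname, conf_text=SAMPLE_KRB5_CONF):
    """Return (realm, [kdc, ...]); the list is empty if [realms] has no entry."""
    realms, domain_realm = parse_krb5_conf(conf_text)
    realm = realm_for_host(hostname, domain_realm)
    return realm, realms.get(realm, {}).get("kdc", [])


if __name__ == "__main__":
    for h in ("web.myserver.com", "myserver.com",
              "legacy.myserver.com", "db.other.org"):
        print(h, "->", kdcs_for_host(h))
```

A realm that resolves but has no kdc entry (OLD.MYSERVER.COM above) is exactly the case the reply warns about: a real client would then either fail or, if DNS lookup of KDCs is enabled in krb5.conf, fall back to the `_kerberos._udp.<REALM>` SRV records, so checking both the config file and those records is how a Linux client confirms which server it will actually talk to.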

Author

Commented:
Thank you very much. Our Kerberos server is on Linux; how do we make AD users authenticate through the Kerberos server?

Author

Commented:
From the client, how do we check the master Kerberos server? Basically I would like to find out which one is the Authentication Server.
Abhi Pappi, Technical Lead - Network Support
Commented:
Hi,

I have seen Linux servers join to windows domain, however in your case you may need to configure a cross-forest (realm) trust for Linux kerberos server to work with windows AD.

This may be helpful, from page 41 of https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Windows_Integration_Guide/Red_Hat_Enterprise_Linux-7-Windows_Integration_Guide-en-US.pdf

From a Windows client, you can get the server details using the command:

nltest /dsgetdc:DOMAINNAME /kdc

Sorry, I don't have working experience with Linux, so I hope some Linux experts will be able to assist you with precise commands for this.

Thanks,
Abhi Pappi, Technical Lead - Network Support

Commented:
Since I have spent time answering the Kerberos and realm questions, I hope I have the privilege of getting some points. Since no one else answered on this thread, it's a shame to leave no points assigned, so I am assigning some points to myself.
