The domain_realm section of the krb5.conf is used to map DNS domain names to Kerberos realms. So let's say you had an Active Directory domain (DNS domain and AD domain) of ad.example.com; its Kerberos realm would be AD.EXAMPLE.COM. But let's say your environment had Linux servers in dev.example.com, and you still wanted them to be recognized as systems that have services with Kerberos principals in the AD.EXAMPLE.COM Kerberos realm. You would use the [domain_realm] section of the krb5.conf to map this DNS domain to the Kerberos realm with the entry

    [domain_realm]
        dev.example.com = AD.EXAMPLE.COM

The need for this kind of configuration comes up in Hadoop, as the Kerberos principals for the Linux hosts will need to understand what realm and KDC they need to resolve to. The default behavior of Kerberos is to resolve the lowercase DNS name to the uppercase REALM name, but in the scenario where DNS names are host.dev.example.com and there is no Kerberos realm of DEV.EXAMPLE.COM, for Java applications things will fail with a GSS error of the "host not found in the Kerberos database" type, unless there is a [domain_realm] mapping like the above in place.

This is NOT cross-realm trust when you use this kind of [domain_realm] mapping; that is a completely different thing and would involve multiple Kerberos realms trusting each other for authenticating users and services (just in case you were going to ask).

On Wed, Dec 11, 2019 at 9:54 AM GemNEye <kerbe...@gemneye.org> wrote:

> I am trying to configure Kerberos, SSSD, SAMBA, SSSD on CentOS7 servers
> (without using winbind).
>
> I have had some success in getting everything to work, but after
> reviewing different docs found on the web my understanding of all the
> configurations is weak.
>
> In the /etc/krb5.conf file, what is the purpose of the [domain_realm]
> stanza? I can see its usage for REALMS that have been defined in the
> [realms] stanza, but what other realms and mappings would be configured
> in the [domain_realm] stanza? If I could understand how the mappings in
> the [domain_realm] stanza are used along with an explanation (outside of
> what is available on the MIT doc page), it would be extremely useful.
>
> Plus, I am curious about the files that get created in this location:
> /var/lib/sss/pubconf/krb5.include.d/. The files in this directory get
> dynamically created, and when I look at some of the values that are
> being configured it appears like values which have been configured in
> /etc/krb5.conf get overwritten. For example the value of
> udp_preference_limit seems to get set in the dynamic files regardless of
> how it is configured in /etc/krb5.conf.
>
> Thank You.
> GemNEye
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Todd Grayson
Principal Customer Operations Engineer
Security SME
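The lookup Todd describes, as an added example that is not part of the thread: a small Python model of how the krb5 library walks [domain_realm] for a host name, and which realm a service principal ends up in with and without the dev.example.com entry. The krb5.conf text and host names are constructed; the DNS TXT fallback (dns_fallback) and realm_try_domains are left out.

```python
# Added example (not from the thread): how the MIT krb5 library walks the
# [domain_realm] section to find a host's realm.  Simplified: the DNS TXT
# fallback (dns_fallback) and realm_try_domains are left out.

# Constructed krb5.conf fragment mirroring the scenario in the reply.
KRB5_CONF = """
[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }
[domain_realm]
    dev.example.com = AD.EXAMPLE.COM
    .lab.example.com = LAB.EXAMPLE.COM
"""

def parse_domain_realm(conf: str) -> dict:
    """Return the name -> REALM relations of the [domain_realm] section."""
    mapping, in_section = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            name, realm = (s.strip() for s in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def host_realm(host: str, mapping: dict) -> str:
    """Realm for host, in the library's lookup order.  For a.b.c.d the
    candidates are a.b.c.d, .b.c.d, b.c.d, .c.d, c.d, .d, d: a dotted entry
    covers only hosts beneath the domain, an undotted one also the domain
    itself.  With no match the domain part is simply upper-cased."""
    candidate = host = host.lower()
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]                 # .b.c.d -> b.c.d
        else:
            dot = candidate.find(".")                 # a.b.c.d -> .b.c.d
            candidate = candidate[dot:] if dot != -1 else ""
    return host.partition(".")[2].upper()   # host.dev.example.com -> DEV.EXAMPLE.COM

def service_principal(service: str, host: str, mapping: dict) -> str:
    """Principal a client will ask the KDC for, e.g. host/name@REALM."""
    return f"{service}/{host.lower()}@{host_realm(host, mapping)}"
```

Without the dev.example.com entry the Hadoop host asks for host/nn1.dev.example.com@DEV.EXAMPLE.COM, a realm that does not exist, which is the situation behind the GSS error in the reply.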