04-07-2011 08:26 AM
I have a user that cannot connect to the KE Server because they're using a different Domain Controller (DC) server that is not defined in the krb5.ini file. How do I update the file? Add a new [realm] statement in addition to the one already there? What's the syntax? Here's what it looks like now...
[realms]
XX.YYY.COM = {
kdc = DCSERVER1.XX.YYY.com
admin_server = DCSERVER1.XX.YYY.com
default_domain = XX.YYY.COM
}
Do I just add another Domain Controller server here? (e.g.)
XX.YYY.COM = {
kdc = DCSERVER2.XX.YYY.com
admin_server = DCSERVER2.XX.YYY.com
default_domain = XX.YYY.COM
}
And most importantly, what happens if there are many DC's? Do I need to add them all?
There's got to be a better method, no?
04-11-2011 02:06 PM
Hi Bryan,
Here is the sample krb5.ini (from our "Integrating KE with AD using Kerberos" document):
[libdefaults]
default_realm=INTERNAL.EXAMPLE.COM
default_tkt_enctypes=rc4-hmac des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes=rc4-hmac des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes=rc4-hmac des-cbc-md5 des-cbc-crc des3-cbc-sha1
dns_lookup_kdc=true
noaddress=false
kdc_req_checksum_type=2
ccache_type=2
ticket_lifetime=600
[realms]
INTERNAL.EXAMPLE.COM = {
kdc = AD01.INTERNAL.EXAMPLE.COM
admin_server = AD01.INTERNAL.EXAMPLE.COM
default_domain = INTERNAL.EXAMPLE.COM
}
CHILD1.INTERNAL.EXAMPLE.COM = {
kdc = PROLDAP01.CHILD1.INTERNAL.EXAMPLE.COM
admin_server = PROLDAP01.CHILD1.INTERNAL.EXAMPLE.COM
default_domain = CHILD1.INTERNAL.EXAMPLE.COM
}
[domain_realm]
.internal.example.com = INTERNAL.EXAMPLE.COM
Internal.example.com = INTERNAL.EXAMPLE.COM
.child1.internal.example.com = CHILD1.INTERNAL.EXAMPLE.COM
child1.internal.example.com = CHILD1.INTERNAL.EXAMPLE.COM
[appdefaults]
Autologin = true
Forward = true
Forwardable = true
Encrypt = true
Here you can see how the child, or additional, domain should be specified. When users log in via the non-default domain they will need to include their full domain name when logging in, so:
user@CHILD1.INTERNAL.EXAMPLE.COM // Password
Thanks,
Matt
04-11-2011 03:40 PM
Hi Matt,
How are you? Hope all's well, and thanks for your response.
I have seen that info, and what I've gathered is that there are multiple "children" servers per domain. Correct me if I'm wrong, but although there's only one default domain, there can be many children (or logon servers) per domain. The question is: "Does each one of the CHILD domain servers need to be included in the krb5.ini file to ensure that all possible KES user logins are successful?" BTW, that is my assumption, and I was hoping there's a better method.
We have lots of domain servers, and it'd be a nightmare to manage them manually from a krb5.ini file.
04-19-2011 12:15 PM
Hey Bryan,
Well, the child portion is for child, or sub-, domains. So let's say your default realm is 'JNJ.com'. Next, the users are subdivided into child realms. So, for instance, you would be in NorthAmerica.JNJ.com. Let's say there is a user based in Africa; they would get placed in the child realm of Africa.JNJ.com.
You need to represent at least one Domain Controller for each of these sub-, or child, realms in the [realms] and [domain_realm] sections.
Regards,
Matt
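Added example (editor's note, not code from the original posts or from the KE product): a small parser for the krb5.ini layout used in this thread, plus the checks a practitioner would want before rolling the file out. It shows the three things the thread leaves implicit: an extra DC for an existing realm is added as another kdc = line inside the same realm stanza rather than as a second stanza for the same realm; with dns_lookup_kdc = true (already set in Matt's sample) libkrb5 also discovers KDCs from the _kerberos._tcp.REALM SRV records AD publishes, so not every DC has to be listed; and the enctype lists in the 2011 sample name single DES and RC4, which MIT krb5 has disabled by default since 1.8 (allow_weak_crypto) and deprecated in current releases, respectively. The krb5.ini text embedded below is constructed for the example and modelled on Matt's sample; the host names in it are placeholders.

```python
"""Parse an MIT-style krb5.ini and report KDCs, realm mapping and weak enctypes.

Added example; not from the original posts or the KE product. SAMPLE_KRB5_INI
is a constructed file modelled on the sample in the thread."""
import re

# Constructed sample: the INTERNAL realm lists two DCs by repeating 'kdc ='
# inside one stanza. Host names are placeholders.
SAMPLE_KRB5_INI = """
[libdefaults]
default_realm = INTERNAL.EXAMPLE.COM
permitted_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc des3-cbc-sha1
dns_lookup_kdc = true

[realms]
INTERNAL.EXAMPLE.COM = {
    kdc = AD01.INTERNAL.EXAMPLE.COM
    kdc = AD02.INTERNAL.EXAMPLE.COM
    admin_server = AD01.INTERNAL.EXAMPLE.COM
    default_domain = INTERNAL.EXAMPLE.COM
}
CHILD1.INTERNAL.EXAMPLE.COM = {
    kdc = PROLDAP01.CHILD1.INTERNAL.EXAMPLE.COM
    default_domain = CHILD1.INTERNAL.EXAMPLE.COM
}

[domain_realm]
.internal.example.com = INTERNAL.EXAMPLE.COM
internal.example.com = INTERNAL.EXAMPLE.COM
.child1.internal.example.com = CHILD1.INTERNAL.EXAMPLE.COM
child1.internal.example.com = CHILD1.INTERNAL.EXAMPLE.COM
"""

# Single DES is off by default in MIT krb5 since 1.8 (allow_weak_crypto);
# RC4 and 3DES are deprecated in current releases.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac-exp"}


def _add(d, key, value):
    """Store value under key; a repeated key (e.g. several kdc lines) becomes a list."""
    if key in d:
        if not isinstance(d[key], list):
            d[key] = [d[key]]
        d[key].append(value)
    else:
        d[key] = value


def parse_krb5_conf(text):
    """Return {section: {key: value | [values] | {subkey: ...}}}.

    Handles [section] headers, 'key = value' lines, one level of
    'KEY = { ... }' stanzas and '#'/';' comments, which is all this
    thread's krb5.ini uses."""
    conf = {}
    section = None
    stanza = None  # dict of the current 'KEY = { ... }' block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            stanza = None
            continue
        if section is None:
            raise ValueError("key outside any [section]: %r" % raw)
        if line == "}":
            stanza = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        target = stanza if stanza is not None else section
        if value == "{":
            stanza = target.setdefault(key, {})
            continue
        _add(target, key, value)
    return conf


def kdcs_for_realm(conf, realm):
    """KDC hosts explicitly listed for a realm (empty list if none)."""
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    return kdc if isinstance(kdc, list) else [kdc]


def uses_dns_srv(conf):
    """True if libkrb5 will also query _kerberos._tcp/_udp.<REALM> SRV records,
    so DCs missing from kdc= are still found. MIT's default is true."""
    value = conf.get("libdefaults", {}).get("dns_lookup_kdc", "true")
    return value.lower() in ("true", "yes", "1")


def realm_for_host(conf, hostname):
    """Map a host to a realm the way [domain_realm] is consulted: the exact
    host name first, then each parent domain with a leading dot."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def weak_enctypes(conf):
    """Weak or deprecated enctypes named in the [libdefaults] enctype lists."""
    lib = conf.get("libdefaults", {})
    found = set()
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for et in lib.get(key, "").split():
            if et.lower() in WEAK_ENCTYPES:
                found.add(et.lower())
    return sorted(found)


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_INI)
    for realm in conf["realms"]:
        print(realm, "->", kdcs_for_realm(conf, realm))
    print("SRV discovery:", uses_dns_srv(conf))
    print("ws01.child1.internal.example.com ->",
          realm_for_host(conf, "ws01.child1.internal.example.com"))
    print("weak enctypes:", weak_enctypes(conf))
```

Run against a real krb5.ini, an empty list from kdcs_for_realm() together with a false uses_dns_srv() is exactly the failure Bryan's user hit: the client has no way to reach a KDC for that realm. A non-empty weak_enctypes() result means the file should be reviewed with the current AD functional level in mind before it is copied to more workstations.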