
Additional Kerberos Information for Off-Site UNIX/Linux SysAdmins


3.0 - Updated on 2021-04-13 by Brittany Bossarte

2.0 - Updated on 2021-02-24 by Carlos Salazar (Inactive)

1.0 - Authored on 2014-05-08 by Fang Wang


Intended for:

Offsite UNIX/Linux system administrators who need to configure Kerberos on an offsite UNIX/Linux machine.

Scenario/Use case:

In this article, we discuss some miscellaneous issues that system administrators of offsite Kerberos installations should be aware of. Also, see Accessing Fermilab strengthened realm from offsite for more information.

Instructions:

Obtaining the krb5.conf File

We recommend that you use the most recent krb5.conf from the template web pages found at http://authentication.fnal.gov/krb5conf/. The krb5.conf template is updated from time to time. These updates are announced on the linux-users@fnal.gov mailing list.

When your Node is in a Different Domain

If your machine is in a domain other than fnal.gov, you need to inform applications (e.g., ssh, FTP) that it is part of the FNAL.GOV strengthened realm. To do this:

In the [domain_realm] section of the /etc/krb5.conf file on the systems from which you'll be logging on, add lines of the form:

<domain> = FNAL.GOV

with the leading dot, e.g.,

.myuniv.edu = FNAL.GOV

In CentOS 8, this information can be added to the file /etc/krb5.conf.d/24-fermilab-domain_realm_defaults.conf instead of /etc/krb5.conf.

You only need to add a second line with the domain without the leading dot if the un-dotted form is itself the name of some host, which is sometimes the case. The dotted line tells applications that any node in this domain should be assumed to be in the FNAL.GOV realm. Otherwise the host's realm is taken to be the hostname's domain portion converted to upper case.

Since krb5.conf can be updated periodically, you can request that your domain be added to the template permanently by making a General Request using ServiceNow. Make sure you list the domains you want to be added to the [domain_realm] section of krb5.conf in your request.

Connecting from One Off-Site Domain to Another

This concerns connections between two Kerberized machines in the FNAL.GOV strengthened realm where neither is in the fnal.gov domain and they are in different domains from each other, e.g., mynode.myuniv.edu and yournode.youruniv.edu. In order for one of these Kerberized machines to connect directly to the other via telnet or FTP, the /etc/krb5.conf file on each must contain the [domain_realm] mapping for both off-site domains. This does not concern portal mode where the client machine is unstrengthened.
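As an added illustration (not a Fermilab script or template), the following Python applies the [domain_realm] lookup order described above to a constructed krb5.conf excerpt for mynode.myuniv.edu: an un-dotted tag matches that exact host only, a dotted tag matches the domain and its parent domains, and an unmapped host falls back to its domain portion in upper case. The host names and the excerpt are assumptions; with only .myuniv.edu mapped, yournode.youruniv.edu is taken to be in YOURUNIV.EDU rather than FNAL.GOV, which is exactly why both off-site domains must appear in each machine's file.

```python
"""Resolve the Kerberos realm of a host from a krb5.conf [domain_realm] section."""
import re

# Constructed krb5.conf excerpt for mynode.myuniv.edu (assumption, not a Fermilab
# template): its own domain is mapped, but the other off-site domain youruniv.edu is not.
MY_CONF = """
[libdefaults]
    default_realm = FNAL.GOV

[domain_realm]
    .fnal.gov = FNAL.GOV
    fnal.gov = FNAL.GOV
    .myuniv.edu = FNAL.GOV
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] tags of a krb5.conf as a dict (tags lower-cased)."""
    mapping = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "domain_realm" and "=" in line:
            tag, _, realm = line.partition("=")
            mapping[tag.strip().lower()] = realm.strip()
    return mapping


def host_realm(hostname, mapping):
    """Map a host name to a realm in the order the article describes."""
    host = hostname.lower().rstrip(".")
    if host in mapping:                           # 1. un-dotted tag: exact host name only
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):               # 2. dotted tag: domain, then parent domains
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return ".".join(labels[1:]).upper()           # 3. no mapping: upper-cased domain portion


def resolve(conf_text, hostname):
    """Realm that a client using conf_text would assume for hostname."""
    return host_realm(hostname, parse_domain_realm(conf_text))


if __name__ == "__main__":
    for h in ("mynode.myuniv.edu", "myuniv.edu", "yournode.youruniv.edu"):
        print(f"{h:24} -> {resolve(MY_CONF, h)}")
```

Adding `.youruniv.edu = FNAL.GOV` to the excerpt (and the matching `.myuniv.edu` line on yournode's side) makes both hosts resolve to FNAL.GOV.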

See Also: