Additional Kerberos Information for Off-Site UNIX/Linux SysAdmins
Intended for:
Offsite UNIX/Linux system administrators who need to configure Kerberos on an offsite UNIX/Linux machine.
Scenario/Use case:
In this article, we discuss some miscellaneous issues that system administrators of offsite Kerberos installations should be aware of. Also, see Accessing Fermilab strengthened realm from offsite for more information.
Instructions:
Obtaining the krb5.conf File
We recommend that you use the most recent krb5.conf from the template web pages found at http://authentication.fnal.gov/krb5conf/. The krb5.conf template is updated from time to time. These updates are announced on the linux-users@fnal.gov mailing list.
When your Node is in a Different Domain
If your machine is in a domain other than fnal.gov, you need to tell Kerberized applications (e.g., ssh, FTP) that it belongs to the FNAL.GOV strengthened realm; otherwise they will guess a realm from the hostname. To do this:
In the [domain_realm] section of the /etc/krb5.conf file on the systems from which you'll be logging on, add lines of the form:
<domain> = FNAL.GOV
with the leading dot, e.g.,
.myuniv.edu = FNAL.GOV
In CentOS 8, whose stock /etc/krb5.conf includes the /etc/krb5.conf.d/ directory, this information can be added to the file /etc/krb5.conf.d/24-fermilab-domain_realm_defaults.conf instead.
The dotted form tells applications that every host in that domain is in the FNAL.GOV realm. It does not cover a host whose name is the bare domain (e.g., a host actually named myuniv.edu), so add the un-dotted form as well only if such a host exists, which is sometimes the case. A host with no matching [domain_realm] entry is assumed to be in the realm whose name is the domain portion of its hostname converted to upper case (MYUNIV.EDU for mynode.myuniv.edu), so authentication to it is attempted in the wrong realm and fails.
Because the template krb5.conf is updated periodically, and installing a new copy would drop local edits, you can request that your domain be added to the template permanently by making a General Request using ServiceNow. Make sure you list the domains you want added to the [domain_realm] section of krb5.conf in your request.
Connecting from One Off-Site Domain to Another
This concerns connections between two Kerberized machines in the FNAL.GOV strengthened realm where neither is in the fnal.gov domain and they are in different domains from each other, e.g., mynode.myuniv.edu and yournode.youruniv.edu. In order for one of these Kerberized machines to connect directly to the other via telnet or FTP, the /etc/krb5.conf file on each must contain the [domain_realm] mapping for both off-site domains; a machine that maps only its own domain will treat the other one as belonging to the YOURUNIV.EDU (or MYUNIV.EDU) realm rather than FNAL.GOV. This does not apply to portal mode, where the client machine is unstrengthened.
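To make the [domain_realm] lookup rules above concrete, and to show why a direct connection between two off-site machines needs both domains mapped, here is an added example written for this page. It is not code from Fermilab or from MIT krb5: it re-implements only the lookup order described above (exact host entry, then the nearest dotted parent-domain entry, then the upper-cased domain portion) over a parsed [domain_realm] section. The real libkrb5 resolver can also consult DNS (dns_lookup_realm), which is not modelled. The krb5.conf fragments and the off-site domains myuniv.edu and youruniv.edu are constructed for the example, and the function names are the example's own.

```python
"""Map a host name to its Kerberos realm using the [domain_realm] rules this
page describes.  Added example, not Fermilab or MIT krb5 code.
"""
import re
from typing import Dict

_SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_domain_realm(conf_text: str) -> Dict[str, str]:
    """Return the tag -> realm relations of the [domain_realm] section.

    Handles the flat `tag = REALM` lines this page asks you to add; comment
    lines (# or ;) and other sections are skipped, and tags are lower-cased
    as MIT recommends for host and domain names.  includedir directives are
    not followed, so merge krb5.conf.d fragments into the text yourself.
    """
    mapping: Dict[str, str] = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mapping[tag.lower()] = realm
    return mapping


def host_realm(hostname: str, mapping: Dict[str, str]) -> str:
    """Realm a Kerberized client will assume for `hostname`.

    Lookup order, as the page describes it:
      1. an un-dotted entry naming this exact host (e.g. "myuniv.edu");
      2. a dotted entry for a parent domain (e.g. ".myuniv.edu"), most
         specific suffix first, so ".lab.myuniv.edu" beats ".myuniv.edu";
      3. otherwise the domain portion of the name, upper-cased.
    """
    host = hostname.lower().rstrip(".")   # normalise: lower-case, no trailing dot
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError(f"{hostname!r} has no domain portion to map")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return ".".join(labels[1:]).upper()


def service_principal(service: str, hostname: str, mapping: Dict[str, str]) -> str:
    """Service principal a client would request a ticket for, e.g. host/x@REALM."""
    host = hostname.lower().rstrip(".")
    return f"{service}/{host}@{host_realm(host, mapping)}"


# Constructed krb5.conf fragment for mynode.myuniv.edu with only its own
# off-site domain mapped: enough to log in to Fermilab, not to yournode.
ONLY_MY_DOMAIN = """
[libdefaults]
    default_realm = FNAL.GOV

[domain_realm]
    .fnal.gov = FNAL.GOV
    fnal.gov = FNAL.GOV
    .myuniv.edu = FNAL.GOV
"""

# Constructed fragment with both off-site domains mapped, which is what the
# page requires on each machine for a direct mynode <-> yournode connection.
BOTH_DOMAINS = ONLY_MY_DOMAIN + "    .youruniv.edu = FNAL.GOV\n"


if __name__ == "__main__":
    for label, conf in (("only .myuniv.edu mapped", ONLY_MY_DOMAIN),
                        ("both domains mapped", BOTH_DOMAINS)):
        m = parse_domain_realm(conf)
        print(f"{label}:")
        for h in ("mynode.myuniv.edu", "yournode.youruniv.edu", "myuniv.edu"):
            print(f"  {h:24s} -> {service_principal('host', h, m)}")
```

Running it shows the failure mode from the text directly: with only .myuniv.edu mapped, a client on mynode resolves yournode.youruniv.edu to host/yournode.youruniv.edu@YOURUNIV.EDU, a principal the FNAL.GOV KDC does not serve, and the bare host myuniv.edu falls through to the EDU realm because the dotted entry does not cover it. Adding the .youruniv.edu line (and, where such a host exists, the un-dotted myuniv.edu line) makes both resolve to FNAL.GOV.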
See Also: