|
Packit |
fd8b60 |
Realm configuration decisions
|
|
Packit |
fd8b60 |
=============================
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Before installing Kerberos V5, it is necessary to consider the
|
|
Packit |
fd8b60 |
following issues:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* The name of your Kerberos realm (or the name of each realm, if you
|
|
Packit |
fd8b60 |
need more than one).
|
|
Packit |
fd8b60 |
* How you will assign your hostnames to Kerberos realms.
|
|
Packit |
fd8b60 |
* Which ports your KDC and and kadmind services will use, if they will
|
|
Packit |
fd8b60 |
not be using the default ports.
|
|
Packit |
fd8b60 |
* How many replica KDCs you need and where they should be located.
|
|
Packit |
fd8b60 |
* The hostnames of your master and replica KDCs.
|
|
Packit |
fd8b60 |
* How frequently you will propagate the database from the master KDC
|
|
Packit |
fd8b60 |
to the replica KDCs.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Realm name
|
|
Packit |
fd8b60 |
----------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Although your Kerberos realm can be any ASCII string, convention is to
|
|
Packit |
fd8b60 |
make it the same as your domain name, in upper-case letters.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
For example, hosts in the domain ``example.com`` would be in the
|
|
Packit |
fd8b60 |
Kerberos realm::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
EXAMPLE.COM
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
If you need multiple Kerberos realms, MIT recommends that you use
|
|
Packit |
fd8b60 |
descriptive names which end with your domain name, such as::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
BOSTON.EXAMPLE.COM
|
|
Packit |
fd8b60 |
HOUSTON.EXAMPLE.COM
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _mapping_hostnames:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Mapping hostnames onto Kerberos realms
|
|
Packit |
fd8b60 |
--------------------------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Mapping hostnames onto Kerberos realms is done in one of three ways.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The first mechanism works through a set of rules in the
|
|
Packit |
fd8b60 |
:ref:`domain_realm` section of :ref:`krb5.conf(5)`. You can specify
|
|
Packit |
fd8b60 |
mappings for an entire domain or on a per-hostname basis. Typically
|
|
Packit |
fd8b60 |
you would do this by specifying the mappings for a given domain or
|
|
Packit |
fd8b60 |
subdomain and listing the exceptions.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The second mechanism is to use KDC host-based service referrals. With
|
|
Packit |
fd8b60 |
this method, the KDC's krb5.conf has a full [domain_realm] mapping for
|
|
Packit |
fd8b60 |
hosts, but the clients do not, or have mappings for only a subset of
|
|
Packit |
fd8b60 |
the hosts they might contact. When a client needs to contact a server
|
|
Packit |
fd8b60 |
host for which it has no mapping, it will ask the client realm's KDC
|
|
Packit |
fd8b60 |
for the service ticket, and will receive a referral to the appropriate
|
|
Packit |
fd8b60 |
service realm.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
To use referrals, clients must be running MIT krb5 1.6 or later, and
|
|
Packit |
fd8b60 |
the KDC must be running MIT krb5 1.7 or later. The
|
|
Packit |
fd8b60 |
**host_based_services** and **no_host_referral** variables in the
|
|
Packit |
fd8b60 |
:ref:`kdc_realms` section of :ref:`kdc.conf(5)` can be used to
|
|
Packit |
fd8b60 |
fine-tune referral behavior on the KDC.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
It is also possible for clients to use DNS TXT records, if
|
|
Packit |
fd8b60 |
**dns_lookup_realm** is enabled in :ref:`krb5.conf(5)`. Such lookups
|
|
Packit |
fd8b60 |
are disabled by default because DNS is an insecure protocol and security
|
|
Packit |
fd8b60 |
holes could result if DNS records are spoofed. If enabled, the client
|
|
Packit |
fd8b60 |
will try to look up a TXT record formed by prepending the prefix
|
|
Packit |
fd8b60 |
``_kerberos`` to the hostname in question. If that record is not
|
|
Packit |
fd8b60 |
found, the client will attempt a lookup by prepending ``_kerberos`` to the
|
|
Packit |
fd8b60 |
host's domain name, then its parent domain, up to the top-level domain.
|
|
Packit |
fd8b60 |
For the hostname ``boston.engineering.example.com``, the names looked up
|
|
Packit |
fd8b60 |
would be::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
_kerberos.boston.engineering.example.com
|
|
Packit |
fd8b60 |
_kerberos.engineering.example.com
|
|
Packit |
fd8b60 |
_kerberos.example.com
|
|
Packit |
fd8b60 |
_kerberos.com
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The value of the first TXT record found is taken as the realm name.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Even if you do not choose to use this mechanism within your site,
|
|
Packit |
fd8b60 |
you may wish to set it up anyway, for use when interacting with other sites.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Ports for the KDC and admin services
|
|
Packit |
fd8b60 |
------------------------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The default ports used by Kerberos are port 88 for the KDC and port
|
|
Packit |
fd8b60 |
749 for the admin server. You can, however, choose to run on other
|
|
Packit |
fd8b60 |
ports, as long as they are specified in each host's
|
|
Packit |
fd8b60 |
:ref:`krb5.conf(5)` files or in DNS SRV records, and the
|
|
Packit |
fd8b60 |
:ref:`kdc.conf(5)` file on each KDC. For a more thorough treatment of
|
|
Packit |
fd8b60 |
port numbers used by the Kerberos V5 programs, refer to the
|
|
Packit |
fd8b60 |
:ref:`conf_firewall`.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Replica KDCs
|
|
Packit |
fd8b60 |
------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Replica KDCs provide an additional source of Kerberos ticket-granting
|
|
Packit |
fd8b60 |
services in the event of inaccessibility of the master KDC. The
|
|
Packit |
fd8b60 |
number of replica KDCs you need and the decision of where to place them,
|
|
Packit |
fd8b60 |
both physically and logically, depends on the specifics of your
|
|
Packit |
fd8b60 |
network.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Kerberos authentication requires that each client be able to contact a
|
|
Packit |
fd8b60 |
KDC. Therefore, you need to anticipate any likely reason a KDC might
|
|
Packit |
fd8b60 |
be unavailable and have a replica KDC to take up the slack.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Some considerations include:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Have at least one replica KDC as a backup, for when the master KDC
|
|
Packit |
fd8b60 |
is down, is being upgraded, or is otherwise unavailable.
|
|
Packit |
fd8b60 |
* If your network is split such that a network outage is likely to
|
|
Packit |
fd8b60 |
cause a network partition (some segment or segments of the network
|
|
Packit |
fd8b60 |
to become cut off or isolated from other segments), have a replica
|
|
Packit |
fd8b60 |
KDC accessible to each segment.
|
|
Packit |
fd8b60 |
* If possible, have at least one replica KDC in a different building
|
|
Packit |
fd8b60 |
from the master, in case of power outages, fires, or other localized
|
|
Packit |
fd8b60 |
disasters.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _kdc_hostnames:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Hostnames for KDCs
|
|
Packit |
fd8b60 |
------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
MIT recommends that your KDCs have a predefined set of CNAME records
|
|
Packit |
fd8b60 |
(DNS hostname aliases), such as ``kerberos`` for the master KDC and
|
|
Packit |
fd8b60 |
``kerberos-1``, ``kerberos-2``, ... for the replica KDCs. This way,
|
|
Packit |
fd8b60 |
if you need to swap a machine, you only need to change a DNS entry,
|
|
Packit |
fd8b60 |
rather than having to change hostnames.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS
|
|
Packit |
fd8b60 |
using SRV records (:rfc:`2782`), assuming the Kerberos realm name is
|
|
Packit |
fd8b60 |
also a DNS domain name. These records indicate the hostname and port
|
|
Packit |
fd8b60 |
number to contact for that service, optionally with weighting and
|
|
Packit |
fd8b60 |
prioritization. The domain name used in the SRV record name is the
|
|
Packit |
fd8b60 |
realm name. Several different Kerberos-related service names are
|
|
Packit |
fd8b60 |
used:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
_kerberos._udp
|
|
Packit |
fd8b60 |
This is for contacting any KDC by UDP. This entry will be used
|
|
Packit |
fd8b60 |
the most often. Normally you should list port 88 on each of your
|
|
Packit |
fd8b60 |
KDCs.
|
|
Packit |
fd8b60 |
_kerberos._tcp
|
|
Packit |
fd8b60 |
This is for contacting any KDC by TCP. The MIT KDC by default
|
|
Packit |
fd8b60 |
will not listen on any TCP ports, so unless you've changed the
|
|
Packit |
fd8b60 |
configuration or you're running another KDC implementation, you
|
|
Packit |
fd8b60 |
should leave this unspecified. If you do enable TCP support,
|
|
Packit |
fd8b60 |
normally you should use port 88.
|
|
Packit |
fd8b60 |
_kerberos-master._udp
|
|
Packit |
fd8b60 |
This entry should refer to those KDCs, if any, that will
|
|
Packit |
fd8b60 |
immediately see password changes to the Kerberos database. If a
|
|
Packit |
fd8b60 |
user is logging in and the password appears to be incorrect, the
|
|
Packit |
fd8b60 |
client will retry with the master KDC before failing with an
|
|
Packit |
fd8b60 |
"incorrect password" error given.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
If you have only one KDC, or for whatever reason there is no
|
|
Packit |
fd8b60 |
accessible KDC that would get database changes faster than the
|
|
Packit |
fd8b60 |
others, you do not need to define this entry.
|
|
Packit |
fd8b60 |
_kerberos-adm._tcp
|
|
Packit |
fd8b60 |
This should list port 749 on your master KDC. Support for it is
|
|
Packit |
fd8b60 |
not complete at this time, but it will eventually be used by the
|
|
Packit |
fd8b60 |
:ref:`kadmin(1)` program and related utilities. For now, you will
|
|
Packit |
fd8b60 |
also need the **admin_server** variable in :ref:`krb5.conf(5)`.
|
|
Packit |
fd8b60 |
_kpasswd._udp
|
|
Packit |
fd8b60 |
This should list port 464 on your master KDC. It is used when a
|
|
Packit |
fd8b60 |
user changes her password. If this entry is not defined but a
|
|
Packit |
fd8b60 |
_kerberos-adm._tcp entry is defined, the client will use the
|
|
Packit |
fd8b60 |
_kerberos-adm._tcp entry with the port number changed to 749.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The DNS SRV specification requires that the hostnames listed be the
|
|
Packit |
fd8b60 |
canonical names, not aliases. So, for example, you might include the
|
|
Packit |
fd8b60 |
following records in your (BIND-style) zone file::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
$ORIGIN foobar.com.
|
|
Packit |
fd8b60 |
_kerberos TXT "FOOBAR.COM"
|
|
Packit |
fd8b60 |
kerberos CNAME daisy
|
|
Packit |
fd8b60 |
kerberos-1 CNAME use-the-force-luke
|
|
Packit |
fd8b60 |
kerberos-2 CNAME bunny-rabbit
|
|
Packit |
fd8b60 |
_kerberos._udp SRV 0 0 88 daisy
|
|
Packit |
fd8b60 |
SRV 0 0 88 use-the-force-luke
|
|
Packit |
fd8b60 |
SRV 0 0 88 bunny-rabbit
|
|
Packit |
fd8b60 |
_kerberos-master._udp SRV 0 0 88 daisy
|
|
Packit |
fd8b60 |
_kerberos-adm._tcp SRV 0 0 749 daisy
|
|
Packit |
fd8b60 |
_kpasswd._udp SRV 0 0 464 daisy
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Clients can also be configured with the explicit location of services
|
|
Packit |
fd8b60 |
using the **kdc**, **master_kdc**, **admin_server**, and
|
|
Packit |
fd8b60 |
**kpasswd_server** variables in the :ref:`realms` section of
|
|
Packit |
fd8b60 |
:ref:`krb5.conf(5)`. Even if some clients will be configured with
|
|
Packit |
fd8b60 |
explicit server locations, providing SRV records will still benefit
|
|
Packit |
fd8b60 |
unconfigured clients, and be useful for other sites.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _kdc_discovery:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
KDC Discovery
|
|
Packit |
fd8b60 |
-------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI
|
|
Packit |
fd8b60 |
records (:rfc:`7553`). Limitations with the SRV record format may
|
|
Packit |
fd8b60 |
result in extra DNS queries in situations where a client must failover
|
|
Packit |
fd8b60 |
to other transport types, or find a master server. The URI record can
|
|
Packit |
fd8b60 |
convey more information about a realm's KDCs with a single query.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The client performs a query for the following URI records:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* ``_kerberos.REALM`` for finding KDCs.
|
|
Packit |
fd8b60 |
* ``_kerberos-adm.REALM`` for finding kadmin services.
|
|
Packit |
fd8b60 |
* ``_kpasswd.REALM`` for finding password services.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The URI record includes a priority, weight, and a URI string that
|
|
Packit |
fd8b60 |
consists of case-insensitive colon separated fields, in the form
|
|
Packit |
fd8b60 |
``scheme:[flags]:transport:residual``.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* *scheme* defines the registered URI type. It should always be
|
|
Packit |
fd8b60 |
``krb5srv``.
|
|
Packit |
fd8b60 |
* *flags* contains zero or more flag characters. Currently the only
|
|
Packit |
fd8b60 |
valid flag is ``m``, which indicates that the record is for a master
|
|
Packit |
fd8b60 |
server.
|
|
Packit |
fd8b60 |
* *transport* defines the transport type of the residual URL or
|
|
Packit |
fd8b60 |
address. Accepted values are ``tcp``, ``udp``, or ``kkdcp`` for the
|
|
Packit |
fd8b60 |
MS-KKDCP type.
|
|
Packit |
fd8b60 |
* *residual* contains the hostname, IP address, or URL to be
|
|
Packit |
fd8b60 |
contacted using the specified transport, with an optional port
|
|
Packit |
fd8b60 |
extension. The MS-KKDCP transport type uses a HTTPS URL, and can
|
|
Packit |
fd8b60 |
include a port and/or path extension.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
An example of URI records in a zone file::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
_kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com
|
|
Packit |
fd8b60 |
URI 20 1 krb5srv:m:udp:kdc2.example.com:89
|
|
Packit |
fd8b60 |
URI 40 1 krb5srv::udp:10.10.0.23
|
|
Packit |
fd8b60 |
URI 30 1 krb5srv::kkdcp:https://proxy:89/auth
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
URI lookups are enabled by default, and can be disabled by setting
|
|
Packit |
fd8b60 |
**dns_uri_lookup** in the :ref:`libdefaults` section of
|
|
Packit |
fd8b60 |
:ref:`krb5.conf(5)` to False. When enabled, URI lookups take
|
|
Packit |
fd8b60 |
precedence over SRV lookups, falling back to SRV lookups if no URI
|
|
Packit |
fd8b60 |
records are found.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _db_prop:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Database propagation
|
|
Packit |
fd8b60 |
--------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The Kerberos database resides on the master KDC, and must be
|
|
Packit |
fd8b60 |
propagated regularly (usually by a cron job) to the replica KDCs. In
|
|
Packit |
fd8b60 |
deciding how frequently the propagation should happen, you will need
|
|
Packit |
fd8b60 |
to balance the amount of time the propagation takes against the
|
|
Packit |
fd8b60 |
maximum reasonable amount of time a user should have to wait for a
|
|
Packit |
fd8b60 |
password change to take effect.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
If the propagation time is longer than this maximum reasonable time
|
|
Packit |
fd8b60 |
(e.g., you have a particularly large database, you have a lot of
|
|
Packit |
fd8b60 |
replicas, or you experience frequent network delays), you may wish to
|
|
Packit |
fd8b60 |
cut down on your propagation delay by performing the propagation in
|
|
Packit |
fd8b60 |
parallel. To do this, have the master KDC propagate the database to
|
|
Packit |
fd8b60 |
one set of replicas, and then have each of these replicas propagate
|
|
Packit |
fd8b60 |
the database to additional replicas.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
See also :ref:`incr_db_prop`
|