Discussion:
specifying an alternate realm/krb5.conf configuration for kdc5.conf
Ben H
2015-04-24 19:44:12 UTC
I have a client configured in a realm but for some testing purposes I
wanted to install a local KDC.

The problem is that when krb5kdc starts it appears it wants to pull some
information from the krb5.conf file.
At the very least, it is trying to find the default realm there, as it
gives an error on starting using whatever realm name is listed in krb5.conf.
From a client perspective, if I want to switch to using a different
krb5.conf file, I just use:

export KRB5_CONFIG=/etc/alternate-krb5.conf

But the server will always try to use /etc/krb5.conf

I found one way around this on my centos system by editing
the /etc/sysconfig/krb5kdc with:
KRB5REALM=REALM.I.WANT.KDC.TO.USE

Some searching I did indicated the possible existence of a "profile"
directive in kdc5.conf to point to a different krb5.conf, but that didn't
seem to work.

Is what I did enough, or is there other info in the krb5.conf file that the
kdc needs to run?
Is there a way to point it to an alternate config?

thanks
________________________________________________
Kerberos mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Brandon Allbery
2015-04-24 19:55:38 UTC
Post by Ben H
Some searching I did indicated the possible existence of a "profile"
directive in kdc5.conf to point to a different krb5.conf, but that didn't
seem to work.
It's just kdc.conf (not kdc5.conf) and it's usually kept in the KDC
private directory (/var/krb5kdc is common).
--
brandon s allbery kf8nh sine nomine associates
***@gmail.com ***@sinenomine.net
unix openafs kerberos infrastructure xmonad http://sinenomine.net

Ben H
2015-04-24 20:59:25 UTC
Sorry, I did mean kdc.conf - and on my implementation it is
in /var/kerberos/krb5kdc.

I do understand:
kdc.conf = server config
krb5.conf = client config

But apparently when krb5kdc starts it also queries some data from
/etc/krb5.conf (the default realm at least).

I want it to look to a location other than /etc/krb5.conf for realm
information (or anything else it might need from that file).

thanks!
Todd Grayson
2015-04-24 21:07:28 UTC
Are you trying to run multiple realms (and db's) on the same KDC?
--
Todd Grayson
Customer Operations Engineering
Ben H
2015-04-24 22:13:00 UTC
Not exactly, though the answer to that use case might be the same.

My use case is that my system was (is) a client of REALMA.COM.
Now, I want to run a KDC on this same system to serve out REALMB.COM

So, I can't change my /etc/krb5.conf file or else I would lose access to
REALMA.COM

I configure my kdc.conf file for REALMB, but when I start up krb5kdc I get:

Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm REALMA.COM - see
log file for details

I can get it working by doing two things:
1) modify my krb5.conf file for REALMB instead - if I do this, then my
client functionality to REALMA breaks
2) Set KRB5REALM=REALMB in /etc/sysconfig/krb5kdc

#2 is working for me, and is maybe the correct answer to this question.
I was just surprised that the krb5kdc service would look to read data from
krb5.conf instead of kdc.conf and, if it needs to do so, I would expect
there is a better way to tell it to use an alternate file.

I realize this isn't a common use scenario.
Post by Todd Grayson
Are you trying to run multiple realms (and db's) on the same KDC?
Todd Grayson
2015-04-24 22:33:59 UTC
Interesting, yeah, I think you self-resolved with what you did with
KRB5REALM.
Tim Mooney
2015-04-24 22:27:31 UTC
Post by Ben H
2) Set KRB5REALM=REALMB in /etc/sysconfig/krb5kdc
#2 is working for me, and is maybe the correct answer to this question.
For RHEL-derived systems, that is the appropriate way to do what you're
trying to do.

Setting KRB5REALM=REALMB in /etc/sysconfig/krb5kdc causes the krb5kdc
init script to be passed the following additional arg on startup:

-r REALMB

If you look at the man page for krb5kdc, you'll see:

The -r realm option specifies the realm for which the server should
provide service; by default the realm returned by
krb5_default_local_realm(3) is used.

It's krb5_default_local_realm() that's reading krb5.conf.

Tim
--
Tim Mooney ***@ndsu.edu
Enterprise Computing & Infrastructure 701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
Greg Hudson
2015-04-24 22:45:30 UTC
Post by Ben H
From a client perspective, if I want to switch to using a different
export KRB5_CONFIG=/etc/alternate-krb5.conf
But the server will always try to use /etc/krb5.conf
The expected behavior is:

* Every process uses $KRB5_CONFIG, defaulting to /etc/krb5.conf.

* KDC-ish processes (krb5kdc, kadmind, kdb5_util, etc.) also use
$KRB5_KDC_PROFILE, defaulting to something like /var/krb5kdc/kdc.conf.
If both files exist, the contents are merged, with the values from
krb5.conf usually taking precedence (but we're not 100% consistent about
that).

krb5kdc accepts a -r flag telling it what realm(s) to serve, so you may
not need to point it at a config file giving a different default_realm
value.
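The lookup order Greg describes (KRB5_CONFIG, then KRB5_KDC_PROFILE, krb5.conf winning on conflict) and Tim's point that the init script turns KRB5REALM into `-r`, shown together in one added shell example. This is not MIT krb5 code: the krb5.conf and kdc.conf contents are constructed, and `profile_get`, `effective_value` and `kdc_realm` are hypothetical helpers that mimic the described behaviour, not the library's own profile merge.

```shell
#!/bin/sh
# Added example, not MIT krb5 code: simulates the config lookup order the
# thread describes. The two profile files below are constructed.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = REALMA.COM
EOF
cat > "$work/kdc.conf" <<'EOF'
[kdcdefaults]
    kdc_ports = 88
[libdefaults]
    default_realm = REALMB.COM
EOF

# profile_get FILE SECTION KEY: value of KEY in [SECTION], empty if absent.
# Simplification: nested "{ }" realm blocks are not parsed.
profile_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Files a KDC-ish process reads, in order: $KRB5_CONFIG, then
# $KRB5_KDC_PROFILE, with the defaults named in the thread.
config_files() {
    echo "${KRB5_CONFIG:-/etc/krb5.conf} ${KRB5_KDC_PROFILE:-/var/krb5kdc/kdc.conf}"
}

# effective_value SECTION KEY: merged lookup, krb5.conf winning on conflict.
effective_value() {
    for f in $(config_files); do
        [ -r "$f" ] || continue
        v=$(profile_get "$f" "$1" "$2")
        if [ -n "$v" ]; then echo "$v"; return 0; fi
    done
    echo ""
}

# kdc_realm [-r REALM]: realm krb5kdc serves. An explicit -r (what the RHEL
# init script passes from KRB5REALM) beats default_realm from the merge.
kdc_realm() {
    if [ "${1:-}" = "-r" ]; then echo "$2"; return 0; fi
    effective_value libdefaults default_realm
}

KRB5_CONFIG=$work/krb5.conf KRB5_KDC_PROFILE=$work/kdc.conf
export KRB5_CONFIG KRB5_KDC_PROFILE
```

With both constructed files in place, `kdc_realm` returns REALMA.COM (the client file's default_realm wins, which is the error Ben saw), while `kdc_realm -r REALMB.COM` returns REALMB.COM.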
Ben H
2015-04-24 23:16:21 UTC
So it sounds like you're still saying that the contents of my krb5.conf
file will be read by krb5kdc and there is a good chance that something
specified in my krb5.conf (for my client implementation) may override or
merge with my server config and *possibly* disrupt my KDC?

This is probably unlikely though, since the settings normally set in the two
files (apart from default realm) tend to be either a client or server
setting, no?

I'm testing everything on one box right now, and when I want to use my
local KDC I do:

export KRB5_CONFIG=/etc/localmit_krb5.conf

and things seem to work. To switch back to using my external KDC (AD), I
simply unset the variable.

Realizing this is an edge case, does this sound the best way, or would
there be a more supported way?
Todd Grayson
2015-04-24 23:30:18 UTC
I'm trying to follow the client need for default_realm vs having additional
kerberos REALM entries present in your [realms] section of your krb5.conf.
If there was no default_realm defined, what does the client do?
(See default_realm at
web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html.)

Are the clients keying off of default_realm because they are Java based? Or
is there some form of forced short principal name configuration that is
causing this? If Java, provide the krb5.conf you want Java clients to use
in the [JAVA_HOME]/jre/lib/security path. The JGSS checks there first.