Created 07-07-2016 10:20 PM
We have one Active Directory KDC named AD.COM, which is shared by all environments (Active Directory users obtain tickets from AD.COM). Then we have separate CORP.COM Kerberos KDCs (same realm name) in each layer: Dev, TST, AT, PROD.
The existing krb5.conf config (part of it) in all environments is:
    AD.COM = {
        kdc = ad-kdc.com
        admin_server = ad-kdc.com
    }

    [domain_realm]
    .company.com = CORP.COM
    company.com = CORP.COM
    .ad.com = AD.COM
    ad.com = AD.COM

    [capaths]
    AD.COM = {
        CORP.COM = .
    }
Now we want to:
1) add a DR.CORP.COM Kerberos KDC for the DR cluster, and
2) also set up a cross-realm trust with the PROD cluster to be able to use distcp.
What should the krb5.conf file look like to set up the cross-realm trust for the DR cluster? Nodes in both the DR and PROD clusters have the same '.company.com' domain, so we are not sure how to set up krb5.conf for the cross-realm trust.
We wanted to try the config below, but we are not sure whether clients in the DR cluster can access the PROD name node, as the domain name is the same for all nodes in all clusters.
---- FOR DR CLUSTER

    [domain_realm]
    .company.com = DR.CORP.COM
    company.com = DR.CORP.COM
    .ad.com = AD.COM
    ad.com = AD.COM

    [capaths]
    AD.COM = {
        DR.CORP.COM = .
        CORP.COM = DR.CORP.COM
    }

---- FOR PROD CLUSTER

    [domain_realm]
    .company.com = CORP.COM
    company.com = CORP.COM
    .ad.com = AD.COM
    ad.com = AD.COM

    # realm names carry no leading dot; only domain_realm domain keys do
    [capaths]
    AD.COM = {
        CORP.COM = .
        DR.CORP.COM = CORP.COM
    }
Looking for some best practices or help with config above.
Created 07-18-2016 03:15 PM
We explicitly listed the FQDNs of all hosts in both clusters under the [domain_realm] section of the krb5.conf file. We have to update this file every time we add a node to our clusters. Our clusters are currently fewer than 100 nodes, so this solution is manageable, but for large clusters this may be a challenge.
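To see why the per-host listing is needed when both clusters share '.company.com', the following added example (not from this thread or any poster) parses a constructed [domain_realm] fragment and resolves hostnames the way MIT krb5 does: exact hostname first, then each parent domain with a leading dot. Hostnames such as dr-nn01.company.com are placeholders.

```python
# Constructed krb5.conf fragment (hostnames are placeholders): the shared
# suffix maps to the PROD realm, and DR hosts are listed by FQDN so they
# win over the suffix rule.
KRB5_CONF = """
[domain_realm]
    .company.com = CORP.COM
    company.com = CORP.COM
    dr-nn01.company.com = DR.CORP.COM
    dr-dn01.company.com = DR.CORP.COM
    .ad.com = AD.COM
    ad.com = AD.COM
"""


def parse_domain_realm(text):
    """Return the [domain_realm] key/value pairs as a dict with lower-cased keys."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.startswith('['):
            in_section = (line == '[domain_realm]')
            continue
        if in_section and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            mapping[key.lower()] = value
    return mapping


def realm_for_host(hostname, mapping):
    """Mimic the MIT krb5 lookup order: exact host, then parent domains with a dot."""
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        candidate = '.' + '.'.join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None  # no rule matched; krb5 would fall back to default_realm


DOMAIN_REALM = parse_domain_realm(KRB5_CONF)
```

Without the two explicit FQDN lines, every '.company.com' host, DR or PROD, would resolve to CORP.COM, which is the ambiguity the thread describes.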