Support Questions
Find answers, ask questions, and share your expertise

KDC Cross Realm Trust Setup- krb5.conf config??

Contributor

We have 1 Active Directory KDC names AD.COM which is shared by all environments (active directory users obtain tickets from AD.COM) then we have separate CORP.COM kerberos KDC's (same realm name ) in each layer Dev,TST,AT,PROD.

Existing krb5.conf file config(part of it) in all enviroments is :

AD.COM = {
  kdc = ad-kdc.com
  admin_server = ad-kdc.com
 }

[domain_realm]
 .company.com = CORP.COM
 company.com = CORP.COM
 .ad.com = AD.COM
 ad.com = AD.COM

[capaths]
 AD.COM = {
  CORP.COM = .
 }

Now we want to

1)add DR.CORP.COM kerberos KDC for DR cluster and

2) also set up cross realm trust with PROD cluster to be able to use distcp .

What should be krb5.conf file to set up cross realm trust for DR cluster? Nodes in both DR and PROD cluster have same '.company.com' domain so we are not sure how to set up krb5.conf for cross realm trust?

We wanted to try below but not sure if clients in DR cluster can access PROD name node as domain name is same for all nodes in all clusters

---- FOR DR CLUSTER
[domain_realm] 
.company.com = DR.CORP.COM
company.com = DR.CORP.COM
.AD.com = AD.COM
AD.com = AD.COM

[capaths]
 AD.COM = {
  DR.CORP.COM = .
  CORP.COM = DR.CORP.COM
  }   
 
 
 
---- FOR PROD CLUSTER
[domain_realm] 
.company.com = .CORP.COM
company.com = .CORP.COM
.AD.com = AD.COM
AD.com = AD.COM


[capaths]
 AD.COM = {
  .CORP.COM = .
  DR.CORP.COM = .CORP.COM
  } 

Looking for some best practices or help with config above.

1 ACCEPTED SOLUTION

Accepted Solutions

Contributor

We explicitly listed out FQDN's of all hosts in both the clusters under [domain_realm] section of krb5.conf file. We have to update this file everytime we add node to our clusters and our clusters are currently less than <100 nodes and this solution is manageable but for large clusters this may be challenge.

View solution in original post

1 REPLY 1

Contributor

We explicitly listed out FQDN's of all hosts in both the clusters under [domain_realm] section of krb5.conf file. We have to update this file everytime we add node to our clusters and our clusters are currently less than <100 nodes and this solution is manageable but for large clusters this may be challenge.

View solution in original post