Defining realms in the DNS database


You can define realms in the DNS database to resolve host names.

Network authentication service allows you to use the DNS server to resolve host names. To do this, you need to add a server (SRV) record and text (TXT) record for each key distribution center in the realm. The Kerberos protocol searches for an SRV record using the realm name as the DNS search name.

To define realms with DNS...

  1. Set the configuration file to use DNS.

  2. Add SRV records to your DNS server for each KDC server in the realm. The Kerberos run time searches for an SRV record by using the realm name as the search name. Note that DNS searches are not case-sensitive, so you cannot have two different realms whose names differ only in their case. The general form of the Kerberos SRV record is as follows:
    service.protocol.realm TTL class SRV priority weight port target

    The _kerberos service entries define KDC instances, and _kpasswd service entries define password change service instances.

    Entries are tried in priority order (0 is the highest priority). Entries with the same priority are tried in random order. The _udp protocol records are required for _kerberos and _kpasswd entries.

  3. Add TXT records to associate host names with realm names. The Kerberos protocol searches for a TXT record starting with the host name. If no TXT record is found, the first label is removed and the search is retried with the new name. This process continues until a TXT record is found or the root is reached. Note that the realm name is case-sensitive in the TXT record. The general format of a TXT record is as follows:
    service.name TTL class TXT realm

    For our configuration example, you can define the example KDCs for the two realms by adding the following records:

    _kerberos._udp.deptxyz.bogusname.com IN SRV 0 0 88 kdc1.deptxyz.bogusname.com
    _kerberos._tcp.deptxyz.bogusname.com IN SRV 0 0 88 kdc1.deptxyz.bogusname.com
    _kerberos._udp.deptabc.bogusname.com IN SRV 0 0 88 kdc2.deptabc.bogusname.com
    _kerberos._tcp.deptabc.bogusname.com IN SRV 0 0 88 kdc2.deptabc.bogusname.com
    _kpasswd._udp.deptxyz.bogusname.com IN SRV 0 0 464 kdc1.deptxyz.bogusname.com
    _kpasswd._tcp.deptxyz.bogusname.com IN SRV 0 0 464 kdc1.deptxyz.bogusname.com
    _kpasswd._udp.deptabc.bogusname.com IN SRV 0 0 464 kdc2.deptabc.bogusname.com
    _kpasswd._tcp.deptabc.bogusname.com IN SRV 0 0 464 kdc2.deptabc.bogusname.com

    For our configuration example, following the general form of a Kerberos TXT record, we can associate hosts in the deptxyz and deptabc domains to their respective realms with the following statements:

    _kerberos.deptxyz.bogusname.com IN TXT DEPTXYZ.BOGUSNAME.COM
    _kerberos.deptabc.bogusname.com IN TXT DEPTABC.BOGUSNAME.COM

    Here is a sample krb5.conf configuration file that specifies using DNS lookup:

    Sample krb5.conf configuration file

    ; krb5.conf - Kerberos V5 configuration file DO NOT REMOVE THIS LINE
    ;
    [libdefaults]
    ;  The default_realm value
    ;-default_realm = REALM1.ROCHESTER.IBM.COM
    default_realm = DEPTXYZ.BOGUSNAME.COM
    ; define the system to use DNS lookup
    use_dns_lookup = 1
    [realms]
    ;
    ; We could configure the same realm information here, but it would
    ; only be used if the DNS lookup failed.
    ;
    [domain_realm]
    ;  Convert host names to realm names.  Individual host names may be
    ;  specified.  Domain suffixes may be specified with a leading period
    ;  and will apply to all host names ending in that suffix.
    ;
    ; We will use DNS to resolve what realm a given host name belongs to.
    ;
    [capaths]
    ;  Configurable authentication paths define the trust relationships
    ;  between client and servers.  Each entry represents a client realm
    ;  and consists of the trust relationships for each server that can
    ;  be accessed from that realm.  A server may be listed multiple times
    ;  if multiple trust relationships are involved.  Specify '.' for
    ;  a direct connection.
    ;-REALM1.ROCHESTER.IBM.COM = {
    ;-    REALM2.ROCHESTER.IBM.COM = .
    ;;}
    DEPTXYZ.BOGUSNAME.COM = {
    	DEPTABC.BOGUSNAME.COM = .
    }
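The following script is an added example, not part of this IBM topic and not IBM code. It models the lookup behaviour the steps above describe over a constructed in-memory zone (no real DNS queries): the TXT walk that strips one leading label at a time until a realm is found, the case-insensitive owner-name match combined with the case-exact realm value, and SRV ordering by priority and then weight. The records mirror the deptxyz/deptabc example; the kdc3 entry at priority 1 is a hypothetical backup KDC added only to show priority ordering. The check_zone() lint flags missing _udp records, which the text says are required.

```python
import random
from collections import defaultdict

# Constructed in-memory zone mirroring the page's example.  Owner names are
# stored lower-cased because DNS lookups are not case-sensitive; the realm
# inside each TXT record keeps its exact case, because Kerberos compares it
# case-sensitively.  kdc3 is a hypothetical backup KDC (priority 1).
ZONE = {
    ("_kerberos._udp.deptxyz.bogusname.com", "SRV"): [(0, 0, 88, "kdc1.deptxyz.bogusname.com")],
    ("_kerberos._tcp.deptxyz.bogusname.com", "SRV"): [(0, 0, 88, "kdc1.deptxyz.bogusname.com")],
    ("_kerberos._udp.deptabc.bogusname.com", "SRV"): [(0, 0, 88, "kdc2.deptabc.bogusname.com"),
                                                       (1, 0, 88, "kdc3.deptabc.bogusname.com")],
    ("_kerberos._tcp.deptabc.bogusname.com", "SRV"): [(0, 0, 88, "kdc2.deptabc.bogusname.com")],
    ("_kpasswd._udp.deptxyz.bogusname.com", "SRV"): [(0, 0, 464, "kdc1.deptxyz.bogusname.com")],
    ("_kpasswd._tcp.deptxyz.bogusname.com", "SRV"): [(0, 0, 464, "kdc1.deptxyz.bogusname.com")],
    ("_kpasswd._udp.deptabc.bogusname.com", "SRV"): [(0, 0, 464, "kdc2.deptabc.bogusname.com")],
    ("_kpasswd._tcp.deptabc.bogusname.com", "SRV"): [(0, 0, 464, "kdc2.deptabc.bogusname.com")],
    ("_kerberos.deptxyz.bogusname.com", "TXT"): ["DEPTXYZ.BOGUSNAME.COM"],
    ("_kerberos.deptabc.bogusname.com", "TXT"): ["DEPTABC.BOGUSNAME.COM"],
}


def lookup(name, rtype):
    """DNS-style lookup: the owner name is matched case-insensitively."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def realm_for_host(hostname):
    """TXT walk: try _kerberos.<host>, drop the leftmost label, repeat until a
    TXT record is found or the root is reached.  Returns None if no realm maps."""
    labels = hostname.rstrip(".").split(".")
    while labels:
        txt = lookup("_kerberos." + ".".join(labels), "TXT")
        if txt:
            return txt[0]  # realm returned exactly as stored (case-sensitive value)
        labels = labels[1:]
    return None


def ordered_targets(realm, service="_kerberos", proto="_udp", rng=random):
    """Order SRV entries for a realm: lowest priority value first; entries that
    share a priority are drawn in weighted-random order, weight-0 entries last."""
    by_prio = defaultdict(list)
    for prio, weight, port, target in lookup(f"{service}.{proto}.{realm}", "SRV"):
        by_prio[prio].append((weight, port, target))
    result = []
    for prio in sorted(by_prio):
        group = by_prio[prio]
        while group:
            total = sum(w for w, _, _ in group)
            if total == 0:
                pick = rng.randrange(len(group))
            else:
                r = rng.random() * total  # in [0, total)
                acc = 0
                for pick, (w, _, _) in enumerate(group):
                    acc += w
                    if r < acc:
                        break
            _, port, target = group.pop(pick)
            result.append((target, port))
    return result


def check_zone():
    """Lint the zone against two rules from the text: every _kerberos/_kpasswd
    SRV owner needs a _udp record, and every realm named by a TXT record needs
    _kerberos._udp SRV entries.  Returns a list of problem descriptions."""
    problems = []
    for (name, rtype), rdata in ZONE.items():
        if rtype == "SRV":
            service, _proto, realm = name.split(".", 2)
            if (f"{service}._udp.{realm}", "SRV") not in ZONE:
                problems.append(f"missing {service}._udp.{realm}")
        elif rtype == "TXT":
            for realm in rdata:
                if (f"_kerberos._udp.{realm.lower()}", "SRV") not in ZONE:
                    problems.append(f"no KDC SRV records for realm {realm}")
    return problems


if __name__ == "__main__":
    for host in ("host1.deptxyz.bogusname.com", "a.b.deptabc.bogusname.com", "host.other.example"):
        print(host, "->", realm_for_host(host))
    print(ordered_targets("DEPTABC.BOGUSNAME.COM"))
    print("zone problems:", check_zone())
```

Because only the owner name is lower-cased, two realms whose names differ only in case would collide on the same TXT and SRV owners, which is exactly the restriction noted in step 2.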
