How to setup Kerberos realm without domain name
I'm currently setting up Kerberos for an Ambari Hortonworks environment. For a number of reasons, I'm unable to use a distinct domain name as the realm name for this install. This is strange because - from what I read - the realm name is just set to the domain name by convention. In theory it can be any ASCII string.
For this Ambari environment I'm essentially trying to set up Kerberos where

```ini
[libdefaults]
default_realm = FOOBAR
```

In fact, my current krb5.conf looks something like this:

```ini
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = FOOBAR
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
#Not sure how to use this mapping property in this case
FOOBAR = FOOBAR
.FOOBAR = FOOBAR
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
FOOBAR = {
admin_server = {admin ip address}
kdc = {kdc ip address}
}
```

/etc/hosts:

```
{kdc ip address} FOOBAR kdc
```
One ought to be able to short-circuit the DNS check with the hosts file. But I can't seem to get Kerberos working this way. All the documentation I found so far online describes the nice, safe setup following the DNS convention.
Can anyone point to a tutorial, or describe the necessary steps to make Kerberos work without a domain name?
hadoop kerberos
asked Nov 13 at 22:16
Koen De Couck
"the realm name is just set to the domain name by convention" > what do you mean by "domain"? A network domain, or an Active Directory domain (which is implicitly a Kerberos realm but spelled in lowercase)?
– Samson Scharfrichter
Nov 15 at 8:26
Kerberos is meant for strong authentication over an insecure network. It requires a DNS authority and proper DNS config (reverse lookups) to reduce its attack surface. Also requires that system clocks be in sync, etc etc. Security is not something you ask an intern to set up in 10 min after two beers, sorry...
– Samson Scharfrichter
Nov 15 at 8:34
Replace {admin ip address} with {canonical DNS name of the host running a KDC service on default port 88}, or specify another port if necessary; if you have a pool of KDCs (which is really a good idea for obvious availability reasons) then add one line per KDC, and check the Java-specific entry about timeout (that was undocumented before Java 9 and also had a silly default of 30s).
– Samson Scharfrichter
Nov 15 at 8:40
For future readers: I did manage to get this working using a non-registered DNS name. I did not find any tutorials on this, so I just spent some time flipping config options on/off.
– Koen De Couck
Nov 16 at 18:51
So provide the options you used and make an answer, and then self-mark it as answered.
– T-Heron
Nov 17 at 15:48
1 Answer
Given the lack of helpful responses, I'll just share what I ended up using (it works but might not be optimal):

```ini
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = FOOBAR
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
FOOBAR = FOOBAR
.FOOBAR = FOOBAR
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
FOOBAR = {
admin_server = {admin_server ip}
kdc = {kdc_server ip}
}
```

In addition, be sure to add the IP addresses and hostnames of all machines in the cluster to the /etc/hosts files.
answered Nov 19 at 15:16
Koen De Couck
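As an added example (not code from the question, the answer or the comments), a small Python lint for the krb5.conf shape discussed on this page: it parses the file including the nested realm block, then checks what DNS can no longer supply once the realm is not a DNS name (the dns_lookup_* and rdns options off, a [domain_realm] mapping, explicit kdc entries whose hosts appear in /etc/hosts) and follows the comment's preference for canonical host names over IP literals. The sample krb5.conf and hosts line are constructed; port 749 for admin_server and the address 192.0.2.10 are assumptions, not values from the page.

```python
import re
# Constructed samples (not from the page): a krb5.conf modelled on the answer's, with
# the realm FOOBAR not a DNS name and DNS lookups off, plus the question's hosts line.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = FOOBAR
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
[domain_realm]
FOOBAR = FOOBAR
[realms]
FOOBAR = {
  admin_server = kdc:749
  kdc = kdc
}
"""
SAMPLE_HOSTS = "192.0.2.10 FOOBAR kdc\n"
# MIT krb5 defaults for the three options that make the library consult DNS.
DNS_DEFAULTS = {"dns_lookup_realm": "false", "dns_lookup_kdc": "true", "rdns": "true"}

def parse_krb5_conf(text):
    """{section: {key: [values]}}; a 'NAME = { ... }' block nests, repeated keys accumulate."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # blank lines match no branch below
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = line[:-1].split("=")[0].strip()
            conf[section][block] = {}
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            target = conf[section][block] if block else conf[section]
            target.setdefault(key, []).append(value)
    return conf

def parse_hosts(text):
    """Names resolvable through /etc/hosts (every field after the address)."""
    return {n for raw in text.splitlines() for n in raw.split("#", 1)[0].split()[1:]}

def lint(conf, host_names):
    """Findings for a realm with no DNS zone: what DNS would supply must be explicit."""
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [None])[0]
    if realm is None:
        return ["libdefaults: default_realm is missing"]
    findings = [f"libdefaults: {k} must be false, no DNS records exist for {realm}"
                for k, d in DNS_DEFAULTS.items() if lib.get(k, [d])[0].lower() != "false"]
    if not any(realm in v for v in conf.get("domain_realm", {}).values()):
        findings.append(f"domain_realm: no host-to-realm mapping for {realm}")
    block = conf.get("realms", {}).get(realm)
    if not isinstance(block, dict) or "kdc" not in block:
        return findings + [f"realms: {realm} has no kdc entry and DNS cannot supply one"]
    for key in ("kdc", "admin_server"):
        for target in block.get(key, []):
            host = target.rsplit(":", 1)[0]  # drop an optional :port
            if re.fullmatch(r"\d+(\.\d+){3}", host):  # works, but the comments prefer a host name
                findings.append(f"realms/{realm}: {key} uses an IP literal; name the host in /etc/hosts")
            elif host not in host_names:
                findings.append(f"realms/{realm}: {key} host {host!r} is not in /etc/hosts")
    return findings
```

Running `lint` over the answer's shape yields no findings, while the question's first attempt (an IP literal for kdc with rdns left at its default) is flagged on exactly those two points.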