How to setup Kerberos realm without domain name











up vote
0
down vote

favorite












I'm currently setting up Kerberos for an Ambari Hortonworks environment. For a number of reasons, I'm unable to use a distinct domain name as the realm name for this install. This is strange because - from what I read - the realm name is just set to the domain name by convention. In theory it can be any ASCII string.



For this Ambari environment I'm essentially trying to set up Kerberos where



[libdefaults]
default_realm = FOOBAR


In fact, my current krb5.conf looks something like this:



[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = FOOBAR
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]
#Not sure how to use this mapping property in this case
FOOBAR = FOOBAR
.FOOBAR = FOOBAR

[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log

[realms]
FOOBAR = {
admin_server = {admin ip adress}
kdc = {kdc ip address}
}


/etc/hosts



{kdc ip address} FOOBAR kdc


One ought to be able to short-circuit the DNS check with the hosts file. But I can't seem to get Kerberos working this way. All the documentation I found so far online describes the nice, safe setup following the DNS convention.
Can anyone point to a tutorial, or describe the necessary steps to make Kerberos work without a domain name?










share|improve this question






















  • "the realm name is just set to the domain name by convention" > what do you mean by "domain"? A network domain, or an Active Directory domain (which is implicitly a Kerberos realm but spelled in lowercase)?
    – Samson Scharfrichter
    Nov 15 at 8:26












  • Kerberos is meant for strong athentication over an unsecure network. It requires a DNS authority and proper DNS config (reverse lookups) to reduce its attack surface. Also requires that systems clocks be in sync, etc etc. Security is not something you ask an intern to set up in 10 min after two beers, sorry...
    – Samson Scharfrichter
    Nov 15 at 8:34












  • Replace {admin ip adress} with {canonical DNS name of the host running a KDC service on default port 88} or specify another port if necessary; if you have a pool of KDCs (which is really a good idea for obvious availability reasons) then add one line per KDC, and check about the Java-specific entry about timeout (that was undocumented before Java9 and also had a silly default of 30s)
    – Samson Scharfrichter
    Nov 15 at 8:40










  • For future readers; I did manage to get this working using a non-registered DNS name. I did not find any tutorials on this, so I just spend some time flipping config options on/off.
    – Koen De Couck
    Nov 16 at 18:51










  • So provide the options you used and make an answer, and then self-mark it as answered.
    – T-Heron
    Nov 17 at 15:48















up vote
0
down vote

favorite












I'm currently setting up Kerberos for an Ambari Hortonworks environment. For a number of reasons, I'm unable to use a distinct domain name as the realm name for this install. This is strange because - from what I read - the realm name is just set to the domain name by convention. In theory it can be any ASCII string.



For this Ambari environment I'm essentially trying to set up Kerberos where



[libdefaults]
default_realm = FOOBAR


In fact, my current krb5.conf looks something like this:



[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = FOOBAR
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]
#Not sure how to use this mapping property in this case
FOOBAR = FOOBAR
.FOOBAR = FOOBAR

[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log

[realms]
FOOBAR = {
admin_server = {admin ip adress}
kdc = {kdc ip address}
}


/etc/hosts



{kdc ip address} FOOBAR kdc


One ought to be able to short-circuit the DNS check with the hosts file. But I can't seem to get Kerberos working this way. All the documentation I found so far online describes the nice, safe setup following the DNS convention.
Can anyone point to a tutorial, or describe the necessary steps to make Kerberos work without a domain name?










share|improve this question






















  • "the realm name is just set to the domain name by convention" > what do you mean by "domain"? A network domain, or an Active Directory domain (which is implicitly a Kerberos realm but spelled in lowercase)?
    – Samson Scharfrichter
    Nov 15 at 8:26












  • Kerberos is meant for strong athentication over an unsecure network. It requires a DNS authority and proper DNS config (reverse lookups) to reduce its attack surface. Also requires that systems clocks be in sync, etc etc. Security is not something you ask an intern to set up in 10 min after two beers, sorry...
    – Samson Scharfrichter
    Nov 15 at 8:34












  • Replace {admin ip adress} with {canonical DNS name of the host running a KDC service on default port 88} or specify another port if necessary; if you have a pool of KDCs (which is really a good idea for obvious availability reasons) then add one line per KDC, and check about the Java-specific entry about timeout (that was undocumented before Java9 and also had a silly default of 30s)
    – Samson Scharfrichter
    Nov 15 at 8:40










  • For future readers; I did manage to get this working using a non-registered DNS name. I did not find any tutorials on this, so I just spend some time flipping config options on/off.
    – Koen De Couck
    Nov 16 at 18:51










  • So provide the options you used and make an answer, and then self-mark it as answered.
    – T-Heron
    Nov 17 at 15:48













up vote
0
down vote

favorite









up vote
0
down vote

favorite











I'm currently setting up Kerberos for an Ambari Hortonworks environment. For a number of reasons, I'm unable to use a distinct domain name as the realm name for this install. This is strange because - from what I read - the realm name is just set to the domain name by convention. In theory it can be any ASCII string.



For this Ambari environment I'm essentially trying to set up Kerberos where



[libdefaults]
default_realm = FOOBAR


In fact, my current krb5.conf looks something like this:



[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = FOOBAR
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]
#Not sure how to use this mapping property in this case
FOOBAR = FOOBAR
.FOOBAR = FOOBAR

[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log

[realms]
FOOBAR = {
admin_server = {admin ip adress}
kdc = {kdc ip address}
}


/etc/hosts



{kdc ip address} FOOBAR kdc


One ought to be able to short-circuit the DNS check with the hosts file. But I can't seem to get Kerberos working this way. All the documentation I found so far online describes the nice, safe setup following the DNS convention.
Can anyone point to a tutorial, or describe the necessary steps to make Kerberos work without a domain name?










share|improve this question













I'm currently setting up Kerberos for an Ambari Hortonworks environment. For a number of reasons, I'm unable to use a distinct domain name as the realm name for this install. This is strange because - from what I read - the realm name is just set to the domain name by convention. In theory it can be any ASCII string.



For this Ambari environment I'm essentially trying to set up Kerberos where



[libdefaults]
default_realm = FOOBAR


In fact, my current krb5.conf looks something like this:



[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = FOOBAR
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]
#Not sure how to use this mapping property in this case
FOOBAR = FOOBAR
.FOOBAR = FOOBAR

[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log

[realms]
FOOBAR = {
admin_server = {admin ip adress}
kdc = {kdc ip address}
}


/etc/hosts



{kdc ip address} FOOBAR kdc


One ought to be able to short-circuit the DNS check with the hosts file. But I can't seem to get Kerberos working this way. All the documentation I found so far online describes the nice, safe setup following the DNS convention.
Can anyone point to a tutorial, or describe the necessary steps to make Kerberos work without a domain name?







hadoop kerberos






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 13 at 22:16









Koen De Couck

65831027




65831027












  • "the realm name is just set to the domain name by convention" > what do you mean by "domain"? A network domain, or an Active Directory domain (which is implicitly a Kerberos realm but spelled in lowercase)?
    – Samson Scharfrichter
    Nov 15 at 8:26












  • Kerberos is meant for strong athentication over an unsecure network. It requires a DNS authority and proper DNS config (reverse lookups) to reduce its attack surface. Also requires that systems clocks be in sync, etc etc. Security is not something you ask an intern to set up in 10 min after two beers, sorry...
    – Samson Scharfrichter
    Nov 15 at 8:34












  • Replace {admin ip adress} with {canonical DNS name of the host running a KDC service on default port 88} or specify another port if necessary; if you have a pool of KDCs (which is really a good idea for obvious availability reasons) then add one line per KDC, and check about the Java-specific entry about timeout (that was undocumented before Java9 and also had a silly default of 30s)
    – Samson Scharfrichter
    Nov 15 at 8:40










  • For future readers; I did manage to get this working using a non-registered DNS name. I did not find any tutorials on this, so I just spend some time flipping config options on/off.
    – Koen De Couck
    Nov 16 at 18:51










  • So provide the options you used and make an answer, and then self-mark it as answered.
    – T-Heron
    Nov 17 at 15:48


















  • "the realm name is just set to the domain name by convention" > what do you mean by "domain"? A network domain, or an Active Directory domain (which is implicitly a Kerberos realm but spelled in lowercase)?
    – Samson Scharfrichter
    Nov 15 at 8:26












  • Kerberos is meant for strong athentication over an unsecure network. It requires a DNS authority and proper DNS config (reverse lookups) to reduce its attack surface. Also requires that systems clocks be in sync, etc etc. Security is not something you ask an intern to set up in 10 min after two beers, sorry...
    – Samson Scharfrichter
    Nov 15 at 8:34












  • Replace {admin ip adress} with {canonical DNS name of the host running a KDC service on default port 88} or specify another port if necessary; if you have a pool of KDCs (which is really a good idea for obvious availability reasons) then add one line per KDC, and check about the Java-specific entry about timeout (that was undocumented before Java9 and also had a silly default of 30s)
    – Samson Scharfrichter
    Nov 15 at 8:40










  • For future readers; I did manage to get this working using a non-registered DNS name. I did not find any tutorials on this, so I just spend some time flipping config options on/off.
    – Koen De Couck
    Nov 16 at 18:51










  • So provide the options you used and make an answer, and then self-mark it as answered.
    – T-Heron
    Nov 17 at 15:48
















"the realm name is just set to the domain name by convention" > what do you mean by "domain"? A network domain, or an Active Directory domain (which is implicitly a Kerberos realm but spelled in lowercase)?
– Samson Scharfrichter
Nov 15 at 8:26






"the realm name is just set to the domain name by convention" > what do you mean by "domain"? A network domain, or an Active Directory domain (which is implicitly a Kerberos realm but spelled in lowercase)?
– Samson Scharfrichter
Nov 15 at 8:26














Kerberos is meant for strong athentication over an unsecure network. It requires a DNS authority and proper DNS config (reverse lookups) to reduce its attack surface. Also requires that systems clocks be in sync, etc etc. Security is not something you ask an intern to set up in 10 min after two beers, sorry...
– Samson Scharfrichter
Nov 15 at 8:34






Kerberos is meant for strong athentication over an unsecure network. It requires a DNS authority and proper DNS config (reverse lookups) to reduce its attack surface. Also requires that systems clocks be in sync, etc etc. Security is not something you ask an intern to set up in 10 min after two beers, sorry...
– Samson Scharfrichter
Nov 15 at 8:34














Replace {admin ip adress} with {canonical DNS name of the host running a KDC service on default port 88} or specify another port if necessary; if you have a pool of KDCs (which is really a good idea for obvious availability reasons) then add one line per KDC, and check about the Java-specific entry about timeout (that was undocumented before Java9 and also had a silly default of 30s)
– Samson Scharfrichter
Nov 15 at 8:40




Replace {admin ip adress} with {canonical DNS name of the host running a KDC service on default port 88} or specify another port if necessary; if you have a pool of KDCs (which is really a good idea for obvious availability reasons) then add one line per KDC, and check about the Java-specific entry about timeout (that was undocumented before Java9 and also had a silly default of 30s)
– Samson Scharfrichter
Nov 15 at 8:40












For future readers; I did manage to get this working using a non-registered DNS name. I did not find any tutorials on this, so I just spend some time flipping config options on/off.
– Koen De Couck
Nov 16 at 18:51




For future readers; I did manage to get this working using a non-registered DNS name. I did not find any tutorials on this, so I just spend some time flipping config options on/off.
– Koen De Couck
Nov 16 at 18:51












So provide the options you used and make an answer, and then self-mark it as answered.
– T-Heron
Nov 17 at 15:48




So provide the options you used and make an answer, and then self-mark it as answered.
– T-Heron
Nov 17 at 15:48












1 Answer
1






active

oldest

votes

















up vote
0
down vote



accepted










Given the lack of helpful response I'll just share what I end up using (works but might not be optimal)



[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = FOOBAR
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]
FOOBAR = FOOBAR
.FOOBAR = FOOBAR

[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log

[realms]
FOOBAR = {
admin_server = {admin_server ip}
kdc = {kdc_server ip}
}


In addition, be sure to add the ip addresses and hostnames for all machines in the cluster to /etc/hosts files.






share|improve this answer





















    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53290348%2fhow-to-setup-kerberos-realm-without-domain-name%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote



    accepted










    Given the lack of helpful response I'll just share what I end up using (works but might not be optimal)



    [libdefaults]
    renew_lifetime = 7d
    forwardable = true
    default_realm = FOOBAR
    ticket_lifetime = 24h
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_ccache_name = /tmp/krb5cc_%{uid}
    #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
    #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

    [domain_realm]
    FOOBAR = FOOBAR
    .FOOBAR = FOOBAR

    [logging]
    default = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    kdc = FILE:/var/log/krb5kdc.log

    [realms]
    FOOBAR = {
    admin_server = {admin_server ip}
    kdc = {kdc_server ip}
    }


    In addition, be sure to add the ip addresses and hostnames for all machines in the cluster to /etc/hosts files.






    share|improve this answer

























      up vote
      0
      down vote



      accepted










      Given the lack of helpful response I'll just share what I end up using (works but might not be optimal)



      [libdefaults]
      renew_lifetime = 7d
      forwardable = true
      default_realm = FOOBAR
      ticket_lifetime = 24h
      dns_lookup_realm = false
      dns_lookup_kdc = false
      default_ccache_name = /tmp/krb5cc_%{uid}
      #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
      #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

      [domain_realm]
      FOOBAR = FOOBAR
      .FOOBAR = FOOBAR

      [logging]
      default = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log
      kdc = FILE:/var/log/krb5kdc.log

      [realms]
      FOOBAR = {
      admin_server = {admin_server ip}
      kdc = {kdc_server ip}
      }


      In addition, be sure to add the ip addresses and hostnames for all machines in the cluster to /etc/hosts files.






      share|improve this answer























        up vote
        0
        down vote



        accepted







        up vote
        0
        down vote



        accepted






        Given the lack of helpful response I'll just share what I end up using (works but might not be optimal)



        [libdefaults]
        renew_lifetime = 7d
        forwardable = true
        default_realm = FOOBAR
        ticket_lifetime = 24h
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_ccache_name = /tmp/krb5cc_%{uid}
        #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
        #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

        [domain_realm]
        FOOBAR = FOOBAR
        .FOOBAR = FOOBAR

        [logging]
        default = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
        kdc = FILE:/var/log/krb5kdc.log

        [realms]
        FOOBAR = {
        admin_server = {admin_server ip}
        kdc = {kdc_server ip}
        }


        In addition, be sure to add the ip addresses and hostnames for all machines in the cluster to /etc/hosts files.






        share|improve this answer












        Given the lack of helpful response I'll just share what I end up using (works but might not be optimal)



        [libdefaults]
        renew_lifetime = 7d
        forwardable = true
        default_realm = FOOBAR
        ticket_lifetime = 24h
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_ccache_name = /tmp/krb5cc_%{uid}
        #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
        #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

        [domain_realm]
        FOOBAR = FOOBAR
        .FOOBAR = FOOBAR

        [logging]
        default = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
        kdc = FILE:/var/log/krb5kdc.log

        [realms]
        FOOBAR = {
        admin_server = {admin_server ip}
        kdc = {kdc_server ip}
        }


        In addition, be sure to add the ip addresses and hostnames for all machines in the cluster to /etc/hosts files.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 19 at 15:16









        Koen De Couck

        65831027




        65831027






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53290348%2fhow-to-setup-kerberos-realm-without-domain-name%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            mysqli_query(): Empty query in /home/lucindabrummitt/public_html/blog/wp-includes/wp-db.php on line 1924

            How to change which sound is reproduced for terminal bell?

            Can I use Tabulator js library in my java Spring + Thymeleaf project?