“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 670 — #696
To configure your Kerberos clients, add the following stanza to krb5.conf
(where kdc.sample.com is the host name of the KDC):

[libdefaults]
    default_realm = SAMPLE.COM
[realms]
    SAMPLE.COM = {
        kdc = kdc.sample.com
        kpasswd_server = kdc.sample.com
        admin_server = kdc.sample.com
    }

The default_realm line sets the default realm for Kerberos applications.
If you have several realms, just add another statement to the [realms]
section.
Also add a statement to this file that tells applications how to map host
names to a realm. For instance, when connecting to a remote host, the
Kerberos library needs to know in which realm this host is located. This
must be configured in the [domain_realm] section:

[domain_realm]
    .sample.com = SAMPLE.COM
    www.foobar.com = SAMPLE.COM

This tells the library that all hosts in the sample.com DNS domain (the
leading dot matches any host below that domain) are in the SAMPLE.COM
Kerberos realm. In addition, one external host named www.foobar.com should
also be considered a member of the SAMPLE.COM realm.
DNS-Based Configuration

DNS-based Kerberos configuration makes heavy use of SRV records. See
RFC 2052, A DNS RR for specifying the location of services, at
http://www.ietf.org. These records are not supported in earlier
implementations of the BIND name server. At least BIND version 8 is
required for this.

The name of an SRV record, as far as Kerberos is concerned, is always in
the format _service._proto.realm, where realm is the Kerberos realm.
Domain names in DNS are case insensitive, so case-sensitive Kerberos
realms (two realms differing only in case) would break when using this
configuration method. _service is a service name (different names are
used when trying to contact the KDC or the password service, for
example). _proto can be either _udp or _tcp, but not all services support
both protocols.
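As an added illustration that is not part of the manual, the following Python models the two lookups described above: the host-to-realm mapping of the [domain_realm] section and the _service._proto.realm naming of SRV records. The parser and the suffix-walking rule are a simplified model of what the Kerberos library does, not its code, and the krb5.conf fragment is constructed from the stanzas shown above.

```python
from typing import Dict, Optional

# Constructed krb5.conf fragment; it mirrors the stanzas shown above.
KRB5_CONF = """
[libdefaults]
    default_realm = SAMPLE.COM
[realms]
    SAMPLE.COM = {
        kdc = kdc.sample.com
        kpasswd_server = kdc.sample.com
        admin_server = kdc.sample.com
    }
[domain_realm]
    .sample.com = SAMPLE.COM
    www.foobar.com = SAMPLE.COM
"""


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Collect the key = value lines of the [domain_realm] section only."""
    mapping: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value  # DNS names compare case-insensitively
    return mapping


def host_to_realm(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Simplified lookup (assumption, not the library's exact algorithm):
    an exact host entry wins; otherwise the most specific '.parent.domain'
    entry applies. None means no static mapping exists for this host."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def srv_name(service: str, proto: str, realm: str) -> str:
    """Build the _service._proto.realm name of a Kerberos SRV record."""
    if proto not in ("_udp", "_tcp"):
        raise ValueError("proto must be _udp or _tcp")
    if not service.startswith("_"):
        raise ValueError("service name must start with an underscore")
    return f"{service}.{proto}.{realm}"
```

Comparing the SRV names of two realms that differ only in case with a case-insensitive comparison shows the collision the text warns about.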
670 26.6. Installing and Administering Kerberos