Kerberos is supposed to be a 3-headed dog, but I think it’s a bear…
I’m working with a customer who has a production AD that is also the user directory in their non-production dev and test environments. My immediate challenge is to demonstrate Kerberos in the DEV environment. I was hoping the Communities could lend some insight, given this is a non-standard configuration that is not addressed in the Kerberos documentation or in the internet searches I have conducted.
- Policy Server: SiteMinder r12.52 sp01 cr05 on Linux 64-bit, hostname=smps01.dev.company.com
- Login Server: IIS 7.5 on Windows 2008 R2, hostname=login.ad.company.com
- User Directory: AD on Windows 2008 R2, hostname=msad.corp.company.com
I want to establish a configuration in the DEV environment that is distinct from what will eventually be TEST and PROD Kerberos realms using the same AD infrastructure, i.e., someone who has authenticated to a DEV application does not gain access to TEST or PROD apps.
I have the following SPNs:
I have tried various combinations of settings in krb5.conf, each yielding different errors, which I have tried to research. This configuration of krb5.conf and the resulting error when I try kinit seem the most promising, so I’ll start here:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = DEV.COMPANY.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_keytab_name = /home/smuser/krb5/krbsvc-dev-smps.keytab
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
[realms]
DEV.COMPANY.COM = {
kdc = msad.ad.company.com
admin_server = msad.ad.company.com
default_domain = dev.company.com
}
[domain_realm]
.ad.company.com = DEV.COMPANY.COM
ad.company.com = DEV.COMPANY.COM
.dev.company.com = DEV.COMPANY.COM
dev.company.com = DEV.COMPANY.COM
The 'kinit' command fails as shown below:
[smuser@smps01 krb5]$ kinit krbsvc-dev-smps -V
Using default cache: /home/smadmin/krb5/cache/krb5cc
Using principal: krbsvc-dev-smps@DEV.COMPANY.COM
kinit: Realm not local to KDC while getting initial credentials
[smuser@smps01 krb5]$
Comments?
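Added example (not part of the original post, and not a CA/SiteMinder or MIT tool): a small krb5.conf consistency checker that parses the INI-like syntax, including one level of `{ }` nesting, and flags the mismatch most likely behind "Realm not local to KDC" (KDC_ERR_WRONG_REALM). A domain controller's KDC only issues initial tickets for its own domain's realm, whose name is the domain's DNS name in upper case, so a realm called DEV.COMPANY.COM whose only kdc is msad.ad.company.com cannot be served by that KDC. The two embedded config strings are constructed for the example; the first is modelled on the krb5.conf above, and the realm name AD.COMPANY.COM in the second is an assumption standing in for whatever the AD domain is actually called.

```python
"""Added example: krb5.conf parser plus realm/KDC consistency checks.
Not from the original post or from any vendor tool."""
import re
from typing import Dict, List

# Constructed sample modelled on the krb5.conf in the post (an assumption,
# not a file copied from any real system).
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = DEV.COMPANY.COM
 dns_lookup_kdc = false
[realms]
 DEV.COMPANY.COM = {
  kdc = msad.ad.company.com
  admin_server = msad.ad.company.com
  default_domain = dev.company.com
 }
[domain_realm]
 .ad.company.com = DEV.COMPANY.COM
 ad.company.com = DEV.COMPANY.COM
 .dev.company.com = DEV.COMPANY.COM
"""

# Constructed counter-example: realm named after the KDC's own DNS domain.
# AD.COMPANY.COM is an assumed name for the AD domain.
CORRECTED_KRB5_CONF = """
[libdefaults]
 default_realm = AD.COMPANY.COM
 dns_lookup_kdc = false
[realms]
 AD.COMPANY.COM = {
  kdc = msad.ad.company.com
 }
[domain_realm]
 .ad.company.com = AD.COMPANY.COM
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse [sections], key = value lines and one level of name = { ... }
    blocks. Plain keys collect into lists so repeated kdc lines survive."""
    sections: Dict[str, dict] = {}
    current = None   # dict of the active section
    block = None     # dict of the active { } block, if any
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
            block = None
            continue
        if current is None:
            raise ValueError(f'key outside any section: {line}')
        if line == '}':
            block = None
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            block = current.setdefault(key, {})
            continue
        target = block if block is not None else current
        target.setdefault(key, []).append(value)
    return sections


def check(conf: Dict[str, dict]) -> List[str]:
    """Return a list of human-readable problems; empty means consistent."""
    problems: List[str] = []
    libdefaults = conf.get('libdefaults', {})
    realms = conf.get('realms', {})
    default_realm = libdefaults.get('default_realm', [None])[0]
    if default_realm is None:
        problems.append('[libdefaults]: default_realm is not set')
    elif default_realm not in realms:
        problems.append(f'default_realm {default_realm} has no [realms] entry')
    dns_kdc = libdefaults.get('dns_lookup_kdc', ['true'])[0].lower()
    for realm, settings in realms.items():
        if realm != realm.upper():
            problems.append(f'{realm}: realm names are case-sensitive; AD realms are upper case')
        kdcs = settings.get('kdc', [])
        if not kdcs and dns_kdc == 'false':
            problems.append(f'{realm}: no kdc configured and dns_lookup_kdc = false')
        for kdc in kdcs:
            host = kdc.split(':')[0].lower()   # drop an optional :port
            if not host.endswith('.' + realm.lower()):
                problems.append(
                    f'{realm}: kdc {host} is not in DNS domain {realm.lower()}; '
                    'an AD DC only serves the realm named after its own domain, '
                    'so kinit against it will fail with "Realm not local to KDC"')
    for domain, mapped in conf.get('domain_realm', {}).items():
        for realm in mapped:
            if realm not in realms:
                problems.append(f'[domain_realm] {domain} maps to undefined realm {realm}')
    return problems


def problems_for(text: str) -> List[str]:
    """Convenience wrapper: parse then check."""
    return check(parse_krb5_conf(text))


if __name__ == '__main__':
    for name, text in (('post', SAMPLE_KRB5_CONF), ('corrected', CORRECTED_KRB5_CONF)):
        print(name, problems_for(text) or 'OK')
```

The checker is deliberately strict about the realm/KDC pairing because that is the one thing a shared AD does not let you change: DEV, TEST and PROD clients all have to name the AD domain's realm. Separation between the environments then has to come from distinct service accounts, SPNs and keytabs (and from which SPNs each SiteMinder policy server trusts), not from distinct realms.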