
In /etc/krb5.conf, given the following default_realm, should [realms].default_domain point at the default_realm or a Domain Controller (DC) or Key Distribution Center (KDC)?

ada and adb are Windows Server DCs & KDCs. The domain members are systems running supported Ubuntu Server releases, joined as domain members through Samba and Winbind.

The DCs provide authentication for logging in through ssh and accessing SMB shares that reside on the Ubuntu servers. This is used to control what domain users and groups can or cannot access on various Ubuntu servers.

Ex 1:

[libdefaults]
ticket_lifetime = 24h
default_realm = DEPT.EXMAMPLE.COM
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = false
dns_lookup_kdc = true
dns_fallback = yes

[realms]
DEPT.EXMAMPLE.COM = {
  kdc = ada.dept.example.com
  kdc = adb.dept.example.com
  admin_server = ada.dept.example.com
  master_kdc = ada.dept.example.com
  default_domain = dept.example.com
}

[domain_realm]
.dept.example.com = DEPT.EXMAMPLE.COM
dept.example.com = DEPT.EXMAMPLE.COM

Ex 2:

[libdefaults]
ticket_lifetime = 24h
default_realm = DEPT.EXMAMPLE.COM
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = false
dns_lookup_kdc = true
dns_fallback = yes

[realms]
DEPT.EXMAMPLE.COM = {
  kdc = ada.dept.example.com
  kdc = adb.dept.example.com
  admin_server = ada.dept.example.com
  master_kdc = ada.dept.example.com
  default_domain = dept.example.com
}

[domain_realm]
.dept.example.com = ADA.DEPT.EXMAMPLE.COM
dept.example.com = ADA.DEPT.EXMAMPLE.COM

Both configurations seem to work on a number of Ubuntu Servers, but I don't understand why, or which is correct.

Louis Waweru

1 Answer

Your ex1 is correct, ex2 invalid.

From man page:

[realms]
Contains subsections keyed by Kerberos realm names which describe where to find the Kerberos servers for a particular realm, and other realm-specific information.
[domain_realm]
Contains relations which map subdomains and domain names to Kerberos realm names. This is used by programs to determine what realm a host should be in, given its fully qualified domain name.

and details about DOMAIN_REALM section:

The [domain_realm] section provides a translation from a hostname to the Kerberos realm name for the services provided by that host.

The tag name can be a hostname, or a domain name, where domain names are indicated by a prefix of a period ('.') character. The value of the relation is the Kerberos realm name for that particular host or domain. Host names and domain names should be in lower case.

If no translation entry applies, the host's realm is considered to be the hostname's domain portion

So it must not point directly to a (K)DC but to a realm, and is a mapping a bit more specific than default_realm. In your simple setup it is not needed at all, because .dept.example.com = DEPT.EXMAMPLE.COM is exactly what happens if there is no applying translation entry.
Though dept.example.com = DEPT.EXMAMPLE.COM could kick in, I doubt it is needed as you have the global default_realm specified, which should be used if there is no definition of realm EXMAMPLE.COM found.

EOhm
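As an added illustration (not part of the question or the answer), the Python below models the [domain_realm] lookup rule quoted from the man page and then checks whether the realm a host maps to actually has a [realms] stanza with a kdc; run against the two examples it accepts Ex 1 and flags Ex 2, whose mapping names a host-like realm that is defined nowhere. It is a model of the documented rule, not MIT krb5's own resolver, and the config snippets embedded in it are constructed from the question.

```python
def parse_krb5_conf(text):
    """Parse the krb5.conf subset above: [sections], 'key = value', 'REALM = { }' blocks."""
    conf, section, realm = {}, None, None
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]  # '#' starts a comment
    for line in filter(None, lines):
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):                       # 'REALM = {' opens a subsection
            realm = line[:-1].strip(" =")
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        else:                                          # repeated keys (kdc) collect in lists
            key, _, value = line.partition("=")
            target = conf[section][realm] if realm else conf[section]
            target.setdefault(key.strip(), []).append(value.strip())
    return conf

def host_realm(conf, hostname):
    """Man-page rule: exact host tag, then the longest '.domain' tag, else the domain part upper-cased."""
    mapping = {k: v[0] for k, v in conf.get("domain_realm", {}).items()}
    labels = hostname.lower().split(".")               # tags are lower case
    for i in range(len(labels)):                       # i == 0 is the exact hostname
        tag = ("." if i else "") + ".".join(labels[i:])
        if tag in mapping:
            return mapping[tag]
    return ".".join(labels[1:]).upper()

def check_realm_mapping(conf, hostname):
    """Return (realm, problem); problem is None only if the realm has a [realms] stanza with a kdc."""
    realm = host_realm(conf, hostname)
    stanza = conf.get("realms", {}).get(realm)
    if stanza is None:
        return realm, f"{hostname} maps to {realm}, which has no [realms] stanza"
    if not stanza.get("kdc"):
        return realm, f"[realms] stanza {realm} lists no kdc"
    return realm, None

# Constructed from the question's two examples (realm spelled as it is there).
COMMON = """[realms]
DEPT.EXMAMPLE.COM = {
  kdc = ada.dept.example.com
  kdc = adb.dept.example.com
}
[domain_realm]
"""
EX1 = COMMON + ".dept.example.com = DEPT.EXMAMPLE.COM\n"      # a realm name: valid
EX2 = COMMON + ".dept.example.com = ADA.DEPT.EXMAMPLE.COM\n"  # a host-like name: no such realm
```

A hostname outside every [domain_realm] tag falls through to the upper-cased domain portion, which is why the answer says the .dept.example.com entry changes nothing in Ex 1.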