Incorrect or Missing Kerberos Configuration

Every client needs to know two things: the realm that every host it wishes to communicate with belongs to, and the KDCs that are responsible for those realms. Therefore, a client requires a mapping between domain names and realms, as well as realms and their KDCs. Traditionally, these mappings are hardcoded inside a configuration file, /etc/krb5.conf , on Unix hosts. However, with the advent of Windows 2000, DNS realm and KDC mapping is becoming more popular, as Windows 2000 and above use DNS to find realm and KDC information by default.

Either way that your realm (and other realms your hosts may communicate with) handles its Kerberos configuration, incorrect or missing Kerberos configuration information will cause requests for tickets to fail, sometimes silently—giving no error messages to point toward the cause of failure, or worse yet, misleading error messages that give no indication of the root cause of failure.

Let’s begin with some simple examples from a Unix client running MIT. Our client has no /etc/krb5.conf file. If there is a pre-existing credential cache (pointed to by the environment variable KRB5CCACHE, by default /tmp/krb5cc_UID where UID is the Unix UID of the current user), then kinit will request a ticket as that principal from the KDC. When there is no pre-existing credential cache, MIT kinit forms the user principal by using the Unix username as the username portion of the principal, and the realm is determined by ...

Get Kerberos: The Definitive Guide now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.