RJ Systems
Linux System Administration

DNS discovery for MIT Kerberos V


With regard to the administration of any appreciable number of client machines, it is often recommended to maintain a predetermined set of DNS hostname aliases (CNAME records) to refer to the Kerberos servers on a network (see above). However, the flexibility of this approach is limited.

Support for a new mechanism for locating services through DNS was introduced with Kerberos V. It makes use of a relatively new DNS resource record type: SRV (see RFC-2782). Although DNS service discovery is not yet universally supported, it has the potential to save so much time and effort and is so easy to enable, that it is always good practice to configure it. Note, however, that if it is set up for the discovery of Kerberos services, but /etc/krb5.conf also contains information about where to find one or more KDCs, then the local settings will be preferred and no DNS queries will be made.


To configure DNS service discovery for Kerberos V, just add a number of entries to the zone file for the domain example.com, such as these in BIND9 format:

_kerberos._udp.EXAMPLE.COM.         IN  SRV  10  0   88  kdc1.example.com.
_kerberos._udp.EXAMPLE.COM.         IN  SRV  20  0   88  kdc2.example.com.
_kerberos-master._udp.EXAMPLE.COM.  IN  SRV   0  0   88  kdc1.example.com.
_kerberos-adm._tcp.EXAMPLE.COM.     IN  SRV   0  0  749  kdc1.example.com.
_kpasswd._udp.EXAMPLE.COM.          IN  SRV   0  0  464  kdc1.example.com.

All of these records are composed as follows:

  1. A name that starts with an underscore followed by the name of the service. See /etc/services for a list of service names; KDCs use the "kerberos" service.
  2. An underscore followed by the name of the protocol, such as TCP or UDP.
  3. The name of the realm (without a prepended underscore) followed by a trailing dot.
  4. The IN (Internet) data class indicator.
  5. The SRV (service) resource record type indicator.
  6. A priority value within a range of 0-65535; lower values have higher priorities.
  7. A weight value within a range of 0-65535. Used for simple load-balancing among identical services with equal priority values. Employs a probabilistic algorithm to give preference to hosts with higher weight values. A value of 0 disables it.
  8. The port number (TCP or UDP) on which the service listens.
  9. The target: FQDN (no aliases!) of the host that provides the service followed by a trailing dot.

The underscores are used simply to avoid the possibility of duplicating preexisting DNS records, while the dot between the service and the protocol name, as well as between the protocol and the realm name, is just a separator.

The realm names in the DNS resource records shown above have only been left capitalized for the sake of clarity. This does no harm, but the fact is that such DNS entries are not case-sensitive, so they could just as well be written in lower case. Also, there are the trailing dots, which are important here because they prevent the DNS server from expanding both the entries and their targets with the name of the domain. However, since in this case the realm name and all of the domain names are the same when written in lower case, we can instead use omission of the trailing dots to cause BIND9 to complete the names with the zone's domain name and achieve exactly the same results:

_kerberos._udp              IN  SRV  10  0   88  kdc1
_kerberos._udp              IN  SRV  20  0   88  kdc2
_kerberos-master._udp       IN  SRV   0  0   88  kdc1
_kerberos-adm._tcp          IN  SRV   0  0  749  kdc1
_kpasswd._udp               IN  SRV   0  0  464  kdc1
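The following is an added example, not code from the original page: a small parser for the SRV lines shown above that applies the BIND9 completion rule (a name without a trailing dot gets the zone origin appended, so the relative and fully qualified forms yield identical records), splits the owner name into service, protocol and realm, and then orders the matching records the way an RFC 2782 client does, by ascending priority and by weighted random draw among records of equal priority. The records are embedded as a constructed sample; the function names are assumptions.

```python
import random
from collections import namedtuple
# Constructed sample: the relative-name form of this page's records for the example.com zone.
ZONE_ORIGIN = "example.com."
RECORDS = """
_kerberos._udp              IN  SRV  10  0   88  kdc1
_kerberos._udp              IN  SRV  20  0   88  kdc2
_kerberos-master._udp       IN  SRV   0  0   88  kdc1
_kerberos-adm._tcp          IN  SRV   0  0  749  kdc1
_kpasswd._udp               IN  SRV   0  0  464  kdc1
"""
# service/proto without the underscore; realm and target lower-cased, with trailing dot
Srv = namedtuple("Srv", "service proto realm priority weight port target")

def fqdn(name, origin):
    """BIND9 rule: a name without a trailing dot is completed with the zone origin."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin.lower()}"

def parse_srv(zone_text, origin):
    """Parse 'owner IN SRV priority weight port target' lines; other lines are skipped."""
    out = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) != 7 or f[1:3] != ["IN", "SRV"]:
            continue
        svc, proto, realm = fqdn(f[0], origin).split(".", 2)
        if not (svc.startswith("_") and proto.startswith("_")):
            raise ValueError(f"not an SRV owner name: {f[0]}")
        out.append(Srv(svc[1:], proto[1:], realm, *map(int, f[3:6]), fqdn(f[6], origin)))
    return out

def srv_order(records, service, proto, realm, rng=None):
    """RFC 2782 ordering: ascending priority, then a weighted random draw per priority
    in which weight-0 records come first in the pool and get the smallest chance."""
    rng = rng or random.Random()
    realm = fqdn(realm, "")  # case-insensitive match, trailing dot added if missing
    wanted = [r for r in records if (r.service, r.proto, r.realm) == (service, proto, realm)]
    order = []
    for prio in sorted({r.priority for r in wanted}):
        pool = sorted((r for r in wanted if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    order.append((r.target, r.port))
                    pool.remove(r)
                    break
    return order
```

With the sample above, a lookup for kerberos/udp in EXAMPLE.COM always returns kdc1 before kdc2, because their priorities (10 and 20) differ; weights only matter between records that share a priority.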

Of the different types of Kerberos service records listed here, support for one of them, _kerberos-adm._tcp, is unfortunately not yet complete. Consequently, hosts that use MIT Kerberos V client software still must have an admin_server setting in their local /etc/krb5.conf configuration file. However, since a single alias can be used for this, it is not such a terrible disadvantage. The DNS service discovery record for it is included here anyway because it is easy to do so and it can be assumed that support for it will be completed in the near future.

For Kerberos realms, DNS service discovery does have one minor limitation. Since DNS names are not case-sensitive, it is not possible, within the same DNS domain, to use DNS service discovery for two or more Kerberos realms that differ only in capitalization.

Once the correct SRV entries have been implemented, check that they are available. For instance, that the KDCs can be found:

~$ host -t SRV _kerberos._udp
_kerberos._udp.example.com has SRV record 20 0 88 kdc2.example.com.
_kerberos._udp.example.com has SRV record 10 0 88 kdc1.example.com.
~$ _

3. Further reading
  • Eastlake D, Panitz A. 1999. RFC2606 - Reserved Top Level DNS Names. The Internet Society. HTML at the Internet FAQ Archives.
  • Gulbrandsen A, Vixie P, Esibov L. 2000. RFC2782 - A DNS RR for specifying the location of services (DNS SRV). The Internet Society. HTML at the Internet FAQ Archives.
  • Kohl J, Neuman C. 1993. RFC1510 - The Kerberos Network Authentication Service (V5). HTML at the Internet FAQ Archives.

4. Sources
  • Aitchison R. 2005. Pro DNS and Bind. Apress. ISBN 1-59059-494-0. 571 pp. See pages 464-465.
  • Garman J. 2003. Kerberos, The Definitive Guide. O'Reilly & Associates, Inc. ISBN-13 978-0-596-00403-3. 253 pp. See pages 78-79.
  • Liu C, Albitz P. 2006. DNS and BIND. Fifth Edition. O'Reilly & Associates, Inc. ISBN-13 978-0-596-10057-5. 616 pp. See pages 498-500.
  • Massachusetts Institute of Technology. 1985-2007. Kerberos V5 System Administrator's Guide. HTML at the Massachusetts Institute of Technology (MIT). See section 4: Using DNS.
  • Milicchio F, Gehrke WA. 2007. Distributed Services with OpenAFS. Springer-Verlag. ISBN-13 978-3-540-36633-1. 395 pp. See page 51.
  • Ocelic D. 2006-2010. Debian GNU: Setting up MIT Kerberos 5. HTML at Spinlock Solutions. See section PAM configuration.

Last modified: 2010-11-23, 10:26

©2003-2014 RJ Systems. Permission is granted to copy, distribute and/or modify the
content of this page under the terms of the OpenContent License, version 1.0.