|Linux System Administration|
DNS discovery for MIT Kerberos V
With regard to the administration of any appreciable number of client machines, it is often recommended to maintain a predetermined set of DNS hostname aliases (CNAME records) to refer to the Kerberos servers on a network (see above). However, the flexibility of this approach is limited.
Kerberos V introduced a new mechanism for locating services through DNS. It uses a relatively new DNS resource record type, SRV (see RFC 2782). Although DNS service discovery is not yet universally supported, it saves so much time and effort and is so easy to enable that it is always good practice to configure it. Note, however, that if DNS discovery is set up for Kerberos services but /etc/krb5.conf also lists one or more KDCs for the realm (kdc = entries in the [realms] section), then the local settings are used and no DNS queries are made for that realm: MIT Kerberos consults the SRV records only for realms that have no KDCs configured locally, and only while dns_lookup_kdc is enabled (it is by default).
1. DNS SRV RR
To configure DNS service discovery for Kerberos V, just add a number of entries to the zone file for the domain example.com, such as these in BIND9 format:
_kerberos._udp.EXAMPLE.COM.        IN SRV 10 0 88  kdc1.example.com.
_kerberos._udp.EXAMPLE.COM.        IN SRV 20 0 88  kdc2.example.com.
_kerberos-master._udp.EXAMPLE.COM. IN SRV 0  0 88  kdc1.example.com.
_kerberos-adm._tcp.EXAMPLE.COM.    IN SRV 0  0 749 kdc1.example.com.
_kpasswd._udp.EXAMPLE.COM.         IN SRV 0  0 464 kdc1.example.com.
All of these records are composed as follows (the general SRV layout from RFC 2782):
_service._protocol.realm. [TTL] IN SRV priority weight port target.
The leading underscores exist simply to avoid collisions with preexisting DNS names (underscores are not permitted in hostnames, so no host can already own these labels), while the dot between the service and the protocol name, as well as between the protocol and the realm name, is just the usual DNS label separator. A client tries records with the lowest priority value first; among records of equal priority, the weight governs how often each target is chosen, and a weight of 0 means no preference.
The realm names in the DNS resource records shown above have only been left capitalized for the sake of clarity. This does no harm, but DNS names are not case-sensitive, so they could just as well be written in lower case. Also note the trailing dots, which matter here because they stop the DNS server from appending the zone's domain name to both the owner names and their targets. Since in this case the realm name and all of the domain names are identical once written in lower case, we can instead omit the trailing dots, let BIND9 complete the names with the zone's domain name, and achieve exactly the same results:
_kerberos._udp        IN SRV 10 0 88  kdc1
_kerberos._udp        IN SRV 20 0 88  kdc2
_kerberos-master._udp IN SRV 0  0 88  kdc1
_kerberos-adm._tcp    IN SRV 0  0 749 kdc1
_kpasswd._udp         IN SRV 0  0 464 kdc1
Of the different types of Kerberos service records listed here, support for one of them, _kerberos-adm._tcp, is unfortunately not yet complete. Consequently, hosts that use MIT Kerberos V client software must still have an admin_server setting in their local /etc/krb5.conf configuration file. Since a single DNS alias can be used for this, it is not such a terrible disadvantage. The DNS service discovery record for it is included here anyway, because it is easy to do so and it can be assumed that support for it will be completed in the near future.
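The client-side counterpart of the records above, as an added example rather than a file from the original article: a minimal /etc/krb5.conf for a host that should find its KDCs through the SRV records. The realm and domain are the page's example.com ones; the admin_server alias name kerberos-admin.example.com is an assumption (any CNAME for kdc1 will do). The point is what is absent: there are no kdc = lines, because MIT Kerberos only queries DNS for a realm that has none configured locally.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    # Both settings are shown explicitly; dns_lookup_kdc is already true by
    # default in MIT Kerberos. dns_lookup_realm (host -> realm mapping via
    # TXT records) is a separate feature and stays off here.
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        # Deliberately no "kdc = ..." entries: adding even one would make the
        # client use it and skip the _kerberos._udp SRV lookup entirely.
        # admin_server is still required locally (see the text above);
        # kerberos-admin.example.com is an assumed CNAME for kdc1.
        admin_server = kerberos-admin.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

To confirm that a client is really using DNS, remove any kdc = lines, then request a ticket (kinit) while watching the resolver traffic, or run KRB5_TRACE=/dev/stderr kinit on a recent MIT release, which logs the SRV lookups it performs.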
For Kerberos realms, DNS service discovery does have one minor limitation. Since DNS entries are not case-sensitive, this means that, within the same DNS domain, it is not possible to use DNS service discovery for two or more Kerberos realms that differ only in capitalization.
Once the correct SRV entries have been implemented, check that they are available. For instance, that the KDCs can be found:
~$ host -t SRV _kerberos._udp
_kerberos._udp.example.com has SRV record 20 0 88 kdc2.example.com.
_kerberos._udp.example.com has SRV record 10 0 88 kdc1.example.com.
Here the bare name _kerberos._udp is completed from the resolver's search list (example.com); to test a specific realm without depending on /etc/resolv.conf, query the fully qualified name, e.g. host -t SRV _kerberos._udp.example.com. The order in which host prints the records is arbitrary; clients sort by priority themselves. Repeat the query for _kpasswd._udp and _kerberos-adm._tcp, and check that every target name resolves to an address.
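The checks above can be scripted. The following is an added example, not code from the original article or from MIT Kerberos: it parses BIND-style SRV records for a realm (both the fully qualified form and the abbreviated form from the zone fragments above, embedded here as constructed input), verifies that the Kerberos services carry the expected ports and FQDN targets, shows why realms differing only in case collapse into one DNS name, and orders the KDC targets the way an RFC 2782 client does (ascending priority, weighted random choice within a priority). The realm and host names are the page's example.com ones; the helper names are my own.

```python
"""Added example: lint and order Kerberos SRV records (RFC 2782)."""
import random
import re
from collections import defaultdict

# Service/protocol pairs an MIT Kerberos realm publishes, with their ports.
KERBEROS_SERVICES = {
    ("_kerberos", "_udp"): 88,
    ("_kerberos-master", "_udp"): 88,
    ("_kerberos-adm", "_tcp"): 749,
    ("_kpasswd", "_udp"): 464,
}
# Without these two, clients cannot get tickets or change passwords via DNS.
REQUIRED = {("_kerberos", "_udp"), ("_kpasswd", "_udp")}

# Constructed input: the article's zone fragments, fully qualified and abbreviated.
ZONE_FQDN = """
_kerberos._udp.EXAMPLE.COM.        IN SRV 10 0 88  kdc1.example.com.
_kerberos._udp.EXAMPLE.COM.        IN SRV 20 0 88  kdc2.example.com.
_kerberos-master._udp.EXAMPLE.COM. IN SRV 0  0 88  kdc1.example.com.
_kerberos-adm._tcp.EXAMPLE.COM.    IN SRV 0  0 749 kdc1.example.com.
_kpasswd._udp.EXAMPLE.COM.         IN SRV 0  0 464 kdc1.example.com.
"""
ZONE_SHORT = """
_kerberos._udp        IN SRV 10 0 88  kdc1
_kerberos._udp        IN SRV 20 0 88  kdc2
_kerberos-master._udp IN SRV 0  0 88  kdc1
_kerberos-adm._tcp    IN SRV 0  0 749 kdc1
_kpasswd._udp         IN SRV 0  0 464 kdc1
"""

SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(zone_text, origin="example.com."):
    """Parse SRV lines into dicts. Names are lower-cased (DNS is case-insensitive);
    names without a trailing dot get the origin appended, like BIND's $ORIGIN."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        owner, target = m["owner"].lower(), m["target"].lower()
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"
        if not target.endswith("."):
            target = f"{target}.{origin}"
        service, proto, realm = owner.split(".", 2)
        records.append({"service": service, "proto": proto, "realm": realm.rstrip("."),
                        "priority": int(m["prio"]), "weight": int(m["weight"]),
                        "port": int(m["port"]), "target": target})
    return records


def realms(records):
    """Distinct realms as DNS sees them: EXAMPLE.COM and example.com are one."""
    return {r["realm"] for r in records}


def check_realm(records, realm):
    """Return a list of problems for one realm; an empty list means it looks right."""
    realm, problems, present = realm.lower(), [], set()
    for r in records:
        if r["realm"] != realm:
            continue
        key = (r["service"], r["proto"])
        present.add(key)
        expected = KERBEROS_SERVICES.get(key)
        if expected is None:
            problems.append(f"unknown Kerberos service {key}")
        elif r["port"] != expected:
            problems.append(f"{key} uses port {r['port']}, expected {expected}")
        if "." not in r["target"].rstrip("."):
            problems.append(f"{key} target {r['target']} is not a FQDN")
    for key in REQUIRED - present:
        problems.append(f"missing {key} record")
    return problems


def kdc_order(records, realm, rng=None):
    """Order _kerberos._udp targets like an RFC 2782 client: lowest priority
    first; within one priority a weighted random pick, weight-0 entries last."""
    rng = rng or random.Random(0)
    by_prio = defaultdict(list)
    for r in records:
        if (r["service"], r["proto"], r["realm"]) == ("_kerberos", "_udp", realm.lower()):
            by_prio[r["priority"]].append(r)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(r["weight"] for r in pool)
            pick = pool[0]                      # only weight-0 entries left
            if total:
                n, running = rng.randint(0, total - 1), 0
                for pick in pool:               # first entry whose cumulative weight exceeds n
                    running += pick["weight"]
                    if n < running:
                        break
            ordered.append(pick)
            pool.remove(pick)
    return [(r["target"], r["port"]) for r in ordered]


if __name__ == "__main__":
    recs = parse_srv(ZONE_FQDN)
    print("realms:", realms(recs))
    print("problems:", check_realm(recs, "EXAMPLE.COM") or "none")
    print("KDC order:", kdc_order(recs, "EXAMPLE.COM"))
```

In practice you would feed parse_srv the output of a zone transfer or a dig/host query reformatted to the same five-field shape; the functions themselves do no network I/O, so they can run in CI against the zone file before it is loaded.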
2. See also
3. Further reading