Kerberos ini file modification
I have a user that cannot connect to the KE Server because they're using a different Domain Controller (DC) server that is not defined in the krb5.ini file. How do I update the file? Do I add a new [realm] statement in addition to the one already there? What's the syntax? Here's what it looks like now...
[realms]
XX.YYY.COM = {
kdc = DCSERVER1.XX.YYY.com
admin_server = DCSERVER1.XX.YYY.com
default_domain = XX.YYY.COM
}
Do I just add another Domain Controller server here? (e.g.)
XX.YYY.COM = {
kdc = DCSERVER2.XX.YYY.com
admin_server = DCSERVER2.XX.YYY.com
default_domain = XX.YYY.COM
}
And most importantly, what happens if there are many DCs? Do I need to add them all?
There's got to be a better method, no?
Comments
Hi Bryan,
Here is the sample krb5.ini (from our "Integrating KE with AD using Kerberos" document):
[libdefaults]
default_realm=INTERNAL.EXAMPLE.COM
default_tkt_enctypes=rc4-hmac des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes=rc4-hmac des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes=rc4-hmac des-cbc-md5 des-cbc-crc des3-cbc-sha1
dns_lookup_kdc=true
noaddress=false
kdc_req_checksum_type=2
ccache_type=2
ticket_lifetime=600
[realms]
INTERNAL.EXAMPLE.COM = {
kdc = AD01.INTERNAL.EXAMPLE.COM
admin_server = AD01.INTERNAL.EXAMPLE.COM
default_domain = INTERNAL.EXAMPLE.COM
}
CHILD1.INTERNAL.EXAMPLE.COM = {
kdc = PROLDAP01.CHILD1.INTERNAL.EXAMPLE.COM
admin_server = PROLDAP01.CHILD1.INTERNAL.EXAMPLE.COM
default_domain = CHILD1.INTERNAL.EXAMPLE.COM
}
[domain_realm]
.internal.example.com = INTERNAL.EXAMPLE.COM
Internal.example.com = INTERNAL.EXAMPLE.COM
.child1.internal.example.com = CHILD1.INTERNAL.EXAMPLE.COM
child1.internal.example.com = CHILD1.INTERNAL.EXAMPLE.COM
[appdefaults]
Autologin = true
Forward = true
Forwardable = true
Encrypt = true
Here you can see how the child, or additional, domain should be specified. When users log in via the non-default domain they will need to include their full domain name when logging in, so:
-removed- // Password
Thanks,
Matt
---
Note: Some information in this post has been hidden to protect privacy.
Hi Matt,
How are you? Hope all's well, and thanks for your response.
I have seen that info and what I've gathered is that there are multiple "children" servers per domain. Correct me if I'm wrong, but although there's only one default domain, there can be many children (or logon servers) per domain. The question is: "Does each one of the CHILD domain servers need to be included in the krb5.ini file to ensure that all possible KES user logins are successful?" BTW: that is my assumption, and I was hoping there's a better method.
We have lots of domain servers, and it'd be a nightmare to manually manage from a 'krb5.ini' file.
Hey Bryan,
Well, the child portion is for child, or sub-, domains. So let's say your default realm is 'JNJ.com'. Next, the users are subdivided into child realms. So for instance you would be in NorthAmerica.JNJ.com. Let's say there is a user based in Africa; thus they would get placed in the child realm of Africa.JNJ.com.
You need to represent at least one Domain Controller for each of these sub, or child, realms in the [realms] and [domain_realms] sections.
Regards,
Matt
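To make the realm layout in this thread concrete, here is an added example (not from the original posts or from the KE product) that parses a krb5.ini-style [realms]/[domain_realm] text and resolves which realm, and therefore which KDCs, a given host name maps to. It assumes a constructed krb5.ini modelled on Matt's JNJ.com / Africa.JNJ.com scenario with placeholder host names, and shows that the kdc tag can simply be repeated inside one realm stanza to list more than one domain controller.

```python
# Constructed krb5.ini text modelled on the thread's example; hostnames are placeholders.
SAMPLE_KRB5_INI = """\
[realms]
JNJ.COM = {
  kdc = dc1.jnj.com
  kdc = dc2.jnj.com
}
AFRICA.JNJ.COM = {
  kdc = dc1.africa.jnj.com
}
[domain_realm]
.jnj.com = JNJ.COM
.africa.jnj.com = AFRICA.JNJ.COM
"""

def parse_krb5_ini(text):
    """Parse [realms] and [domain_realm]; realms[R]['kdc'] is a list (one line per DC)."""
    realms, domain_realm, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # '#' starts a comment in krb5 config files
        if not line:
            continue
        if line.startswith('['):
            section = line.strip('[]').lower()
        elif section == 'realms':
            if line.endswith('{'):              # "REALM = {" opens a realm stanza
                realm = line[:-1].strip(' =')
                realms[realm] = {'kdc': []}
            elif line == '}':
                realm = None
            else:
                key, _, value = line.partition('=')
                key, value = key.strip(), value.strip()
                if key == 'kdc':
                    realms[realm]['kdc'].append(value)   # repeated tag: extra DC
                else:
                    realms[realm][key] = value
        elif section == 'domain_realm':
            key, _, value = line.partition('=')
            domain_realm[key.strip().lower()] = value.strip()
    return realms, domain_realm

def realm_for_host(hostname, domain_realm, default_realm):
    """Resolve a host via [domain_realm]: exact name first, then the longest dotted parent domain."""
    labels = hostname.lower().split('.')
    for name in [hostname.lower()] + ['.' + '.'.join(labels[i:]) for i in range(1, len(labels))]:
        if name in domain_realm:
            return domain_realm[name]
    return default_realm   # no mapping at all: the library falls back to default_realm
```

In the MIT and Java Kerberos libraries, a realm that has no kdc lines at all in [realms] is located through DNS SRV records when dns_lookup_kdc=true (as in Matt's sample), which is the usual way to avoid hand-maintaining a list of every domain controller.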