[38002] in Kerberos


Local realm referral failed; trying fallback realm HADOOP.COM

daemon@ATHENA.MIT.EDU (pratyush parimal)
Sat Jun 17 14:26:44 2017

From: pratyush parimal <pratyush.parimal@gmail.com>
Date: Sat, 17 Jun 2017 14:26:25 -0400
Message-ID: <CALvRNOHGTMAGj-KmJX0JJ8=yHdmoTcB3P5X-qU69-FJGaEbo2g@mail.gmail.com>
To: kerberos@mit.edu

Hi everyone,

I'm trying to set up cross-realm authentication so that a user in realm
EXAMPLE.COM can access a service in HADOOP.COM. I've added a capaths
section to my krb5.conf for the same:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = examplekdc.example.com
  admin_server = examplekdc.example.com
 }

 HADOOP.COM = {
  kdc = hadoopkdc.hadoop.com
  admin_server = hadoopkdc.hadoop.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[capaths]
 HADOOP.COM = {
  EXAMPLE.COM = .
 }


I've also added the required principal krbtgt/HADOOP.COM@EXAMPLE.COM to
both the KDCs. So far, everything is working and my application is able to
do what it needs to.

What I'm concerned about is the following line in my trace log on
EXAMPLE.COM:

[158447] 1497720267.441664: TGS request result: -1765328377/Server myservice/hadoopkdc.hadoop.com@EXAMPLE.COM not found in Kerberos database
[158447] 1497720267.441680: Local realm referral failed; trying fallback realm HADOOP.COM

My questions are the following:
(1) What exactly is this local realm referral? Is this Kerberos jargon for
cross-realm requests?
(2) Why would the local realm referral fail? How do I explicitly specify
how I want the local realm referral to occur?
(3) What is the meaning of a fallback realm? And how do I specify one?

As you can see from my krb5.conf, I haven't specified the fallback realm or
referrals explicitly, so I think Kerberos is picking up default values for
them. I want to know how I can specify them explicitly.

Thanks in advance!
Pratyush
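
Added example (not part of the original post, and not MIT krb5 code): a small Python model of how a client picks the realm for a service host from [domain_realm], following the MIT krb5.conf documentation: when no entry applies, the client first asks its own realm's KDC for a referral and, if that fails, falls back to the host name's domain portion in upper case. The function names and the extra .hadoop.com entry are assumptions made for illustration, and realm_try_domains is not modelled.

```python
# Added example: models [domain_realm] host-to-realm lookup. Not MIT krb5 code.
POSTED = """\
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""
# Assumption: an explicit entry for the service's domain is what is wanted.
WITH_HADOOP = POSTED + " .hadoop.com = HADOOP.COM\n"


def parse_domain_realm(conf_text):
    """Return the [domain_realm] relations as {lowercase name: realm}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def candidates(host):
    """Host name, then each parent domain with and without the leading dot."""
    rest = host.lower().rstrip(".")
    names = [rest]
    while "." in rest:
        rest = rest.split(".", 1)[1]
        names += ["." + rest, rest]
    return names


def resolve(host, mapping):
    """Return ('mapped', realm) or ('referral-then-fallback', fallback_realm)."""
    for name in candidates(host):
        if name in mapping:
            return ("mapped", mapping[name])
    # No entry applies: referral via the local realm first, then the fallback,
    # which is the host name's domain portion converted to upper case.
    host = host.lower().rstrip(".")
    domain = host.split(".", 1)[1] if "." in host else ""
    return ("referral-then-fallback", domain.upper())


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("with .hadoop.com", WITH_HADOOP)):
        print(label, resolve("hadoopkdc.hadoop.com", parse_domain_realm(conf)))
```

With the [domain_realm] section as posted, hadoopkdc.hadoop.com matches no entry, which corresponds to the two trace lines: a request in the local realm EXAMPLE.COM, then the fallback realm HADOOP.COM.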
