Why does "Local realm referral" fail with MIT-Kerberos?

I'm trying to set up cross-realm authentication between 2 KDC's (EXAMPLE.COM & HADOOP.COM) so that a user in realm EXAMPLE.COM can access a service in HADOOP.COM. I've added a capaths section to my krb5.conf for the same:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h 
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = { 
  kdc = examplekdc.example.com
  admin_server = examplekdc.example.com
 }

 HADOOP.COM = { 
  kdc = hadoopkdc.hadoop.com
  admin_server = hadoopkdc.hadoop.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[capaths]
 HADOOP.COM = { 
  EXAMPLE.COM = . 
 }

I've also added the required principal krbtgt/HADOOP.COM@EXAMPLE.COM to both the KDC's. So far, everything is working and my application is able to do what it needs to.

What I'm concerned about is the following line in my trace log on EXAMPLE.COM:

[158447] 1497720267.441664: TGS request result: -1765328377/Server myservice/hadoopkdc.hadoop.com@EXAMPLE.COM not found in Kerberos database
[158447] 1497720267.441680: Local realm referral failed; trying fallback realm HADOOP.COM

My questions are the following:

  1. what exactly is this local realm referral? Is this kerberos jargon for cross realm requests?
  2. why would the local realm referral fail ? How do I explicitly specify how I want the local realm referral to occur?
  3. What is the meaning of a fallback realm? And how do I specify one?

As you can see from my krb5.conf, I haven't specified the fallback realm or referrals explicitly, so I think kerberos is picking up default values for them. I want to know how I can specify them explicitly.

1 answer

  • answered 2017-06-17 18:44 Sam Hartman

    [158447] 1497720267.441664: TGS request result: -1765328377/Server myservice/hadoopkdc.hadoop.com@EXAMPLE.COM not found in Kerberos database
    

    Your client asked the KDC for the service principal. Your KDC didn't know how to find the realm for that principal. I believe that if you add an entry in the [domain_realms] section of krb5.conf used by the EXAMPLE.COM KDC with contents like

    [domain_realms]
        .hadoop.com = HADOOP.COM
    

    Then the KDC will know that hosts ending in hadoop.com are served by the HADOOP.COM realm and will try the referral itself.

    [158447] 1497720267.441680: Local realm referral failed; trying fallback realm HADOOP.COM
    

    This is produced in the try_fallback function in src/lib/krb5/krb/get_creds.c when the client gets an error from the KDC on its first request. The client is a bit more aggressive in guessing the realm of a service than the KDC, because if the client can't guess, the request will fail. The client tries HADOOP.COM because its last resort guess is to strip off the hostname and try the upper case domain name. If you configure the KDC correctly, then you'll save one request. Windows hosts are likely to care more about correct configuration of the KDC than MIT Kerberos does.