0

The Kerberos principals are usually defined as role/host@REALM. How is the host field used over here?

Does it enforces that only that particular host can get a Kerberos ticket whenever kinit is run?

  • If yes, then it makes sense for proper DNS to be setup.
  • If no, how is the hostname useful?

I created a principal with name xyz/garbage@REALM in the kadmin.local panel, downloaded the keytab and distributed it to a different host machine. I tried to do kinit using this keytab and it worked.

Is that the correct behavior? How do I check if my Kerberos is using DNS or not?

U880D
  • 8,601
  • 6
  • 24
  • 40
LearningToCode
  • 631
  • 1
  • 12
  • 23

1 Answers1

2

The behavior is correct and the host part is not tied to the physical host. You can roam with your keytab.

Consider that you can use different DNS zones outside of your realm names for load-balanced services sharing one http/fancyhostname.company.io@AD.COMPANY.COM in a keytab. In such a case domain_realm section is used or Kerberos Forest Search Order (KFSO) in Windows.

DNS comes into play to discover the Key Distribution Center (KDC) and make TXT lookups instead of domain_realm stuff (does not apply to Windows).

U880D
  • 8,601
  • 6
  • 24
  • 40
Michael-O
  • 18,123
  • 6
  • 55
  • 121