
krb5.conf

MIT and Heimdal Kerberos implementations take their configuration from krb5.conf. This isn't a complete reference to the inner workings of either, but it covers some options that aren't often enabled by default and can make life a lot easier in a controlled environment (i.e., yours). Most distributions ship manual pages that describe the valid parameters, options and syntax in more detail.

default_realm

The default_realm parameter lets us specify the realm name to use whenever applications, services or users hand the Kerberos tools and libraries a principal without one. Adding the line default_realm = INCOMPLETE.IO to the [libdefaults] section causes any principal given without a realm to be treated as belonging to INCOMPLETE.IO.

Other realms may still be used if they're explicitly specified. For example, executing kinit alice@MUSICALCARRION.COM causes the default_realm setting to be ignored for that principal.

dns_lookup_kdc

When set to true, this option allows the Kerberos libraries to use DNS service discovery to locate Kerberos servers, including KDCs. The library looks up service locator resource records (SRV RRs) in DNS to find a suitable KDC or domain controller. This removes the need to maintain KDC and other server entries in the krb5.conf file on each of your hosts; the hosts simply look up the current list in DNS.

This approach doesn't support Active Directory's site-specific DNS-SD extensions, but that can be overcome a number of ways, including geo-aware DNS.

dns_canonicalize_hostname

Set true by default, this option causes the Kerberos library to use DNS to resolve a name back to its canonical (definitive) name. When requesting a service ticket, for example, the client resolves the service hostname to an IP address and then attempts to resolve that IP address back to a name, which is often not the same as the name it started with.

This allows a host with a specific SPN to have multiple DNS aliases (either A/AAAA or CNAME records) that point to the same IP address without the need for additional SPNs.

In cases where reverse DNS may not match forward DNS (often the case), or in cases where specific SPNs are provided for specific aliases, this option can be set false.

The canonicalisation section of Kerberos Basics describes canonicalisation in more detail.

rdns

Similar to the dns_canonicalize_hostname option, the rdns option controls whether reverse DNS lookups can be relied on in validating hostnames. In many cases, reverse and forward DNS zones may be controlled by different parties or may be otherwise different. This option is set true by default and can be set false to avoid relying on reverse DNS lookups.

simple example

[libdefaults]
    default_realm = INCOMPLETE.IO
    dns_lookup_kdc = true
    rdns = false
    dns_canonicalize_hostname = false
    
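As an added illustration (not part of the original page), the following Python reads a constructed copy of the [libdefaults] fragment above and shows the effect of each option on the client: how default_realm qualifies a bare principal, which SRV owner names MIT krb5 queries for the default realm when dns_lookup_kdc is true, and which of the reverse-DNS-dependent options are still at their true default. The parser is deliberately minimal and only understands the key = value lines of [libdefaults].

```python
import re

# Constructed sample input mirroring the page's "simple example"; not a real host's file.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = INCOMPLETE.IO
    dns_lookup_kdc = true
    rdns = false
    dns_canonicalize_hostname = false
"""


def parse_libdefaults(text):
    """Return the key = value pairs found in [libdefaults] as a dict.

    Lines beginning with '#' or ';' are comments; other sections are skipped.
    """
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def qualify_principal(name, conf):
    """Append @default_realm when the principal carries no explicit realm."""
    return name if "@" in name else f"{name}@{conf['default_realm']}"


def kdc_srv_names(conf):
    """SRV names MIT krb5 queries for the default realm's KDCs when dns_lookup_kdc is true."""
    if conf.get("dns_lookup_kdc", "false").lower() != "true":
        return []  # KDCs must then come from a [realms] stanza instead
    realm = conf["default_realm"]
    return [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"]


def reverse_dns_reliance(conf):
    """Options still at their true default, meaning reverse DNS is trusted for hostnames."""
    return [opt for opt in ("rdns", "dns_canonicalize_hostname")
            if conf.get(opt, "true").lower() == "true"]
```

Run reverse_dns_reliance() against a parsed production file to spot hosts where reverse zones you don't control still influence service-ticket requests.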