DNS setup for use with Kerberos

Binding the world to your domain

© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later

Index

    1. Telling the world
    2. Servicing the world
    3. An example

Telling the world

The first thing we need to tell the world is which Kerberos realm belongs to our domain. The advice for a realm name is to use the uppercase version of your domain name. The easiest way to publish the realm name for your domain is DNS, since DNS already exists to tell the world which servers and services your network offers. The realm name is provided by a TXT record called _kerberos. For the example.com domain that looks like this:

$ORIGIN example.com.
_kerberos               TXT     "EXAMPLE.COM"

Servicing the world

The SRV records defined for Kerberos use are:

_kerberos._udp
The default port is 88; this record is used to contact the KDC for almost everything.
_kerberos._tcp
The default port is 88, but the MIT KDC by default does not listen on the TCP port, so it is of no use to us (see kdc_tcp_ports in the kdc.conf file).
_kerberos-master._udp
The default port is 88, and the record should point to the KDC that sees password changes first. If a user gets a 'wrong password' from e.g. a slave KDC, this server is contacted to verify whether the password was really incorrect or whether the slave was simply not updated in time.
_kerberos-adm._tcp
The default port is 749, and the record should be used by the kadmin utilities, but our MIT version didn't support it, so you need the admin_server setting in the krb5.conf file (see later).
_kpasswd._udp
The default port is 464 on the master KDC; this record is used when a user changes his or her password.
_kerberos-iv._udp
Only used for Kerberos V4, which we do not use.

An example

$ORIGIN example.com.
_kerberos               TXT     "EXAMPLE.COM"
krb5                    A       192.168.1.5
krb5-slave1             A       192.168.1.6
krb5-slave2             A       192.168.1.7

$ORIGIN _tcp.example.com.
_kerberos-adm           SRV     0 0 749 krb5.example.com.

$ORIGIN _udp.example.com.
_kerberos               SRV     0 0 88 krb5-slave1.example.com.
                        SRV     0 0 88 krb5-slave2.example.com.
_kerberos-master        SRV     0 0 88 krb5.example.com.
_kpasswd                SRV     0 0 464 krb5.example.com.
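The TXT and SRV records from the two sections above only help clients if they are mutually consistent: the realm must be the upper-cased domain, every SRV target needs an A record, the ports must match what the clients expect, and password changes must reach the master KDC rather than a slave. The following is an added example, not part of the original page, that parses a zone fragment in the $ORIGIN style used here and runs those checks. The zone text embedded in it is constructed to mirror the example above; the port table, the function names and the check logic are this example's own assumptions, not a standard tool.

```python
"""Parse a BIND-style zone fragment carrying Kerberos discovery records
and check it for the properties a KDC operator wants to hold.
Added example; not part of the original page."""
from collections import defaultdict

# Constructed sample zone, modelled on the example in the text.
SAMPLE_ZONE = """\
$ORIGIN example.com.
_kerberos               TXT     "EXAMPLE.COM"
krb5                    A       192.168.1.5
krb5-slave1             A       192.168.1.6
krb5-slave2             A       192.168.1.7

$ORIGIN _tcp.example.com.
_kerberos-adm           SRV     0 0 749 krb5.example.com.

$ORIGIN _udp.example.com.
_kerberos               SRV     0 0 88 krb5-slave1.example.com.
                        SRV     0 0 88 krb5-slave2.example.com.
_kerberos-master        SRV     0 0 88 krb5.example.com.
_kpasswd                SRV     0 0 464 krb5.example.com.
"""

# Services a client expects, keyed by "_service._proto." with the default
# port from the list above (assumed table for this example).
EXPECTED_SRV = {
    "_kerberos._udp.": 88,
    "_kerberos-master._udp.": 88,
    "_kpasswd._udp.": 464,
    "_kerberos-adm._tcp.": 749,
}


def parse_zone(text):
    """Return {owner_fqdn: {rtype: [rdata, ...]}}.

    Handles $ORIGIN, '@', relative owner names, and a blank owner field
    (which repeats the previous owner, as zone-file syntax allows).
    Comments after ';' are stripped; TTL and class fields are not supported.
    """
    origin, owner = "", None
    records = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            owner = None
            continue
        fields = line.split()
        if not line[0].isspace():            # explicit owner field
            name = fields.pop(0)
            if name == "@":
                owner = origin
            elif name.endswith("."):
                owner = name
            else:
                owner = name + "." + origin
        elif owner is None:
            raise ValueError("record with no owner to inherit: %r" % raw)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        records[owner][rtype].append(rdata)
    return records


def check_kerberos_dns(records, domain):
    """Return a list of findings; an empty list means the zone is consistent."""
    findings = []
    dom = domain.rstrip(".") + "."
    # Realm TXT record: present and equal to the upper-cased domain name.
    txts = records.get("_kerberos." + dom, {}).get("TXT", [])
    if not txts:
        findings.append("missing _kerberos TXT record for " + dom)
    else:
        realm = txts[0].strip('"')
        if realm != domain.rstrip(".").upper():
            findings.append("realm %r is not the upper-cased domain" % realm)
    # SRV records: present, on the expected port, pointing at a host with an A record.
    targets = defaultdict(set)
    for prefix, port in EXPECTED_SRV.items():
        srvs = records.get(prefix + dom, {}).get("SRV", [])
        if not srvs:
            findings.append("missing SRV record " + prefix + dom)
            continue
        for rdata in srvs:
            _prio, _weight, srv_port, target = rdata.split()
            if int(srv_port) != port:
                findings.append("%s%s uses port %s, expected %d" % (prefix, dom, srv_port, port))
            if "A" not in records.get(target, {}):
                findings.append("SRV target %s has no A record in the zone" % target)
            targets[prefix].add(target)
    # Password changes must go to the master KDC, never to a slave.
    master = targets["_kerberos-master._udp."]
    stray = targets["_kpasswd._udp."] - master if master else set()
    for host in sorted(stray):
        findings.append("_kpasswd._udp points at %s, which is not the master KDC" % host)
    return findings


if __name__ == "__main__":
    for finding in check_kerberos_dns(parse_zone(SAMPLE_ZONE), "example.com") or ["zone OK"]:
        print(finding)
```

Run it against your own zone file by swapping the text in SAMPLE_ZONE for the file contents; a pointer from _kpasswd._udp at a slave, or a realm that is not the upper-cased domain, shows up as a finding before the zone is loaded into the name server.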