ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakh_5.4.0.1/rzakhdefinerealmsdns.htm

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Define realms in the DNS database" />
<meta name="abstract" content="Define realms in the DNS database to resolve host names." />
<meta name="description" content="Define realms in the DNS database to resolve host names." />
<meta name="DC.Relation" scheme="URI" content="rzakhmanage.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="definerealmsdns" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Define realms in the DNS database</title>
</head>
<body id="definerealmsdns"><a name="definerealmsdns"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Define realms in the DNS database</h1>
<div><p>Define realms in the DNS database to resolve host names.</p>
<div class="section"><p>Network authentication service can use the DNS server
to locate the key distribution centers (KDCs) of a realm and to determine which realm a
host name belongs to. To do this, you add a service (SRV) record for each key
distribution center in the realm and a text (TXT) record for each host name or domain
suffix that maps to the realm. The Kerberos protocol searches for an SRV record using
the realm name as the DNS search name. </p>
<p>To define realms with DNS, complete the following steps: </p>
</div>
<ol><li class="stepexpand"><span><a href="rzakhhost.htm#rzakhhost">Set the configuration file
to use DNS</a>.</span></li>
<li class="stepexpand"><span>Add SRV records to your DNS server for each KDC server in the realm. </span> The Kerberos run time searches for an SRV record by using the realm
name as the search name. Because DNS lookups are not case-sensitive, you
cannot have two different realms whose names differ only in their case. The general form of the Kerberos SRV record is as follows:<pre>_service._protocol.realm TTL class SRV priority weight port target</pre>
<p>The _kerberos service entries define KDC instances (port 88), and
_kpasswd service entries define password change service instances (port 464).</p>
<p>Entries
are tried in priority order (0 is the highest priority). Entries with the
same priority are tried in a random order that is biased toward the higher weight;
give them equal weights, or 0, when they should be tried with equal probability.
The _udp protocol records are required for _kerberos and _kpasswd entries; add the
_tcp records as well so that a reply too large for a UDP datagram can be retried
over TCP.</p>
</li>
<li class="stepexpand"><span>Add TXT records to associate host names with realm names. </span> The Kerberos protocol looks for a TXT record named _kerberos followed by the host
name. If no TXT record is found, the first (leftmost) label of the host name is removed
and the search is retried with the shortened name. This process continues until a TXT
record is found or the root is reached, so a single record for a domain covers every
host beneath it unless a more specific record exists. The owner name is matched without
regard to case, but the realm name in the record data is case-sensitive and must be
written exactly as the realm is named. The general format of a TXT record is as follows:<pre>_kerberos.name TTL class TXT realm</pre>
<p>For
our configuration example, you can define the example KDCs for the two realms
by adding the following records (the names are written fully qualified, with a
trailing period, so that a zone file does not append its $ORIGIN to them): </p>
<div class="p"><pre>_kerberos._udp.deptxyz.bogusname.com. IN SRV 0 0 88 kdc1.deptxyz.bogusname.com.
_kerberos._tcp.deptxyz.bogusname.com. IN SRV 0 0 88 kdc1.deptxyz.bogusname.com.
_kerberos._udp.deptabc.bogusname.com. IN SRV 0 0 88 kdc2.deptabc.bogusname.com.
_kerberos._tcp.deptabc.bogusname.com. IN SRV 0 0 88 kdc2.deptabc.bogusname.com.
_kpasswd._udp.deptxyz.bogusname.com. IN SRV 0 0 464 kdc1.deptxyz.bogusname.com.
_kpasswd._tcp.deptxyz.bogusname.com. IN SRV 0 0 464 kdc1.deptxyz.bogusname.com.
_kpasswd._udp.deptabc.bogusname.com. IN SRV 0 0 464 kdc2.deptabc.bogusname.com.
_kpasswd._tcp.deptabc.bogusname.com. IN SRV 0 0 464 kdc2.deptabc.bogusname.com.</pre>
</div>
<p>Following the general form of a Kerberos TXT record, the hosts in the deptxyz and
deptabc domains are associated with their respective realms by these records (the realm
is the record data, so its case is preserved): </p>
<div class="p"><pre>_kerberos.deptxyz.bogusname.com. IN TXT "DEPTXYZ.BOGUSNAME.COM"
_kerberos.deptabc.bogusname.com. IN TXT "DEPTABC.BOGUSNAME.COM"</pre>
</div>
<p>Following
is a sample <strong>krb5.conf</strong> configuration file that specifies using DNS lookup.
Keep in mind that the realm and KDC information then comes from DNS answers, which are
not authenticated unless the zone is signed with DNSSEC, so anyone who can spoof DNS for
a client can steer it to a different KDC or realm. Where that risk matters, configure the
realm in the [realms] and [domain_realm] sections and do not enable use_dns_lookup.</p>
<p><strong>Sample
krb5.conf configuration file</strong></p>
<div class="p"> <pre>; krb5.conf - Kerberos V5 configuration file DO NOT REMOVE THIS LINE
;
[libdefaults]
; The default_realm value
;-default_realm = REALM1.ROCHESTER.IBM.COM
default_realm = DEPTXYZ.BOGUSNAME.COM
; define the system to use DNS lookup
use_dns_lookup = 1

[realms]
;
; We could configure the same realm information here, but it would
; only be used if the DNS lookup failed.
;

[domain_realm]
; Convert host names to realm names. Individual host names may be
; specified. Domain suffixes may be specified with a leading period
; and will apply to all host names ending in that suffix.
;
; We will use DNS to resolve what realm a given host name belongs to.
;

[capaths]
; Configurable authentication paths define the trust relationships
; between client and servers. Each entry represents a client realm
; and consists of the trust relationships for each server that can
; be accessed from that realm. A server may be listed multiple times
; if multiple trust relationships are involved. Specify '.' for
; a direct connection.
;-REALM1.ROCHESTER.IBM.COM = {
;- REALM2.ROCHESTER.IBM.COM = .
;-}
DEPTXYZ.BOGUSNAME.COM = {
DEPTABC.BOGUSNAME.COM = .
}</pre>
</div>
</li>
</ol>
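<p>To make the lookup rules in the steps above concrete, here is an added Python model of
them. It is example code written for this page, not part of network authentication service
or any IBM product, and it consults no DNS server: the SRV and TXT data is constructed
inline from the example records above, and the names <tt>ZONE_SRV</tt>, <tt>ZONE_TXT</tt>,
<tt>realm_for_host</tt>, <tt>kdc_order</tt> and <tt>missing_udp</tt> are this example's
own. It shows the host-to-realm walk (leftmost label dropped on each miss), the
priority-then-weight ordering of KDC targets, and a check for the rule that every
_kerberos and _kpasswd name needs a _udp record.</p>

```python
"""Offline model of the DNS-based realm and KDC discovery described above.

Added example: not IBM code, and no DNS server is contacted. The zone data is
constructed from the page's example records and stands in for resolver answers.
"""
import random
from collections import defaultdict


def _fqdn(name):
    """Lower-case and fully qualify a DNS name: DNS owner matching ignores case."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


# Constructed SRV data: owner name -> [(priority, weight, port, target)].
ZONE_SRV = {
    "_kerberos._udp.deptxyz.bogusname.com.": [(0, 0, 88, "kdc1.deptxyz.bogusname.com.")],
    "_kerberos._tcp.deptxyz.bogusname.com.": [(0, 0, 88, "kdc1.deptxyz.bogusname.com.")],
    "_kerberos._udp.deptabc.bogusname.com.": [(0, 0, 88, "kdc2.deptabc.bogusname.com.")],
    "_kerberos._tcp.deptabc.bogusname.com.": [(0, 0, 88, "kdc2.deptabc.bogusname.com.")],
    "_kpasswd._udp.deptxyz.bogusname.com.": [(0, 0, 464, "kdc1.deptxyz.bogusname.com.")],
    "_kpasswd._tcp.deptxyz.bogusname.com.": [(0, 0, 464, "kdc1.deptxyz.bogusname.com.")],
    "_kpasswd._udp.deptabc.bogusname.com.": [(0, 0, 464, "kdc2.deptabc.bogusname.com.")],
    "_kpasswd._tcp.deptabc.bogusname.com.": [(0, 0, 464, "kdc2.deptabc.bogusname.com.")],
}

# Constructed TXT data: owner name -> realm. The realm keeps its case; the owner does not.
ZONE_TXT = {
    "_kerberos.deptxyz.bogusname.com.": "DEPTXYZ.BOGUSNAME.COM",
    "_kerberos.deptabc.bogusname.com.": "DEPTABC.BOGUSNAME.COM",
}


def realm_for_host(host, txt=ZONE_TXT):
    """Map a host name to its realm via TXT records: query _kerberos.<host>,
    and on a miss drop the leftmost label and retry until a record is found
    or no labels remain (the root)."""
    labels = _fqdn(host).rstrip(".").split(".")
    while labels:
        owner = "_kerberos." + ".".join(labels) + "."
        if owner in txt:
            return txt[owner]
        labels = labels[1:]
    return None


def kdc_order(realm, service="_kerberos", proto="_udp", srv=ZONE_SRV, rng=random):
    """Return (host, port) targets in the order a client should try them:
    ascending priority (0 first), weighted-random within equal priority."""
    by_prio = defaultdict(list)
    for prio, weight, port, target in srv.get(f"{service}.{proto}.{_fqdn(realm)}", []):
        by_prio[prio].append([weight, port, target])
    ordered = []
    for prio in sorted(by_prio):
        bucket = by_prio[prio]
        while bucket:
            total = sum(w for w, _, _ in bucket)
            if total == 0:                      # all weights 0: plain random order
                pick = rng.randrange(len(bucket))
            else:                               # weighted: first entry whose running sum passes r
                r, acc, pick = rng.random() * total, 0, 0
                for i, (w, _, _) in enumerate(bucket):
                    acc += w
                    if acc > r:
                        pick = i
                        break
            _, port, target = bucket.pop(pick)
            ordered.append((target.rstrip("."), port))
    return ordered


def missing_udp(srv=ZONE_SRV):
    """Lint: report (service, realm) pairs that have a _tcp record but no
    _udp record, which the page says is required for _kerberos and _kpasswd."""
    seen = defaultdict(set)
    for owner in srv:
        service, proto, realm = owner.split(".", 2)
        seen[(service, realm)].add(proto)
    return sorted((s, r) for (s, r), protos in seen.items()
                  if "_tcp" in protos and "_udp" not in protos)


if __name__ == "__main__":
    for host in ("myhost.deptxyz.bogusname.com", "WWW.lab.DeptABC.bogusname.com", "other.example.com"):
        print(host, "->", realm_for_host(host))
    print(kdc_order("DEPTXYZ.BOGUSNAME.COM"))
    print(kdc_order("DEPTABC.BOGUSNAME.COM", service="_kpasswd"))
    print("missing _udp:", missing_udp())
```

<p>The mixed-case host <tt>WWW.lab.DeptABC.bogusname.com</tt> shows both rules at once: the
owner name is matched case-insensitively after two labels are stripped, while the realm
returned is the upper-case spelling stored in the TXT data. To compare the model against a
live zone, query the same names with <tt>dig SRV _kerberos._udp.deptxyz.bogusname.com</tt>
and <tt>dig TXT _kerberos.deptxyz.bogusname.com</tt> and check that the targets, ports and
realm spelling agree with what you loaded.</p>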
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhmanage.htm" title="Manage network authentication service by requesting tickets, working with key table files, and administering host name resolution. You can also work with credentials files and back up configuration files.">Manage network authentication service</a></div>
</div>
</div>
</body>
</html>