I have a Linux web server that is looking for a Kerberos realm. I need to give it a .keypass file, which I can do. However, what's really getting me is the KDC. I cannot determine the parent KDC, and I don't know which server would be the admin server. Also, I'm not sure how to go about the process with Ktpass. Has anyone done this before, if so, how did you do it?
我有一个正在寻找Kerberos领域的Linux Web服务器。我需要给它一个.keypass文件,我可以做。然而,真正让我感到的是KDC。我无法确定父KDC,我不知道哪个服务器是管理服务器。另外,我不确定如何使用Ktpass进行此过程。有没有人以前做过这个,如果有的话,你是怎么做到的?
This has been really frustrating me as I know the architectural process, but I can't figure it out in a Windows domain with multiple DCs. The linux portion isn't a problem, I know what to do where, but I have no idea how to pull that information from Windows in a way that Tomcat can read.
这让我非常沮丧,因为我知道架构过程,但我无法在具有多个DC的Windows域中弄明白。 linux部分不是问题,我知道该怎么做,但我不知道如何以Tomcat可以读取的方式从Windows中提取该信息。
Any help would be appreciated. Thanks!
任何帮助,将不胜感激。谢谢!
1 个解决方案
#1
1
In theory, you can map any machine in an DNS domain to any kerberos realm by getting every machine involved to use the same krb5.conf file. However, in practice the machine with DNS name web.foo.com is in the realm FOO.COM.
理论上,您可以通过让所涉及的每台计算机使用相同的krb5.conf文件,将DNS域中的任何计算机映射到任何kerberos领域。但是,实际上,DNS名称为web.foo.com的计算机位于FOO.COM领域。
To find the KDC for a realm, you can generally do dns querys for these SRV records.
要查找领域的KDC,通常可以为这些SRV记录执行dns查询。
dig -t SRV _kerberos._udp.foo.com
AD supports this.
AD支持此功能。
#1
1
In theory, you can map any machine in an DNS domain to any kerberos realm by getting every machine involved to use the same krb5.conf file. However, in practice the machine with DNS name web.foo.com is in the realm FOO.COM.
理论上,您可以通过让所涉及的每台计算机使用相同的krb5.conf文件,将DNS域中的任何计算机映射到任何kerberos领域。但是,实际上,DNS名称为web.foo.com的计算机位于FOO.COM领域。
To find the KDC for a realm, you can generally do dns querys for these SRV records.
要查找领域的KDC,通常可以为这些SRV记录执行dns查询。
dig -t SRV _kerberos._udp.foo.com
AD supports this.
AD支持此功能。