Skip to content

Commit b6c1168

Browse files
steveloughransteveloughran
committed
copy in AD example from "Samson Scharfrichter"
1 parent d57a3f9 commit b6c1168

File tree

1 file changed

+30
-0
lines changed

1 file changed

+30
-0
lines changed

sections/terrors.md

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -155,3 +155,33 @@ Valid starting Expires Service principal
155155
Because this was a virtual cluster, DNS/RDNS probably wasn't working, presumably kerberos
156156
didn't know what realm the host was in, and things went downhill. It just didn't show in
157157
any validation operations, merely in the classic "no TGT" error.
158+
159+
## The AD realm redirection failure
160+
161+
Real-life example:
162+
163+
* Company ACME has one ActiveDirectory domain per continent.
164+
* Domains have mutual trust enabled.
165+
* AD is also used for Kerberos authentication.
166+
* Kerberos trust is handled by a few AD servers in the "root" domain.
167+
* Hadoop cluster is running in Europe.
168+
169+
When a South American user opens a SSH session on the edge node, authentication is done by LDAP, no issue
170+
the dirty work is done by the AD servers.
171+
But when a S.A. user tries to connect to HDFS or HiveServer2, with principal `[email protected]`,
172+
then the Kerberos client must make several hops...
173+
174+
1. AD server for @SAM.ACME.COM says "no, can't create ticket for svc/[email protected]"
175+
1. AD server for @SAM.ACME.COM says "OK, I can get you a credential to @ACME.COM, see what they can do there" alas,
176+
1. There's no AD server defined in conf file for @ACME.COM
177+
1. This leads to the all to familiar message, `Fail to create credential. (63) - No service creds`
178+
179+
Of course the only thing displayed in logs was the final error message.
180+
Even after enabling the "secret" debug flags, it was not clear what the client was trying to do
181+
with all these attempts.
182+
But the tell-tale was the "following capath" comment on each hop, because `CAPATH` is actually
183+
an optional section in `krb5.conf`. Fix: add the information about cross realm authentication
184+
to the `krb5.conf` file.
185+
186+
(CAPATH coverage: [MIT](http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/capaths.html),
187+
[Redhat](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html)

0 commit comments

Comments
 (0)