
Re: [Condor-users] Kerberos realm mapping problem



Liam Gretton wrote:

>> "Client not found in Kerberos database" -- this message indicates that 
>> the principal "host/host.dummy.com@xxxxxxxxx" doesn't exist in your KDC.
> 
> That's right - I'm trying to get it to map the domain dummy.com to the 
> realm REALM.COM, and host/host.dummy.com@xxxxxxxxx is a valid principal. 
> But it's the mapping I can't get to work.

Okay, I've only just noticed that REALM and dummy are, ignoring
letter-case, actually different words!  This makes a lot more sense than
it did before.

Can you get by without any kind of Condor-specific domain-to-Realm
mapping, and simply let the Kerberos libraries use the defaults in
/etc/krb5.conf?

Mine look something like this (edited for brevity):

# ---8<---

[libdefaults]
	default_realm = DOC.IC.AC.UK

	# [dwm] These used to be needed to ensure global compatibility;
	#	I think they're unnecessary now.
	# (Editor's note: single-DES enctypes are cryptographically weak and
	#  are disabled or removed in current MIT krb5 and Heimdal releases;
	#  drop these lines unless a legacy KDC genuinely requires them.)
	default_tkt_enctypes = des-cbc-crc:normal des-cbc-crc
	default_tgs_enctypes = des-cbc-crc:normal des-cbc-crc

[realms]
	DOC.IC.AC.UK = {
		default_domain = doc.ic.ac.uk
		kdc = kerberos.doc.ic.ac.uk
		kdc = kerberos1.doc.ic.ac.uk
		kdc = kerberos2.doc.ic.ac.uk
		admin_server = kerberos.doc.ic.ac.uk
	}

[domain_realm]
	# Leading dot: every host under the domain; bare name: the domain itself.
	.doc.ic.ac.uk = DOC.IC.AC.UK
	doc.ic.ac.uk = DOC.IC.AC.UK

# ---8<---

You probably won't need the [realms] section to be populated -- as
you're using Active Directory, the AD servers will publish the
appropriate magic records in DNS and the Kerberos client libraries
should be able to automatically discover them.

But note at the bottom -- a list of domain to Realm mappings.  Do you
have these set up appropriately for your local setup?

Cheers,
David
-- 
David McBride <dwm@xxxxxxxxxxxx>
Department of Computing, Imperial College, London
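The following is an added worked example, not code from either poster in this thread. It models the [domain_realm] lookup that the Kerberos client libraries perform when turning a hostname into a realm (exact host first, then each parent domain with a leading dot, then default_realm as a simplified fallback) and shows why host.dummy.com ends up as the wrong principal when the dummy.com to REALM.COM mapping is missing. The two krb5.conf fragments are constructed for illustration using the placeholder names from the thread; the parser is deliberately minimal and does not handle the nested { } blocks of a [realms] section.

```python
"""Simplified model of krb5 [domain_realm] resolution (added example)."""

from typing import Dict, Optional, Tuple

# Constructed krb5.conf fragment WITHOUT a mapping for dummy.com.
CONF_WITHOUT_MAPPING = """
[libdefaults]
    default_realm = DOC.IC.AC.UK

[domain_realm]
    .doc.ic.ac.uk = DOC.IC.AC.UK
    doc.ic.ac.uk = DOC.IC.AC.UK
"""

# Constructed fragment WITH the mapping the thread is trying to set up.
CONF_WITH_MAPPING = CONF_WITHOUT_MAPPING + """
    .dummy.com = REALM.COM
    dummy.com = REALM.COM
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse flat `key = value` sections; nested { } blocks are not supported."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def host_to_realm(hostname: str, conf: Dict[str, Dict[str, str]]) -> Tuple[Optional[str], str]:
    """Return (realm, how_matched) for HOSTNAME.

    Matching order mirrors the client libraries: the full hostname, then
    successively shorter parent domains written with a leading dot
    (".dummy.com", ".com"), and finally default_realm.  Real libraries may
    also consult DNS TXT records or issue a referral before that fallback;
    this model deliberately stops at default_realm.
    """
    host = hostname.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host], "exact"
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], suffix
    default = conf.get("libdefaults", {}).get("default_realm")
    return (default, "default_realm") if default else (None, "unmapped")


def host_principal(hostname: str, conf: Dict[str, Dict[str, str]]) -> str:
    """Service principal a client would request for HOSTNAME under CONF."""
    realm, _ = host_to_realm(hostname, conf)
    return f"host/{hostname}@{realm}"


def kdc_srv_names(realm: str) -> list:
    """DNS SRV names AD publishes (and MIT queries with dns_lookup_kdc)."""
    return [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}", f"_kpasswd._udp.{realm}"]


if __name__ == "__main__":
    for label, text in (("without", CONF_WITHOUT_MAPPING), ("with", CONF_WITH_MAPPING)):
        conf = parse_krb5_conf(text)
        print(f"{label} mapping: {host_principal('host.dummy.com', conf)}")
    print("SRV records to check:", kdc_srv_names("REALM.COM"))
```

Run stand-alone it prints the principal host/host.dummy.com@DOC.IC.AC.UK for the first configuration (a principal the REALM.COM KDC has never heard of, hence "Client not found in Kerberos database") and host/host.dummy.com@REALM.COM once the [domain_realm] lines are present. The SRV names can be checked against the AD DNS with `dig SRV _kerberos._udp.REALM.COM` to confirm the [realms] section really is optional.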