kerberos config single kdc with multiple domains

Question

we are trying to config a single kerberos server with multiple domains (its a requisite) , so I ended up creating 2 databases like that and some principals in each database (verything is fine, I can log into both database and see the diferent principals ) :

kdc.conf

[realms]
EXAMPLE1.COM =
{database_module=EXAMPLE1.COM
...}
EXAMPLE2.COM =
{database_module=EXAMPLE2.COM
...}

[dbmodules]
EXAMPLE1.COM=
{database_name=/var/kerberos/krb5kdc/principal
...}
EXAMPLE2.COM =
{database_name=/var/kerberos/krb5kdc/principal2
...}

The krb5.conf looks like that :

[realms]
EXAMPLE1.COM=
{ kdc= server.example1.com
admin_server = server.example1.com
default_domain = example1.com
...}
EXAMPLE2.COM =
{kdc= server.example2.com:61321
admin_server = server.example2.com:61321
default_domain = example2.com
...}

[domain_realm]
.example1.com = EXAMPLE1.COM
example1.com = EXAMPLE1.COM
.example2.com = EXAMPLE2.COM
example2.com = EXAMPLE2.COM

Now the problem is that kerberos seems to not accept the kdc with different realms for example2 (but it works for example1) :

kinit -V -t /tmp/krb5.example2.keytab user/example2@EXAMPLE2.com
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: user/example2@EXAMPLE2.com
Using keytab: /tmp/krb5.example2.keytab
kinit: Cannot contact any KDC for realm 'EXAMPLE2.com' while getting initial credentials

After the modifications suggested grawity by I edited the service file with systemctl edit --full krb5kdc.service and placed at the end -r EXAMPLE1 -r EXAMPLE2 and now it seems to work better but Im still getting an error I cannot understand (not sure if I should add diferent ports or what is happening) :

kinit -V -t /tmp/krb5.example2.keytab user/example2@EXAMPLE2.COM
keytab specified, forcing -k
Using default cache: /tmp/krb5cc_0
Using principal: user/example2@EXAMPLE2.COM
Using keytab: /tmp/krb5.example2.keytab
[355090] 1573732431.376189: Getting initial credentials for user/example2@EXAMPLE2.COM
[355090] 1573732431.376190: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, des-hmac-sha1, des, des-cbc-crc
[355090] 1573732431.376192: Sending unauthenticated request
[355090] 1573732431.376193: Sending request (201 bytes) to CPD4PRE.NEO4J.GENCAT.CAT
[355090] 1573732431.376194: Resolving hostname host.example2.com
[355090] 1573732431.376195: Initiating TCP connection to stream 10.53.48.79:88
[355090] 1573732431.376196: Sending TCP request to stream 10.53.48.79:88
[355090] 1573732431.376197: Received answer (218 bytes) from stream 10.53.48.79:88
[355090] 1573732431.376198: Terminating TCP connection to stream 10.53.48.79:88
[355090] 1573732431.376199: Response was not from master KDC
[355090] 1573732431.376200: Received error from KDC: -1765328370/KDC has no support for encryption type
[355090] 1573732431.376201: Getting initial credentials for user/example2@EXAMPLE2.COM
[355090] 1573732431.376202: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, des-hmac-sha1, des, des-cbc-crc
[355090] 1573732431.376204: Sending unauthenticated request
[355090] 1573732431.376205: Sending request (201 bytes) to EXAMPLE2.COM (master)
kinit: KDC has no support for encryption type while getting initial credentials

Actually I didnt read the thing about it was needed diferent ports, so I have modified it in order to use 61321 but its not pushing up any socket on that port, its just pushing the default port 88 which Im asuming is for the first (and default) realm : {kdc= server.example2.com:61321 admin_server = server.example2.com:61321

root@example1.com:/root# netstat -netapl | grep LISTEN | grep krb tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 0 9326395 362136/krb5kdc tcp6 0 0 :::88 :::* LISTEN 0 9326396 362136/krb5kdc root@example1.com:/root# ps -ef | grep -i krb root 362136 1 0 13:04 ? 00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -r EXAMPLE1.COM -r EXAMPLE2.COM root 363981 331025 0 13:08 pts/0 00:00:00 grep --color=auto -i krb

Answer 1

First, your [realms] database_module configuration does not match the [dbmodules] configuration. You have database_module=EXAMPLE1 but the actual module section is called EXAMPLE1.com.

(The configuration layout/syntax also seems really wonky. I hope that's just an artifact of copy&pasting it, and not the actual way it looks?)

---

Second, in MIT Kerberos, the KDC process (krb5-kdc) must be started with a -r parameter for each realm. If not specified, it will simply use the system-wide default_realm – it will not enumerate all configured databases.

Edit the systemd krb5-kdc.service, or the init.d script, to run:

krb5kdc -r EXAMPLE1.COM -r EXAMPLE2.COM

Unfortunately, the same cannot be achieved with MIT Kerberos' kadmind in the current versions – it only supports one database per instance. You can run multiple kadmind instances (on different TCP ports), or use kadmin.local for management.

---

Finally, your kinit doesn't actually show whether it's contacting the correct KDC in the first place. (And you didn't include any KDC logs indicating that, either.)

You can make the Kerberos clients more verbose by exporting KRB5_TRACE=/dev/stderr.

---

Also note that traditionally realm names are fully uppercase, the TLD included. So although EXAMPLE1.com is perfectly valid, it's not quite what the software expects by default. For example, if you didn't have a [domain_realm] section, clients would try to automatically map the domain to a fully-uppercase realm, not to the mixed version you currently have.