× Welcome to the Centrify Community! Looking for Express & Smart Card Help? Click Here

Exclude certain entries in krb5.conf from being added automatically

Showing results for 
Search instead for 
Do you mean 
Reply
Participant III
Posts: 15
Registered: ‎07-08-2015
#1 of 2 165
Accepted Solution

Exclude certain entries in krb5.conf from being added automatically

Dear community,

 

We use the centrify agent feature to automatically create and manage /etc/krb5.conf. This is working beautifully.

However, we have a "heritage"  in our AD infrastructure, that leads to an auto-discovered entry in the [domain_realm] part of the config file, which we would like to exclude from /etc/krb5.conf.

 

The automatic discovery enters a mapping entry (among many others) like:

prod.company.com = company.com

This entry is preventing ssh connections from serverA.prod.company.com to serverB.eng.company.com

Reason is, that serverB.eng.company.com will not be found , since prod.company.com is claiming to be the top-domain for company.com (that's at least my understanding).

 

If I delete this single line, everything is working perfectly. Now, I could deactivate the automatic management of /ect/krb5.conf, but I'd rather exclude this single line and keep the auto-management, if possible... Is there a way to achieve this?

 

Just to make it clear: Centrify is doing the right thing to add this entry and it is solely due to our historic misconfiguration, that this is happening. However, doing the right thing and "cleaning up the mess" will be expensive :-(

 

Thanks a lot for any helpful ideas.

Kind regards Jens

 

Centrify Guru I
Posts: 1,698
Registered: ‎07-26-2012
#2 of 2 163

Re: Exclude certain entries in krb5.conf from being added automatically

@jrehn70988,

 

Welcome back to the community.

 

Like @Fel stated in this post:

http://community.centrify.com/t5/Centrify-Express/Protect-etc-krb5-conf-from-being-automatically-edi...

 

"You can tell Centrify to not automatically update your krb5.conf by changing the following configuration paramter in /etc/centrifydc/centrifydc.conf (or using the corresponding GPO):

 

adclient.krb5.autoedit: false

Make sure you uncomment and set the attribute to false.

 

Once finished, save the file and run "adreload".  Restart the Centrify service "/usr/share/centrifydc/bin/centrifydc restart" to confirm this works for you."

 

The parameter documentation is here:

https://docs.centrify.com/en/css/suite2017-html/index.html#page/Configuration_and_tuning_reference/a...

 

Please understand that once you turn this off, it's up to you to maintain the Kerberos configurations (eg. add/moves/changes of Domain Controllers), encryption levels (e.g. when functional modes are updated), etc.

 

Alternatively, if your issue is with a particular domain controller(s), you could use the dns.block parameter (or corresponding GPO)

 

https://docs.centrify.com/en/css/suite2017-html/index.html#page/Configuration_and_tuning_reference%2...

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Follow Centrify: