Exclude certain entries in krb5.conf from being added automatically
04-13-2017 04:42 AM
We use the centrify agent feature to automatically create and manage /etc/krb5.conf. This is working beautifully.
However, we have a "heritage" in our AD infrastructure, that leads to an auto-discovered entry in the [domain_realm] part of the config file, which we would like to exclude from /etc/krb5.conf.
The automatic discovery enters a mapping entry (among many others) like:
prod.company.com = company.com
This entry is preventing ssh connections from serverA.prod.company.com to serverB.eng.company.com
Reason is, that serverB.eng.company.com will not be found , since prod.company.com is claiming to be the top-domain for company.com (that's at least my understanding).
If I delete this single line, everything is working perfectly. Now, I could deactivate the automatic management of /ect/krb5.conf, but I'd rather exclude this single line and keep the auto-management, if possible... Is there a way to achieve this?
Just to make it clear: Centrify is doing the right thing to add this entry and it is solely due to our historic misconfiguration, that this is happening. However, doing the right thing and "cleaning up the mess" will be expensive :-(
Thanks a lot for any helpful ideas.
Kind regards Jens
Solved! Go to Solution.
04-13-2017 05:33 AM
Welcome back to the community.
Like @Fel stated in this post:
"You can tell Centrify to not automatically update your krb5.conf by changing the following configuration paramter in /etc/centrifydc/centrifydc.conf (or using the corresponding GPO):
Make sure you uncomment and set the attribute to false.
Once finished, save the file and run "adreload". Restart the Centrify service "/usr/share/centrifydc/bin/centrifydc restart" to confirm this works for you."
The parameter documentation is here:
Please understand that once you turn this off, it's up to you to maintain the Kerberos configurations (eg. add/moves/changes of Domain Controllers), encryption levels (e.g. when functional modes are updated), etc.
Alternatively, if your issue is with a particular domain controller(s), you could use the dns.block parameter (or corresponding GPO)