What is a Kerberos realm?
A Kerberos realm is the domain over which a Kerberos authentication server has the authority to authenticate a user, host or service. A realm name is often, but not always, the upper case version of the name of the DNS domain over which it presides.
Why Realms Matter on the Linux VDA
It is important that Kerberos on the Linux VDA is configured appropriately, so that the Citrix Broker Agent service can determine the Kerberos realm to which a given fully qualified host name is assigned. When the configuration is either incorrect or incomplete, it is very likely that the Linux VDA will not be able to register with the Delivery Controller (DDC), which ultimately prevents sessions from being launched on the VDA. In the event of registration failure, it may be:
- Reported in syslog on the Linux VDA with a message along the lines of "The Citrix Desktop Service failed to register with any delivery controller."
- Reported by a registration error message from the "Citrix Broker Service" in the Application log on the DDC
- Shown in Citrix Studio, where the registration status of the Linux VDA will appear as "Unregistered"
Note that Kerberos realm misconfiguration is only one of many reasons why a Linux VDA may fail to register with a DDC. Some of the other reasons will be discussed in a separate blog post.
How Kerberos realm mappings are specified
These mappings are either statically configured in /etc/krb5.conf on each VDA machine or, from version 1.1, can be obtained by querying DNS TXT records.
The Linux VDA tries to determine the Kerberos realm associated with a fully qualified host name from the following sources, in the following order:
- Domain-to-realm mappings within the [domain_realm] section of the krb5.conf file.
- DNS TXT records, when dns_lookup_realm in the [libdefaults] section of the krb5.conf file is set to true. Note that a true value is any of y, yes, true, t, 1 and on, and a false value is any of n, no, false, nil, 0 and off. The DNS TXT record name is generated by prefixing "_kerberos." to the fully qualified host name. If this record is not found, the name is formed by prefixing "_kerberos." to the host's domain name, then to the parent domain, and so on up to the top-level domain. For example, for the host name "ddc1.central.mycorp.net" the DNS TXT record names that would be looked up are:
  - _kerberos.ddc1.central.mycorp.net
  - _kerberos.central.mycorp.net
  - _kerberos.mycorp.net
  - _kerberos.net
- The value of default_realm within the [libdefaults] section of the krb5.conf file, provided that the domain of the fully qualified host name is the same as the domain of the machine on which the krb5.conf file is located.
- The upper case version of the domain part of the fully qualified host name.
Here is an excerpt from an example krb5.conf, where dns_lookup_realm is false and the machine on which the krb5.conf file is located is in the domain workers.acme.net.
    [libdefaults]
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}
        default_realm = SERVERS.ACME.NET
        dns_lookup_realm = false

    [domain_realm]
        workers.mycorp.net = WORKERS.MYCORP.NET
        .workers.mycorp.net = WORKERS.MYCORP.NET
        central.mycorp.net = CENTRAL.MYCORP.NET
        .central.mycorp.net = CENTRAL.MYCORP.NET
In the above example, the Linux VDA would determine the following domain-to-realm mappings. The third column of the table shows the reason for each mapping:
| domain | realm | reason |
|---|---|---|
| workers.mycorp.net | WORKERS.MYCORP.NET | krb5.conf domain_realm |
| vda1.workers.mycorp.net | WORKERS.MYCORP.NET | krb5.conf domain_realm |
| central.mycorp.net | CENTRAL.MYCORP.NET | krb5.conf domain_realm |
| ddc1.central.mycorp.net | CENTRAL.MYCORP.NET | krb5.conf domain_realm |
| vda2.workers.acme.net | SERVERS.ACME.NET | krb5.conf default_realm |
| ddc2.central.acme.net | CENTRAL.ACME.NET | upper case domain name |
Consider the same excerpt of a krb5.conf file, but this time with dns_lookup_realm set to true and the following DNS TXT records present:
| name | text |
|---|---|
| _kerberos.workers.acme.net | WORKERS.ACME.NET |
| _kerberos.central.acme.net | CENTRAL.ACME.NET |
The resulting domain realm mappings would be:
| domain | realm | reason |
|---|---|---|
| workers.mycorp.net | WORKERS.MYCORP.NET | krb5.conf domain_realm |
| vda1.workers.mycorp.net | WORKERS.MYCORP.NET | krb5.conf domain_realm |
| central.mycorp.net | CENTRAL.MYCORP.NET | krb5.conf domain_realm |
| ddc1.central.mycorp.net | CENTRAL.MYCORP.NET | krb5.conf domain_realm |
| vda2.workers.acme.net | WORKERS.ACME.NET | DNS TXT record |
| ddc2.central.acme.net | CENTRAL.ACME.NET | DNS TXT record |
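To make the lookup order concrete, here is an added example (not Citrix's or MIT Kerberos's own code) that walks the four sources in the order listed above and reproduces both tables. The krb5.conf text, the DNS TXT records and the local machine domain (workers.acme.net) are constructed from the excerpt in this post; the TXT records live in a dictionary standing in for a real DNS query, and the minimal parser only handles the section/key = value layout of the excerpt. It applies MIT-style [domain_realm] matching, an exact host entry first and then ".domain" entries walking up the parents, which generalizes the single case shown in the tables.

```python
"""Resolve a fully qualified host name to a Kerberos realm, in the article's order."""

# Boolean spellings the article lists for dns_lookup_realm.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
FALSE_VALUES = {"n", "no", "false", "nil", "0", "off"}


def parse_krb5_conf(text):
    """Minimal [section] / key = value parser, enough for the excerpt shown."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            cfg[section][key.lower()] = value  # domain keys are case-insensitive
    return cfg


def parent_domains(name):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c']: every suffix, longest first."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def realm_for_host(fqdn, cfg, txt_records, local_domain):
    """Return (realm, reason) using the four sources in the article's order."""
    host = fqdn.lower()
    domain = host.split(".", 1)[1] if "." in host else ""
    libdefaults = cfg.get("libdefaults", {})
    domain_realm = cfg.get("domain_realm", {})

    # 1. [domain_realm]: an exact host entry, then ".domain" entries walking up.
    if host in domain_realm:
        return domain_realm[host], "krb5.conf domain_realm"
    for suffix in parent_domains(domain):
        if "." + suffix in domain_realm:
            return domain_realm["." + suffix], "krb5.conf domain_realm"

    # 2. DNS TXT: _kerberos.<host>, _kerberos.<domain>, ... up to _kerberos.<tld>.
    if libdefaults.get("dns_lookup_realm", "false").lower() in TRUE_VALUES:
        for suffix in parent_domains(host):
            realm = txt_records.get("_kerberos." + suffix)
            if realm:
                return realm, "DNS TXT record"

    # 3. default_realm, only for hosts in the same domain as this machine.
    if domain and domain == local_domain.lower() and "default_realm" in libdefaults:
        return libdefaults["default_realm"], "krb5.conf default_realm"

    # 4. Last resort: the upper-cased domain part of the host name.
    return domain.upper(), "upper case domain name"


# Constructed from the article's excerpt; dns_lookup_realm is toggled below.
KRB5_CONF = """
[libdefaults]
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    default_realm = SERVERS.ACME.NET
    dns_lookup_realm = false

[domain_realm]
    workers.mycorp.net = WORKERS.MYCORP.NET
    .workers.mycorp.net = WORKERS.MYCORP.NET
    central.mycorp.net = CENTRAL.MYCORP.NET
    .central.mycorp.net = CENTRAL.MYCORP.NET
"""

# Constructed DNS TXT records standing in for a real DNS query.
TXT_RECORDS = {
    "_kerberos.workers.acme.net": "WORKERS.ACME.NET",
    "_kerberos.central.acme.net": "CENTRAL.ACME.NET",
}

HOSTS = ["workers.mycorp.net", "vda1.workers.mycorp.net", "central.mycorp.net",
         "ddc1.central.mycorp.net", "vda2.workers.acme.net", "ddc2.central.acme.net"]


def mapping_table(dns_lookup_realm):
    """Resolve every host in HOSTS with dns_lookup_realm forced to the given value."""
    cfg = parse_krb5_conf(KRB5_CONF)
    cfg["libdefaults"]["dns_lookup_realm"] = dns_lookup_realm
    return {h: realm_for_host(h, cfg, TXT_RECORDS, "workers.acme.net") for h in HOSTS}


if __name__ == "__main__":
    for setting in ("false", "true"):
        print(f"dns_lookup_realm = {setting}")
        for host, (realm, reason) in mapping_table(setting).items():
            print(f"  {host:28} {realm:22} {reason}")
```

Running the script prints the two tables from this post. The useful check for a VDA administrator is the reason column: a host that falls through to "upper case domain name" is one that neither krb5.conf nor DNS covers, and on a real machine that is where a registration failure is most likely to originate.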
Summary
If Kerberos domain-to-realm mappings are incomplete or incorrect on a Linux VDA, it is very likely that sessions cannot be launched on that VDA, so it is important to get them right.
The mappings can be specified in a number of ways, within the /etc/krb5.conf file or through DNS TXT records. Since configuring the [domain_realm] mapping section within the krb5.conf file on each VDA can be tedious and may not scale well, using DNS TXT records may be the better option.
To read more from the Linux Virtual Desktop team, check all of our posts here.