Step 2.2

Configure Kerberos

This allows vRO to authenticate via Kerberos to a Windows VM.

This is typically only needed if using the Ansible Tower, Puppet Enterprise or Puppet Open Source SovLabs vRA Extensibility modules.

Location: vRO server
Notes: Create krb5.conf for Kerberos authentication to Windows VMs, if needed. Set permission on krb5.conf to 0644.

1. Copy and paste the block below into a text editor and replace all instances of EXAMPLE.COM and example.com with YOURDOMAIN.COM and yourdomain.com (case sensitive)

Single Domain krb5.conf example

[libdefaults]
  default_realm = EXAMPLE.COM
  udp_preference_limit = 1
[realms] 
  EXAMPLE.COM = {
    kdc = example.com
    default_domain = example.com
  }
[domain_realm] 
  .example.com=EXAMPLE.COM
  example.com=EXAMPLE.COM
[logging] 
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/kadmind.log
  default = SYSLOG:NOTICE:DAEMON

Multiple Domains krb5.conf example

[libdefaults]
  default_realm = EXAMPLE1.COM
  udp_preference_limit = 1
[realms] 
  EXAMPLE1.COM = {
    kdc = example1.com
    default_domain = example1.com
  }
  EXAMPLE2.COM = {
    kdc = example2.com
    default_domain = example2.com
  }
[domain_realm] 
  .example1.com=EXAMPLE1.COM
  example1.com=EXAMPLE1.COM
  .example2.com=EXAMPLE2.COM
  example2.com=EXAMPLE2.COM
[logging] 
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/kadmind.log
  default = SYSLOG:NOTICE:DAEMON 

2. SSH as user root to the vRO server (e.g. SSH via PuTTY)

3. Make a backup copy of the krb5.conf file

cp /usr/java/jre-vmware/lib/security/krb5.conf /usr/java/jre-vmware/lib/security/krb5.conf.bak

4. Create the new krb5.conf.new file

vi /usr/java/jre-vmware/lib/security/krb5.conf.new

5. Copy & paste the contents of your text editor into the new file

6. Press the Esc key on the keyboard

7. Type in :wq and press the Enter key to save the file

8. Copy krb5.conf.new to krb5.conf to overwrite the existing krb5.conf file

cp /usr/java/jre-vmware/lib/security/krb5.conf.new /usr/java/jre-vmware/lib/security/krb5.conf

9. Ensure that the file has the appropriate permissions

chmod 644 /usr/java/jre-vmware/lib/security/krb5.conf

10. Repeat if you have more than one vRO (or vRA if using embedded vRO)
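
The copy in steps 3, 8 and 9 can be gated on a sanity check of krb5.conf.new, so that a file with leftover placeholders or a realm that has no kdc never replaces the working one. The script below is an added example, not SovLabs code; the function names check_krb5_conf and install_krb5_conf are hypothetical, and it assumes the realm name is written in upper case as in the templates above.

```shell
#!/bin/sh
# Added example, not SovLabs code. Function names are hypothetical.

# check_krb5_conf FILE: return 0 if FILE passes, 1 otherwise (reasons on stderr).
check_krb5_conf() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # Step 1: every template placeholder must have been replaced.
    if grep -Eiq 'example[0-9]*\.com' "$f"; then
        echo "$f: EXAMPLE.COM placeholder still present" >&2
        return 1
    fi
    # default_realm must be set, upper case, and have a [realms] block with a
    # kdc line; every [domain_realm] target must be a realm defined in [realms].
    awk '
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }       # trim; tolerate CRLF from a paste
        /^\[/ { sec = $0; next }
        /^(#|$)/ { next }
        { n = index($0, "=")
          if (n == 0) { if ($0 == "}") blk = ""; next }
          k = substr($0, 1, n - 1); v = substr($0, n + 1)
          gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        sec == "[libdefaults]" && k == "default_realm" { dr = v }
        sec == "[realms]" && v == "{" { blk = k; known[k] = 1; next }
        sec == "[realms]" && blk != "" && k == "kdc" { haskdc[blk] = 1 }
        sec == "[domain_realm]" { target[v] = 1 }
        END {
            if (dr == "") { print "default_realm is not set"; bad = 1 }
            else if (dr != toupper(dr)) { print "default_realm is not upper case"; bad = 1 }
            else if (!(dr in haskdc)) { print "no kdc defined for " dr; bad = 1 }
            for (t in target)
                if (!(t in known)) { print "domain_realm maps to undefined realm " t; bad = 1 }
            exit bad + 0
        }' "$f" >&2
}

# install_krb5_conf NEW TARGET: steps 3, 8 and 9, refusing a file that fails the checks.
install_krb5_conf() {
    check_krb5_conf "$1" || return 1
    [ ! -e "$2" ] || cp -p "$2" "$2.bak" || return 1
    cp "$1" "$2" && chmod 644 "$2"
}
```

On the vRO server, the call is install_krb5_conf /usr/java/jre-vmware/lib/security/krb5.conf.new /usr/java/jre-vmware/lib/security/krb5.conf after sourcing the script.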


Configuration Notes

  • For the [realms] section, you may put a domain in the kdc = line, or you may specify one or more specific domain controllers by FQDN.
  • If you configure the kdc as a Domain, a Domain Controller will be resolved from the domain automatically.
  • For a lab or non-production environment, or for a very large network with DCs spanning multiple geographical locations, it might be beneficial to specify your kdcs as specific Domain Controllers. However, if you specify DCs by name, this configuration has to be updated whenever those DCs are removed or renamed. Please consider these factors in your decision.

Example of multiple kdcs as individual domain controllers:

[realms]
  EXAMPLE.COM = {
   kdc = domaincontroller01.example.com
   kdc = domaincontroller02.example.com
   kdc = domaincontroller03.example.com
   default_domain = example.com
  }