Step 2.2
Configure Kerberos
This allows vRO to authenticate via Kerberos to a Windows VM.
Location | Notes |
---|---|
vRO server | Create krb5.conf for Kerberos authentication to Windows VMs, if needed. Set the permissions on krb5.conf to 0644. |
1. Copy and paste the block below into a text editor and replace all instances of EXAMPLE.COM and example.com with YOURDOMAIN.COM and yourdomain.com. This is case sensitive: Kerberos realm names are upper case, DNS domain names are lower case.
Single Domain krb5.conf example

```ini
[libdefaults]
default_realm = EXAMPLE.COM
udp_preference_limit = 1
[realms]
EXAMPLE.COM = {
kdc = example.com
default_domain = example.com
}
[domain_realm]
.example.com=EXAMPLE.COM
example.com=EXAMPLE.COM
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
```
Multiple Domains krb5.conf example

```ini
[libdefaults]
default_realm = EXAMPLE1.COM
udp_preference_limit = 1
[realms]
EXAMPLE1.COM = {
kdc = example1.com
default_domain = example1.com
}
EXAMPLE2.COM = {
kdc = example2.com
default_domain = example2.com
}
[domain_realm]
.example1.com=EXAMPLE1.COM
example1.com=EXAMPLE1.COM
.example2.com=EXAMPLE2.COM
example2.com=EXAMPLE2.COM
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
```
2. SSH to the vRO server as user root (e.g. with PuTTY).
3. Make a backup copy of the existing krb5.conf file:

   ```sh
   cp /usr/java/jre-vmware/lib/security/krb5.conf /usr/java/jre-vmware/lib/security/krb5.conf.bak
   ```
4. Create the new krb5.conf.new file:

   ```sh
   vi /usr/java/jre-vmware/lib/security/krb5.conf.new
   ```
5. Copy and paste the contents of your text editor into the new file.
6. Press the Esc key.
7. Type :wq and press Enter to save the file.
8. Copy krb5.conf.new over krb5.conf to replace the existing file:

   ```sh
   cp /usr/java/jre-vmware/lib/security/krb5.conf.new /usr/java/jre-vmware/lib/security/krb5.conf
   ```
9. Ensure that the file has the appropriate permissions:

   ```sh
   chmod 644 /usr/java/jre-vmware/lib/security/krb5.conf
   ```
10. Repeat on every vRO appliance (or every vRA appliance, if using embedded vRO).
Configuration Notes
- In the [realms] section, the kdc = line may name the domain itself, or you may list one or more specific domain controllers by FQDN, one kdc = line per DC.
- If you configure the kdc as the domain, a domain controller is resolved from the domain's DNS records automatically.
- For a lab or non-production environment, or for a very large network with DCs spanning multiple geographic locations, it may be beneficial to specify your kdcs as specific domain controllers. However, if you name DCs explicitly, this configuration must be updated whenever DCs are removed or renamed. Weigh these factors when deciding.
- The [libdefaults] key is spelled udp_preference_limit (singular). Setting it to 1 makes the client send Kerberos traffic over TCP, which avoids UDP fragmentation of the large tickets Active Directory issues. A misspelled key is silently ignored rather than reported, so check the spelling after editing.
- The [logging] section is intended for the MIT Kerberos KDC daemons (krb5kdc and kadmind) rather than for a client; it does no harm on the vRO server but is not what controls authentication.
Example of multiple kdcs as individual domain controllers:

```ini
[realms]
EXAMPLE.COM = {
kdc = domaincontroller01.example.com
kdc = domaincontroller02.example.com
kdc = domaincontroller03.example.com
default_domain = example.com
}
```
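The following POSIX shell script is an added example, not VMware's tooling and not part of the original page. It carries out steps 3 to 9 above without hand-editing, and generates either form of [realms] stanza discussed in the Configuration Notes: the domain itself as the kdc, or a list of specific domain controllers. The JRE path is the one used in the steps above; the realm and host names are placeholders; and the rules enforced by check_krb5_conf (upper-case realm names, every [domain_realm] target having a [realms] stanza, udp_preference_limit spelled correctly) are this example's own sanity checks, not something the page or vRO performs.

```shell
#!/bin/sh
# Added example (not VMware's code): generate, sanity-check and install a
# krb5.conf for vRO. Realm specs are "REALM" (kdc = the domain itself) or
# "REALM=dc01.fqdn,dc02.fqdn" (one kdc = line per named domain controller).
# Assumption: the JRE path below is the one used in the steps on this page.
KRB5_CONF="${KRB5_CONF:-/usr/java/jre-vmware/lib/security/krb5.conf}"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# One [realms] stanza: $1 = REALM, $2.. = kdc hosts (bare domain or DC FQDNs).
realm_stanza() {
    r=$1; shift
    printf '%s = {\n' "$r"
    for kdc in "$@"; do printf '  kdc = %s\n' "$kdc"; done
    printf '  default_domain = %s\n}\n' "$(lower "$r")"
}

# Whole file on stdout: $1 = default realm, $2.. = realm specs (see header).
gen_krb5_conf() {
    default_realm=$1; shift
    printf '[libdefaults]\n  default_realm = %s\n' "$default_realm"
    # Key is udp_preference_limit (singular); 1 forces TCP so large AD tickets
    # are not fragmented. A misspelled key is silently ignored by the client.
    printf '  udp_preference_limit = 1\n\n[realms]\n'
    for spec in "$@"; do
        r=${spec%%=*}
        kdcs=${spec#*=}
        [ "$kdcs" = "$spec" ] && kdcs=$(lower "$r")   # no "=": kdc is the domain
        realm_stanza "$r" $(printf '%s' "$kdcs" | tr ',' ' ')
    done
    printf '\n[domain_realm]\n'
    for spec in "$@"; do
        r=${spec%%=*}
        printf '  .%s = %s\n  %s = %s\n' "$(lower "$r")" "$r" "$(lower "$r")" "$r"
    done
}

# Sanity checks before the file goes live: default_realm present, the UDP key
# spelled correctly, realm names upper case, and every [domain_realm] target
# backed by a [realms] stanza. Returns non-zero and explains on stderr if not.
check_krb5_conf() {
    f=$1
    grep -q '^ *default_realm = ' "$f" || { echo "$f: missing default_realm" >&2; return 1; }
    grep -q '^ *udp_preference_limit = ' "$f" || { echo "$f: udp_preference_limit not set (check spelling)" >&2; return 1; }
    awk 'BEGIN { bad = 0 }
         /^\[realms\]/       { s = 1; next }
         /^\[domain_realm\]/ { s = 2; next }
         /^\[/               { s = 0 }
         s == 1 && /= [{]$/ {
             if ($1 != toupper($1)) { print FILENAME ": realm " $1 " must be upper case" > "/dev/stderr"; bad = 1 }
             have[$1] = 1
         }
         s == 2 && NF == 3 && !($3 in have) {
             print FILENAME ": domain_realm maps to unknown realm " $3 > "/dev/stderr"; bad = 1
         }
         END { exit bad }' "$f"
}

# Octal mode of a file (GNU stat, BSD stat fallback), for the 0644 check.
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Steps 3-9 of the procedure: write .new, check it, back up, replace, chmod 644.
install_krb5_conf() {
    target=$1; shift
    gen_krb5_conf "$@" > "$target.new" || return 1
    check_krb5_conf "$target.new" || { rm -f "$target.new"; return 1; }
    [ -f "$target" ] && cp -p "$target" "$target.bak"
    cp "$target.new" "$target" && chmod 644 "$target" && rm -f "$target.new"
}

# Stand-alone demo: print the multi-realm form to stdout (writes no files).
# On the vRO appliance, as root:  install_krb5_conf "$KRB5_CONF" EXAMPLE.COM EXAMPLE.COM
gen_krb5_conf EXAMPLE1.COM EXAMPLE1.COM=domaincontroller01.example1.com,domaincontroller02.example1.com EXAMPLE2.COM
```

The check runs before the backup is taken, so a file that fails validation never replaces the working krb5.conf and leaves no stray .new file behind; rerun install_krb5_conf on every vRO (or vRA with embedded vRO) appliance, as step 10 requires.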