Verify the Kerberos Configuration in Rigel

When using Kerberos authentication for backups, verify the Kerberos configuration before the first backup runs. To prevent authentication failures during a backup, ensure that the DNS and Key Distribution Center (KDC) settings are correct.

To verify the Kerberos authentication for backups:

  1. Configure the DNS for Kerberos SRV records.

    • Access the DNS Management Console:

      • Depending on your DNS server (BIND, Windows DNS, etc), access the DNS management tool.

    • Create SRV records for Kerberos:

      • Add SRV records for the _kerberos._tcp service in the relevant zone (for example, EXAMPLE.COM). The target of each SRV record must be a hostname that has its own A or AAAA record, not an alias (CNAME). Kerberos realm names are conventionally written in uppercase; DNS matching itself is case-insensitive.

        Example SRV Records:

        Service    Protocol  Name            Priority  Weight  Port  Target
        _kerberos  _tcp      _kerberos._tcp  0         100     88    kdc1.example.com
        _kerberos  _tcp      _kerberos._tcp  0         100     88    kdc2.example.com
        _kerberos  _tcp      _kerberos._tcp  1         50      88    kdc3.example.com
    • Ensure that the DNS server is properly configured to handle requests for the queried domain.

    • Ensure that the DNS server can resolve the domain names associated with the Kerberos service.

  2. Ensure proper propagation.

    Allow time for DNS changes to propagate, and ensure that the DNS server is functioning properly.

    • Run the nslookup command to retrieve the Kerberos SRV records.

      • Use the following command to retrieve the Kerberos SRV records and validate the KDCs:

        nslookup -type=srv _kerberos._tcp.<domain>

        Replace <domain> with the appropriate domain for your environment (e.g. EXAMPLE.COM).

        Example:

        nslookup -type=srv _kerberos._tcp.EXAMPLE.COM
    • Check the SRV records for multiple KDCs.

      • The command should return one SRV record per KDC with its priority, weight, port, and hostname. Compare the output against the records you created: clients try the lowest priority value first, and weight distributes requests among KDCs that share the same priority.

        Example Output:

        _kerberos._tcp.EXAMPLE.COM    SRV service location:
        priority = 0
        weight = 100
        port = 88
        svr hostname = kdc1.example.com
        _kerberos._tcp.EXAMPLE.COM    SRV service location:
        priority = 0
        weight = 100
        port = 88
        svr hostname = kdc2.example.com
        _kerberos._tcp.EXAMPLE.COM    SRV service location:
        priority = 1
        weight = 50
        port = 88
        svr hostname = kdc3.example.com
    • Verify KDC reachability.

      • Test whether each KDC hostname is reachable over the network by using the ping command:

        ping <kdc-hostname>

        Example:

        ping kdc1.example.com
        ping kdc2.example.com
        ping kdc3.example.com
      • A successful ping only shows that the host answers ICMP; it does not prove that the KDC service is listening, and a failed ping can simply mean that ICMP is filtered. Where ping is inconclusive, confirm that TCP port 88 on each KDC accepts connections.

      • If all KDCs are reachable, proceed with the backup. If any KDC is unreachable, resolve the network or DNS issue before starting the backup; a single failing KDC hostname is enough to make the backup fail.

    • Check DNS resolution without an SRV lookup.

      • As a sanity check, confirm that the resolver answers for the domain by running a simple nslookup on the domain itself. Also confirm that each KDC hostname returned by the SRV lookup resolves to an IP address.

        nslookup <domain>

        Example:

        nslookup EXAMPLE.COM
    • Firewall and network configuration.

      • Ensure that the necessary DNS and Kerberos service ports are allowed through the firewall and reachable from the backup host:

        • DNS (UDP/TCP port 53)

        • Kerberos (UDP/TCP port 88)

      • Allow both UDP and TCP on port 88. Kerberos clients fall back from UDP to TCP when a reply is too large for a UDP datagram, which is common for tickets that carry large authorization data, so UDP alone is not sufficient.

      • For environments using dynamic DNS, grant the account that registers the KDC records the permissions needed to update them.
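The checks in the procedure above (SRV lookup, name resolution of each KDC, and reachability on the Kerberos port) combined into one script. This is an added example for this page, not code from the product or the original text. It assumes `dig` (from bind-utils or dnsutils), the coreutils `timeout` command, and bash for the `/dev/tcp` connect test; the realm name is passed as the first argument. It tests TCP port 88 rather than ping, because ICMP is frequently filtered while the KDC port is open, and it exits non-zero if any advertised KDC fails, matching the note above that one failing KDC hostname is enough to fail the backup.

```shell
#!/usr/bin/env bash
# check_kdcs.sh: verify Kerberos SRV records and KDC reachability for a realm.
# Added example for this page; not part of the product or the original text.
# Assumes: dig (bind-utils / dnsutils), coreutils timeout, bash for /dev/tcp.
set -u

# Normalize "priority weight port target" lines (the format `dig +short SRV`
# prints): drop the trailing dot on the target and order by priority ascending,
# then weight descending, which is the order in which a client prefers KDCs.
sort_srv() {
  sed 's/\.$//' | sort -k1,1n -k2,2nr -k4,4
}

# Resolve the _kerberos._tcp SRV records for a realm, in preference order.
resolve_kdcs() {
  dig +short SRV "_kerberos._tcp.$1" | sort_srv
}

# True if the hostname has at least one A or AAAA record.
resolves() {
  [ -n "$( { dig +short A "$1"; dig +short AAAA "$1"; } 2>/dev/null )" ]
}

# TCP connect test with a timeout (default 3 s). Unlike ping, this exercises
# the port the KDC actually listens on, so filtered ICMP does not mislead.
tcp_open() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Walk every advertised KDC for the realm; return non-zero if any one fails.
check_realm() {
  local realm=$1 failures=0 records
  records=$(resolve_kdcs "$realm")
  if [ -z "$records" ]; then
    echo "FAIL: no _kerberos._tcp.$realm SRV records returned" >&2
    return 1
  fi
  while read -r prio weight port target; do
    if ! resolves "$target"; then
      echo "FAIL: $target (priority $prio) does not resolve to an address"
      failures=$((failures + 1))
      continue
    fi
    if tcp_open "$target" "$port"; then
      echo "OK:   $target:$port (priority $prio, weight $weight)"
    else
      echo "FAIL: $target:$port (priority $prio) is not accepting TCP connections"
      failures=$((failures + 1))
    fi
  done <<EOF
$records
EOF
  [ "$failures" -eq 0 ]
}

# Usage: ./check_kdcs.sh EXAMPLE.COM
if [ $# -gt 0 ]; then
  check_realm "$1"
fi
```

Run it from the host that performs the backup, not from an administrator workstation, so that the DNS resolver and firewall path it exercises are the ones the backup will actually use.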