Updating the Kerberos Configuration parameters in UNAB

Article ID: 378118

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

During operation of UNAB it is possible that the topology of Active Directory changes, so that the KDC parameters in the [realms] section of the initialization file uxauth.ini, e.g.:

; ======= Kerberos configuration =====================================
[libdefaults]
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 2400
        default_realm = EXAMPLE.COM
        rdns = false

[domain_realm]

[realms]
EXAMPLE.COM = {
        master_kdc = <Machine name 1>.example.com
        kpasswd_server = <Machine name 1>.example.com
        kdc = <Machine name 1>.example.com
        kdc = <Machine name 2>.example.com

are no longer valid.

The question arises whether it is possible to update these values dynamically.

Environment

UNAB all versions

Cause

The [realms] section of the uxauth.ini file gets set whenever the endpoint is registered to Active Directory and it is not updated automatically even if the topology of Active Directory changes.

Therefore this is not changed dynamically and it will remain as is until either the endpoint is re-registered or another procedure is applied.

Resolution

The following points should be considered:

  • Outdated information in the [realms] section of uxauth.ini, under the Kerberos configuration, does not necessarily prevent communication with the actual KDC in the domain. Kerberos and UNAB are smart enough to route to the correct KDC even if part of the information is outdated or simply commented out. This may result in some delay in Kerberos authentication, but wrong entries in that part of the file do not necessarily mean failure to operate.

  • It is possible to update this section of uxauth.ini by using the command:

uxconsole -freeze

The result of running this command is that the Kerberos section of uxauth.ini is updated with a snapshot of the current AD configuration, so the KDC presently serving requests is written to the file. Please see

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-2/pam-server-control/PAM-SC-reference/utilities/uxconsole-utility-manage-unix-authentication-broker-endpoints.html

for more information regarding this option.

  • The Kerberos configuration in the uxauth.ini file can also be updated manually if the name or address of the KDC is known.

Please note that UNAB is very sensitive to correct name resolution. If in doubt, use:

uxconsole -krb -resolve

to make sure direct and reverse name resolution work properly and, if not, correct DNS or the local hosts file.
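As an added example (not code from this article or from the UNAB product), the POSIX shell script below pulls the KDC names out of the [realms] section of a uxauth.ini-style file and checks forward and reverse resolution of each with getent, the same two checks the article recommends before trusting a KDC entry. The sample file it writes is constructed, and the uxauth.ini path is an assumption.

```shell
# Added example, not the article's or UNAB's own code: list the KDC hosts in
# the [realms] section of a uxauth.ini-style file and check forward and
# reverse name resolution for each one. Needs awk and getent (Linux/UNIX).

# One host per line from kdc, master_kdc and kpasswd_server keys of [realms];
# ";" comment lines and duplicate names are dropped.
list_kdc_hosts() {
    awk '
        /^[ \t]*;/ { next }
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
        in_realms && /^[ \t]*(kdc|master_kdc|kpasswd_server)[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            if (!seen[$0]++) print
        }' "$1"
}
# 0 when the host resolves to an address and that address resolves back to a
# name, 1 otherwise: the two checks the article asks for before trusting a KDC.
check_host_resolution() {
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || { echo "FORWARD FAIL  $1"; return 1; }
    name=$(getent hosts "$addr" | awk 'NR == 1 { print $2 }')
    [ -n "$name" ] || { echo "REVERSE FAIL  $1 -> $addr"; return 1; }
    echo "OK            $1 -> $addr -> $name"
}

# Check every KDC host named in the file; non-zero if any lookup fails.
check_all_kdc_hosts() {
    rc=0
    for h in $(list_kdc_hosts "$1"); do
        check_host_resolution "$h" || rc=1
    done
    return $rc
}

# Constructed sample in the article's layout; host names are placeholders.
write_sample_ini() {
    cat > "$1" <<'EOF'
; ======= Kerberos configuration =====================================
[realms]
EXAMPLE.COM = {
        master_kdc = dc1.example.com
        kdc = dc1.example.com
        kdc = dc2.example.com
}
EOF
}

# With a path argument (e.g. the endpoint's uxauth.ini, path assumed) check
# that file; without one, just list the hosts found in the constructed sample.
if [ -n "$1" ]; then check_all_kdc_hosts "$1"
else write_sample_ini /tmp/uxauth-sample.ini; list_kdc_hosts /tmp/uxauth-sample.ini; fi
```

A non-zero exit from check_all_kdc_hosts means at least one KDC name in the file fails forward or reverse lookup, which is the condition to fix in DNS or the hosts file before re-running uxconsole -freeze.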