3.4. Kerberos

Nubus for UCS uses Kerberos to authenticate users and services across your domain. This section covers how Kerberos works, how you configure the realm, and how Nubus for UCS implements it.

3.4.1. How Kerberos works

The Key Distribution Center (KDC) is the central trust authority in a Kerberos network. When you sign in, the KDC issues a ticket that grants access to other services inside the Kerberos realm.

Tickets are valid for 8 hours by default.

Important

All systems in the Kerberos realm must have synchronized clocks. Clock skew causes authentication failures.

3.4.2. Kerberos realm

The Kerberos realm name derives from your domain name. The installer stores it in the UCR variable kerberos/realm.

Warning

You can’t change the Kerberos realm name after installation. Choose your realm name carefully.

3.4.3. Kerberos implementation in Nubus for UCS

Nubus for UCS uses the Heimdal Kerberos implementation. On UCS directory nodes without Samba/AD, Heimdal runs as a standalone service. On Samba/AD domain controllers, Samba provides Kerberos through its built-in Heimdal version.

Both UCS directory nodes and Samba/AD domain controllers access the same Kerberos data. The Univention S4 connector synchronizes between Samba/AD and OpenLDAP. For more information, see Univention S4 connector.

3.4.4. KDC selection

By default, DNS service (SRV) records determine which KDC your system uses. To override the KDC for a specific system, set the UCR variable kerberos/kdc.

When you install Samba/AD on any domain member, the DNS service record changes to advertise only the Samba/AD KDCs. In a mixed environment, use only the Samba/AD KDCs.
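
The selection order described above, as an added worked example (this is illustration code, not part of Nubus for UCS or the UCR tooling): a set value of kerberos/kdc wins, otherwise the KDCs advertised by the realm's `_kerberos._udp` SRV records are used in SRV priority order. The UCR values and the SRV answer are constructed for the example; reading kerberos/kdc as a whitespace-separated host list is an assumption, the page only says the variable overrides the KDC.

```python
"""Illustrate KDC selection: UCR override first, DNS SRV records second.

All inputs below are constructed for the example; nothing is read from a
live system or resolved via DNS.
"""
import re
from typing import Dict, List

# Constructed UCR settings, modelled as plain dicts (assumption: a real
# deployment would read these with the ucr tool).
UCR_WITH_OVERRIDE: Dict[str, str] = {
    "kerberos/realm": "EXAMPLE.COM",
    "kerberos/kdc": "dc1.example.com",
}
UCR_DNS_ONLY: Dict[str, str] = {"kerberos/realm": "EXAMPLE.COM"}

# Constructed SRV answer in zone-file style (as a resolver would print it).
# Fields after "IN SRV": priority, weight, port, target. The last record
# belongs to a different realm and must be ignored.
SRV_ANSWER = """\
_kerberos._udp.example.com. 600 IN SRV 10 100 88 backup.example.com.
_kerberos._udp.example.com. 600 IN SRV 0 50 88 dc2.example.com.
_kerberos._udp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._udp.other.test. 600 IN SRV 0 100 88 kdc.other.test.
"""

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def srv_query_name(realm: str) -> str:
    """Name a Kerberos client queries for KDCs: _kerberos._udp.<realm>.

    DNS names are case-insensitive, so the realm is lowered for comparison.
    """
    return f"_kerberos._udp.{realm.lower()}"


def parse_srv(answer: str) -> List[dict]:
    """Parse zone-file style SRV lines into dicts; skip lines that do not match."""
    records = []
    for line in answer.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "name": m["name"].rstrip(".").lower(),
            "prio": int(m["prio"]),
            "weight": int(m["weight"]),
            "port": int(m["port"]),
            "target": m["target"].rstrip("."),
        })
    return records


def kdcs_from_srv(answer: str, realm: str) -> List[str]:
    """KDC hostnames for the realm, lowest priority first, higher weight first."""
    wanted = srv_query_name(realm)
    matching = [r for r in parse_srv(answer) if r["name"] == wanted]
    matching.sort(key=lambda r: (r["prio"], -r["weight"]))
    return [r["target"] for r in matching]


def select_kdcs(ucr: Dict[str, str], srv_answer: str) -> List[str]:
    """Apply the documented precedence: kerberos/kdc, else DNS SRV records."""
    # Assumption: kerberos/kdc may hold a whitespace-separated list of hosts.
    override = ucr.get("kerberos/kdc", "").split()
    if override:
        return override
    return kdcs_from_srv(srv_answer, ucr["kerberos/realm"])


if __name__ == "__main__":
    print("override:", select_kdcs(UCR_WITH_OVERRIDE, SRV_ANSWER))
    print("from DNS:", select_kdcs(UCR_DNS_ONLY, SRV_ANSWER))
```

The DNS branch follows whatever the SRV records currently advertise, so when installing Samba/AD rewrites them to list only the Samba/AD KDCs, clients without an override switch automatically; a system with a stale kerberos/kdc value keeps using the host it names, which is the case to check when tickets stop being issued in a mixed environment.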

3.4.5. Kerberos administration server

The Kerberos administration server runs on the Primary Directory Node. It manages administrative settings for the domain. Because Nubus for UCS reads most settings directly from the LDAP directory, the server primarily manages passwords.

Use kpasswd to change passwords. This tool also updates the password in LDAP.

To configure the administration server, set the UCR variable kerberos/adminserver.