Add ability to configure more Kerberos options

jlforester · August 5, 2024, 3:15pm

Problem/Justification
I am switching to Kerberos for user auth in my lab. I have multiple domains that I support under a single Kerberos realm. I need the ability to add entries to the [domain_realm] section in the krb5.conf file. Manual changes to the file are not permanent.

Impact
Average users should see no impact from this feature as they will have no need to use it. Experienced users with advanced configuration requirements will benefit from the additional flexibility.

User Story
I see this feature being implemented as an additional input item on the Directory Services > Kerberos Settings screen with the Appdefaults Auxiliary Parameters and Libdefaults Auxiliary Parameters settings. Anything the user adds to the Domain_Realm Auxiliary Parameters would be added to the [Domain_Realm] section of /etc/krb5.conf.

william · August 5, 2024, 3:27pm

Can you elaborate on what exactly are these aux params?
We are trying to avoid such fields for newer features/improvements.

jlforester · August 5, 2024, 3:48pm

For the [domain_realm] section, each line contains a domain to Kerberos realm mapping in the form <domainname> = <realm name>. Defaults are already configured when setting up Kerberos on TrueNAS, but in my case, I had to add one line and restart the NFS service to make things work:

.prosight = LAB.LEAF

My lab is air gapped, so I’m using custom TLDs.