[35847] in Kerberos
multi-realm auth failing in DMZ, works for any specified default_realm
daemon@ATHENA.MIT.EDU (Jeremy Page)
Tue Mar 11 15:10:56 2014
Message-ID: <531F5FA9.5010002@gilbarco.com>
Date: Tue, 11 Mar 2014 15:10:33 -0400
From: Jeremy Page <jeremy.page@gilbarco.com>
I am trying to set up multi-realm authentication via SSH into an Ubuntu
box against a Windows 2008 AD forest with multiple AD domains/Kerberos
realms in it.
Inside our network this works as I would like, assuming users' UIDs are
unique - usera@SITE.REALM.COM and userb@REALM.COM both can authenticate
(I am logging in with uid@server so not specifying a realm).
In our DMZ I can only log in via ssh if I am in the Kerberos realm
specified as the default_realm in krb5.conf.
kinit for NON default realms *works* as long as I specify the realm,
getent/ldapsearch pulls back the correct user information. No caching
(ccreds/nscd) is on the box. I can connect to the KDCs in question (as
long as I change the default realm I can log in with any user) so I
don't see anything being blocked but it seems like something must be.
I am not sure what the next step is to troubleshoot this issue, any
suggestions would be appreciated.
Using libpam-krb5 and libnss-ldap
[libdefaults]
    default_realm = SITE.COMPANY.COM
    udp_preference_limit = 1
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    SITE.COMPANY.COM = {
        kdc = site.company.com
        admin_server = site.company.com
    }
    COMPANY.COM = {
        kdc = company.com:88
        admin_server = company.com
        default_domain = company.com
    }

[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM

[logging]
    default = SYSLOG:LOG_DEBUG

[login]
    krb4_convert = true
    krb4_get_tickets = false
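An added example (not code from the post or from MIT Kerberos) of what the posted [domain_realm] section actually maps: a small parser for the [realms] and [domain_realm] sections plus the lookup order libkrb5 uses over [domain_realm] (exact host name first, then each parent domain with a leading dot). Run on the posted entries it shows that the host site.company.com maps to COMPANY.COM through the `.company.com` entry, and that SITE.COMPANY.COM is the target of no [domain_realm] entry at all; the config text below is reconstructed from the post with the quoted-printable `=3D` decoded to `=`.

```python
# Constructed input: the poster's [realms]/[domain_realm] sections, kdc lines only,
# with the quoted-printable "=3D" decoded back to "=".
KRB5_CONF = """
[realms]
    SITE.COMPANY.COM = {
        kdc = site.company.com
    }
    COMPANY.COM = {
        kdc = company.com:88
    }
[domain_realm]
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values] or {subkey: [values]}}}; repeated keys accumulate."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # strip comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]  # new top-level section
        elif line == "}":
            stack.pop()                                # leave a { ... } subsection
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def realm_for_host(conf, host):
    """Walk [domain_realm] as libkrb5 does: exact host first, then each parent
    domain with a leading dot. None means the static map has no entry."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for cand in [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]:
        if cand in mapping:
            return mapping[cand]
    return None

def realms_without_mapping(conf):
    """Realms in [realms] that no [domain_realm] entry points to."""
    targets = {v[0] for v in conf.get("domain_realm", {}).values()}
    return [r for r in conf.get("realms", {}) if r not in targets]
```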
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos