[36167] in Kerberos
Multiple Realms - Filtering or pass-through ?
daemon@ATHENA.MIT.EDU (Dallin Young)
Mon Jun 2 19:41:37 2014
From: "Dallin Young" <dallin.young@gmail.com>
To: <kerberos@mit.edu>
Date: Mon, 2 Jun 2014 19:41:02 -0400
Message-ID: <000301cf7ebc$1e465170$5ad2f450$@gmail.com>
MIME-Version: 1.0
Content-Language: en-us
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi All,
I'm having a lot of issues in regards to using two realms in CentOS 6.5.
Here is the information:
Active Directory (realm: USER.COMPANY.COM)
Kerberos 5 KDC (realm: SERVICE.COMPANY.COM)
All my USERS are in USER.COMPANY.COM and
SERVICES (aka: postgres, MySQL, etc.) are in SERVICE.COMPANY.COM
I need to be able to have the users and services kinit without the Fully
Qualified Realm (FQR)
Example:
root $ su - postgres
postgres $ kinit
Password for postgres@SERVICE.COMPANY.COM:
root $ su - someuser
someuser $ kinit
Password for postgres@USER.COMPANY.COM:
Reality:
root $ su - postgres
postgres $ kinit
kinit: Client 'postgres@USER.COMPANY.COM' not found in Kerberos database while getting initial credentials
I would like it to fall to the next Realm if the first does not have records
of the credentials.
I have been able to do this for shell logins using SSSD, since I have rules
in place that will check an ldap flag for users vs. services. However kinit
doesn't use PAM(lib_sssd) in anyway to apply the rules after login (su, ksu,
etc).
Please let me know if you have any suggestions on how this can be
accomplished.
Thanks in advance!
/etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = USER.COMPANY.COM
    dns_lookup_realm = True
    dns_lookup_kdc = True
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = True
    verify_ap_req_nofail = True
    udp_preference_limit = 1
    debug = True

[realms]
    # No kdc/admin_server entries: KDCs are located through DNS SRV records
    # because dns_lookup_kdc = True above.
    SERVICE.COMPANY.COM = {
    }
    USER.COMPANY.COM = {
    }

[domain_realm]
    .service.company.com = SERVICE.COMPANY.COM
    service.company.com = SERVICE.COMPANY.COM
    .user.company.com = USER.COMPANY.COM
    user.company.com = USER.COMPANY.COM

[appdefaults]
    autologin = True
    forward = True
    encrypt = True
    pam = {
        debug = True
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = True
        krb4_convert = False
    }

[capaths]
    # "." declares a direct cross-realm path with no intermediate realm.
    SERVICE.COMPANY.COM = {
        USER.COMPANY.COM = .
    }
    USER.COMPANY.COM = {
        SERVICE.COMPANY.COM = .
    }
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
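The fall-through the post asks for cannot come from krb5.conf alone: a bare kinit builds its client principal from the login name plus default_realm and stops at the KDC's first answer, so the realm has to be chosen before kinit is invoked. The following POSIX shell wrapper is an added example, not code from the original post or from MIT Kerberos. It tries the caller's short name against an ordered list of realms and advances to the next realm only when the KDC reports the client principal as unknown (the "not found in Kerberos database" reply shown in the post), which the KDC sends before kinit prompts for a password; a wrong password or an unreachable KDC stops the loop, so the user's password is never offered to a realm the user does not belong to. The realm names are the post's; the default realm order, the function names and the exit codes are this example's own assumptions.

```shell
#!/bin/sh
# kinit-fallthrough.sh: added example, not from the original post or MIT krb5.
# Tries USER@REALM for each realm in order and keeps the first one that
# issues a TGT. Assumes MIT krb5 kinit and its "not found in Kerberos
# database" wording for KDC_ERR_C_PRINCIPAL_UNKNOWN.

# Default realm order (assumption taken from the post; override via KINIT_REALMS).
KINIT_REALMS="${KINIT_REALMS:-USER.COMPANY.COM SERVICE.COMPANY.COM}"

# kinit_fallthrough USER REALM [REALM...]
# Prints the principal that obtained a ticket and returns 0 on success,
# 1 if no listed realm knows USER, 2 on any other kinit failure (bad
# password, unreachable KDC, ...), which deliberately does not fall through.
kinit_fallthrough() {
    user=$1
    shift
    for realm in "$@"; do
        # Capture stderr (kinit's error text) and drop stdout; the
        # "&& ... ||" form keeps a failing kinit from tripping "set -e".
        err=$(kinit "$user@$realm" 2>&1 >/dev/null) && status=0 || status=$?
        if [ "$status" -eq 0 ]; then
            printf '%s\n' "$user@$realm"
            return 0
        fi
        case $err in
            *"not found in Kerberos database"*)
                # Principal unknown in this realm: try the next one.
                continue
                ;;
            *)
                # Anything else (wrong password, KDC unreachable) is final.
                printf '%s\n' "$err" >&2
                return 2
                ;;
        esac
    done
    printf 'kinit-fallthrough: no realm in [%s] knows principal %s\n' "$*" "$user" >&2
    return 1
}

# Entry point when executed as a script: first argument or the login name.
main() {
    # $KINIT_REALMS is intentionally unquoted so it splits into one realm per word.
    kinit_fallthrough "${1:-$(id -un)}" $KINIT_REALMS
}

# Only run main when invoked as the script itself, so the file can also be
# sourced as a library (e.g. from a login profile).
case ${0##*/} in
    kinit-fallthrough.sh) main "$@" ;;
esac
```

Sourced from a profile (`. /usr/local/lib/kinit-fallthrough.sh; kinit_fallthrough "$(id -un)" USER.COMPANY.COM SERVICE.COMPANY.COM`) this reproduces the post's wanted behaviour for both `postgres` and `someuser` without touching default_realm. Users who exist in more than one realm get the first realm in the list, so the order should put the realm whose accounts are more sensitive first rather than relying on the KDC to disambiguate.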