[38601] in Kerberos
Re: SSH using Kerberos in 2 AD domains
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Aug 19 00:03:41 2019
To: Bruno Monteiro <Bruno.Monteiro@sk.ibm.com>, <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <c0d6f842-84b5-e36c-e0c1-164e20b765f8@mit.edu>
Date: Mon, 19 Aug 2019 00:03:22 -0400
MIME-Version: 1.0
In-Reply-To: <OF3E974915.016FDD0D-ON0025845A.0027A2F3-0025845A.0027AAFC@notes.na.collabserv.com>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
The text of this message seems to have been eaten by the mailing list
software (perhaps it was sent as an attachment?); I have it from the
moderation queue.
For historical reasons, auth_to_local rules are read from the default
realm, not the realm of the principal being authorized. So you need to
put all of the auth_to_local rules in the same subsection, and use rules
like this (from
https://web.mit.edu/kerberos/krb5-latest/doc/admin/host_config.html):
auth_to_local = RULE:[1:$1@$0](.*@DFDP\.COM)s/@DFDP\.COM$//
>
> Hi,
>
> I'm trying to SSH using Kerberos tickets on Linux machines joined to both domains (2 different domains in MS AD).
>
> Both domains work independently if I change the entry default_realm = AD.YARA.COM to default_realm = DFDP.COM
>
> Then ssh works with DFDP.COM
>
> If I change the default_realm = DFDP.COM to default_realm = AD.YARA.COM
>
> Then ssh works with AD.YARA.COM
>
>
> Here my config:
>
> cat /etc/krb5.conf
> [libdefaults]
> ignore_acceptor_hostname = true
> k5login_authoritative = false
> dns_canonicalize_hostname = false
> canonicalize = true
> allow_weak_crypto = true
> dns_lookup_realm = true
> dns_lookup_kdc = true
> dns_fallback = yes
>
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_realm = AD.YARA.COM
> #default_realm = DFDP.COM
> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
> kdc_timesync = 1
> ccache_type = 4
>
> default_tkt_enctypes = aes256-cts-hmac-sha1-96
> default_tgs_enctypes = aes256-cts-hmac-sha1-96
>
> [realms]
> DFDP.COM = {
> auth_to_local = RULE:[1:$1@$0](^.*@DFDP.COM$)
> auth_to_local = RULE:[2:$1@$0](^.*/.*@DFDP.COM$)
> user_realm = DFDP.COM
> default_domain = DFDP.COM
> }
> AD.YARA.COM = {
> default_domain = AD.YARA.COM
> admin_server = sr31022.ad.yara.com
> auth_to_local = RULE:[1:$1@$0](^.*@AD.YARA.COM$)
> auth_to_local = RULE:[2:$1@$0](^.*/.*@AD.YARA.COM$)
> user_realm = AD.YARA.COM
> }
>
> [domain_realm]
> .dfdp.com = DFDP.COM
> dfdp.com = DFDP.COM
> .ad.yara.com = AD.YARA.COM
> ad.yara.com = AD.YARA.COM
>
>
> Can we not have a config that works with BOTH domains at the same time without needing to change the default_realm in [libdefaults]?
>
> Or is it not supported?
>
> Regards,
> Bruno
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
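The mechanics behind Greg's answer (the rule list is read from the default realm's [realms] subsection, whatever realm the principal belongs to, and a rule without an s/// substitution leaves the realm in the local name) are easier to see by running them. The script below is an added example written for this archive page; it is not krb5 code and not part of the thread. It re-implements the documented RULE syntax (n-component selection, $0/$1 formatting, a matching regex that must cover the whole string, sequential s/pattern/replacement/[g] substitutions, and the DEFAULT rule) with Python's re instead of the POSIX regexec() krb5 uses, assumes no escaped '/' inside a substitution, and uses the realm names from Bruno's config with constructed principal names.

```python
"""Model of MIT krb5 auth_to_local RULE evaluation (added example, not krb5 code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    ncomp: int                         # number of principal components the rule requires
    fmt: str                           # selection string: $0 = realm, $1.. = components
    regex: Optional[str]               # matching regex (whole string must match) or None
    subs: List[Tuple[str, str, bool]]  # (pattern, replacement, global) applied in order


def parse_rule(text: str) -> Rule:
    """Parse 'RULE:[n:fmt](regex)s/pat/repl/g...'; regex and substitutions are optional."""
    if not text.startswith("RULE:"):
        raise ValueError("not a RULE: entry: %r" % text)
    m = re.match(r"\[(\d+):([^\]]*)\]", text[5:])
    if m is None:
        raise ValueError("bad selection part in %r" % text)
    ncomp, fmt, rest = int(m.group(1)), m.group(2), text[5 + m.end():]

    regex = None
    if rest.startswith("("):
        depth = 0                      # find the ')' that closes the matching part
        for i, ch in enumerate(rest):
            if ch == "(" and not (i and rest[i - 1] == "\\"):
                depth += 1
            elif ch == ")" and rest[i - 1] != "\\":
                depth -= 1
                if depth == 0:
                    break
        else:
            raise ValueError("unterminated regex in %r" % text)
        regex, rest = rest[1:i], rest[i + 1:]

    subs = []
    while rest.startswith("s/"):       # assumption: no escaped '/' inside s///
        parts = rest[2:].split("/", 2)
        if len(parts) != 3:
            raise ValueError("bad substitution in %r" % text)
        pat, repl, rest = parts
        glob = rest.startswith("g")
        if glob:
            rest = rest[1:]
        subs.append((pat, repl, glob))
    if rest:
        raise ValueError("trailing text %r in %r" % (rest, text))
    return Rule(ncomp, fmt, regex, subs)


def split_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into components and realm (no escaping handled)."""
    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal %r has no realm" % principal)
    return name.split("/"), realm


def apply_rule(rule: Rule, principal: str) -> Optional[str]:
    """Local name produced by one RULE, or None when the rule does not apply."""
    comps, realm = split_principal(principal)
    if len(comps) != rule.ncomp:
        return None
    selected = re.sub(r"\$(\d+)",
                      lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1],
                      rule.fmt)
    if rule.regex is not None and re.fullmatch(rule.regex, selected) is None:
        return None
    for pat, repl, glob in rule.subs:
        selected = re.sub(pat, repl, selected, count=0 if glob else 1)
    return selected


def auth_to_local(realms: Dict[str, List[str]], default_realm: str,
                  principal: str) -> Optional[str]:
    """Map a principal the way krb5 does: the rule list comes from the DEFAULT
    realm's [realms] subsection, not the principal's realm; the first rule that
    applies wins; if none applies the mapping fails (KRB5_LNAME_NOTRANS).
    With no auth_to_local configured, krb5 behaves as if DEFAULT were listed."""
    comps, realm = split_principal(principal)
    for entry in realms.get(default_realm) or ["DEFAULT"]:
        if entry == "DEFAULT":         # one component in the default realm -> that component
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
            continue
        local = apply_rule(parse_rule(entry), principal)
        if local is not None:
            return local
    return None


# Constructed configurations using the realm names from the thread (no 2-component rules).
SPLIT = {   # as posted: one subsection per realm, no realm-stripping substitution
    "DFDP.COM": ["RULE:[1:$1@$0](^.*@DFDP.COM$)"],
    "AD.YARA.COM": ["RULE:[1:$1@$0](^.*@AD.YARA.COM$)"],
}
MERGED = {  # the suggested layout: every realm's rules under the default realm, realm stripped
    "AD.YARA.COM": [
        r"RULE:[1:$1@$0](.*@AD\.YARA\.COM)s/@AD\.YARA\.COM$//",
        r"RULE:[1:$1@$0](.*@DFDP\.COM)s/@DFDP\.COM$//",
        r"RULE:[2:$1;$2](^.*;admin$)s/;admin$//",   # doc-style rule: user/admin -> user
    ],
}

if __name__ == "__main__":
    for princ in ("bruno@AD.YARA.COM", "bruno@DFDP.COM", "bruno/admin@AD.YARA.COM"):
        print(princ, "->", auth_to_local(SPLIT, "AD.YARA.COM", princ),
              "(split) /", auth_to_local(MERGED, "AD.YARA.COM", princ), "(merged)")
```

With default_realm = AD.YARA.COM the split layout never consults the DFDP.COM subsection, so a DFDP.COM principal gets no mapping at all; the merged layout maps both realms, and the s/// part is what turns `bruno@DFDP.COM` into the bare `bruno` that a local account name needs.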