Cross realm authentication failing for older versions of Ubuntu

Jeremy Page jeremy.page at gilbarco.com
Thu Sep 6 13:16:50 EDT 2012


I have a config that is working on Ubuntu 10.04 and above but failing on
8.04. Any suggestions would be appreciated!

The problem is that I cannot SSH into the 8.04 machines unless I am
using an account in the same realm as the DNS suffix of the system. I am
using Windows Active Directory as both my LDAP and Kerberos server. LDAP
is using RFC2307 attributes & doing its queries against the Global
Catalog ports so it can resolve users in all the AD domains. krb5.conf
is using the defaults - we have SRV records (the ones created by AD)
which appear to be adequate. I have no keytab defined.

So for host.eng.company.com I can login (with just the UID) if I am
user1 at ENG.COMPANY.COM but user2 at COMPANY.COM or user3 at SALES.COMPANY.COM.

kinit works fine. getent/id works fine. On newer Ubuntu versions it
works as well.

For this user I cannot login interactively or SSH (host is in
"gso.company.com"):
root at gsovm-psbs03:~# getent passwd testdude
testdude:*:60222:5002113:testdude testdude:/home/testdude:/bin/bash
root at gsovm-psbs03:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testdude at COMPANY.COM

Valid starting     Expires            Service principal
09/06/12 12:58:28  09/06/12 22:58:30  krbtgt/COMPANY.COM at COMPANY.COM
    renew until 09/07/12 12:58:28


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

But for this user it works (user and machine in same DNS/Kerberos realm):
13:13:43:eng-test-admin at gsovm-psbs03>klist
Ticket cache: FILE:/tmp/krb5cc_50076
Default principal: eng-test-admin at GSO.COMPANY.COM

Valid starting     Expires            Service principal
09/06/12 13:13:42  09/06/12 23:13:42  krbtgt/GSO.COMPANY.COM at GSO.COMPANY.COM
    renew until 09/07/12 13:13:42


Kerberos 4 ticket cache: /tmp/tkt50076
klist: You have no tickets cached
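
One thing worth checking when a same-realm principal logs in but principals from the other realms do not: MIT krb5 maps an authenticated principal to a local username with the auth_to_local setting in krb5.conf ([realms] section), and its built-in DEFAULT rule only maps single-component principals in the host's default realm. The block below is an added example, not code from the post or from the krb5 project: a small Python model of that mapping, with a constructed rule set that admits one-component principals from the realms the post names and nothing else. The default realm, the rule text and the sample principals are assumptions made for the example.

```python
import re

# Added example: a model of MIT krb5's auth_to_local mapping (krb5.conf,
# [realms] section). The rule syntax is MIT's; this code is an illustration
# of its semantics, not the krb5 library itself.

# RULE:[n:string](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)(s.*)?$")


def _expand(fmt, realm, comps):
    """Build the candidate string: $0 is the realm, $1..$n the name components."""
    def sub(m):
        i = int(m.group(1))
        return realm if i == 0 else comps[i - 1]
    return re.sub(r"\$(\d+)", sub, fmt)


def _apply_sed(value, expr):
    """Apply one sed-style s/pattern/replacement/[g] expression to value."""
    delim = expr[1]
    pattern, repl, flags = (expr[2:].split(delim) + [""])[:3]
    return re.sub(pattern, repl, value, count=0 if "g" in flags else 1)


def map_principal(principal, default_realm, rules):
    """Return the local username for principal, or None when no rule maps it
    (the library reports a failed name translation and the login is refused)."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only one-component principals in the default realm,
            # which is exactly the "same realm works, others fail" behaviour.
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError(f"unsupported auth_to_local rule: {rule}")
        n, fmt, regex, sed = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if len(comps) != n:
            continue
        candidate = _expand(fmt, realm, comps)
        # MIT requires the regexp to match the whole candidate string.
        if not re.fullmatch(regex, candidate):
            continue
        if sed:
            candidate = _apply_sed(candidate, sed)
        return candidate
    return None


# Constructed values for the example: the host's realm from the post, and a
# rule that names the trusted sibling realms explicitly rather than matching
# any realm (a rule like "(.*)s/@.*//" would let every realm's "testdude" in).
DEFAULT_REALM = "GSO.COMPANY.COM"
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](^[^@]+@(COMPANY|ENG\.COMPANY|SALES\.COMPANY)\.COM$)s/@.*//",
    "DEFAULT",
]

if __name__ == "__main__":
    samples = ["testdude@GSO.COMPANY.COM", "testdude@COMPANY.COM",
               "user3@SALES.COMPANY.COM", "host/box@COMPANY.COM", "someone@EVIL.COM"]
    for p in samples:
        print(f"{p:26} DEFAULT only: {str(map_principal(p, DEFAULT_REALM, ['DEFAULT'])):9}"
              f" with rule: {map_principal(p, DEFAULT_REALM, AUTH_TO_LOCAL)}")
```

Run with `DEFAULT` alone, the model maps testdude@GSO.COMPANY.COM to testdude and refuses testdude@COMPANY.COM, which matches the pattern the post describes; with the explicit rule added, principals from the named realms map while a two-component principal or one from an unlisted realm still gets None. Keeping the realm list explicit in the regexp is the security-relevant part: a rule that strips the realm from any principal would let a same-named account in an untrusted realm log in as the local user. Separately, the post mentions that no keytab is defined; the host keytab is what lets a Kerberos PAM module verify the credentials it obtained against the host's own key, so that is worth addressing as well.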



