Multiple Realms - Filtering or pass-through ?

Dallin Young dallin.young at gmail.com
Mon Jun 2 19:41:02 EDT 2014


Hi All, 

I'm having a lot of issues in regard to using two realms in CentOS 6.5. 

Here is the information: 

Active Directory (realm: USER.COMPANY.COM) 
Kerberos 5 KDC   (realm: SERVICE.COMPANY.COM)


All my USERS are in USER.COMPANY.COM and
SERVICES (aka: postgres, MySQL, etc.) are in SERVICE.COMPANY.COM. 
I need to be able to have the users and services kinit without the Fully
Qualified Realm (FQR). 

Example: 
root $ su - postgres 
postgres $ kinit 
Password for postgres@SERVICE.COMPANY.COM: 

root $ su - someuser 
someuser $ kinit 
Password for postgres@USER.COMPANY.COM: 

Reality: 
root $ su - postgres 
postgres $ kinit 
kinit: Client 'postgres@USER.COMPANY.COM' not found in Kerberos database while getting initial credentials 

I would like it to fall to the next Realm if the first does not have records
of the credentials. 

I have been able to do this for shell logins using SSSD, since I have rules
in place that will check an LDAP flag for users vs. services. However, kinit
doesn't use PAM (lib_sssd) in any way to apply the rules after login (su, ksu,
etc.). 

Please let me know if you have any suggestions on how this can be
accomplished. 
Thanks in advance! 

/etc/krb5.conf 

[logging] 
 default      = FILE:/var/log/krb5libs.log 
 kdc          = FILE:/var/log/krb5kdc.log 
 admin_server = FILE:/var/log/kadmind.log 

[libdefaults] 
 default_realm        = USER.COMPANY.COM 
 dns_lookup_realm     = True 
 dns_lookup_kdc       = True 
 ticket_lifetime      = 24h 
 renew_lifetime       = 7d 
 forwardable          = True 
 verify_ap_req_nofail = True 
 udp_preference_limit = 1 
 debug                = True 

[realms] 
 SERVICE.COMPANY.COM = { 
 } 
 USER.COMPANY.COM = { 
 } 

[domain_realm] 
 .service.company.com = SERVICE.COMPANY.COM 
  service.company.com = SERVICE.COMPANY.COM 
 .user.company.com    = USER.COMPANY.COM 
  user.company.com    = USER.COMPANY.COM 

[appdefaults] 
 autologin            = True 
 forward              = True 
 encrypt              = True 
 pam = { 
   debug           = True 
   ticket_lifetime = 24h 
   renew_lifetime  = 7d 
   forwardable     = True 
   krb4_convert    = False 
 } 

[capaths] 
  SERVICE.COMPANY.COM = { 
    USER.COMPANY.COM = . 
  } 
  USER.COMPANY.COM = { 
    SERVICE.COMPANY.COM = . 
  }
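The fallback behaviour asked for above, as an added example that is not part of the original post: a small kinit wrapper that tries the local account's principal in each realm in turn and only moves on when the KDC reports the client as unknown. The realm search order in REALMS and the KINIT command variable are assumptions, not anything from the poster's setup.

```shell
#!/bin/sh
# Added example, not code from the original post: a kinit wrapper that tries
# the caller's principal in each configured realm in turn. It moves to the next
# realm only when the KDC answers "not found"; any other failure (for example a
# wrong password) stops immediately, since that realm does know the principal.
# REALMS (search order) and KINIT (the command to run) are assumptions.
REALMS=${REALMS:-"USER.COMPANY.COM SERVICE.COMPANY.COM"}
KINIT=${KINIT:-kinit}

# kinit_fallback USER
#   returns 0 on the first realm where kinit succeeds,
#   1 if kinit failed for a reason other than an unknown client,
#   2 if every realm in REALMS reported the client as unknown.
kinit_fallback() {
    user=$1
    err=$(mktemp) || return 1
    for realm in $REALMS; do
        # Only stderr is captured, so kinit's password prompt still
        # reaches the terminal as usual.
        if "$KINIT" "$user@$realm" 2>"$err"; then
            echo "authenticated as $user@$realm"
            rm -f "$err"
            return 0
        fi
        case $(cat "$err") in
            *"not found in Kerberos database"*)
                # Unknown in this realm: try the next one.
                continue ;;
            *)
                # A real error (wrong password, KDC unreachable, ...): report and stop.
                cat "$err" >&2
                rm -f "$err"
                return 1 ;;
        esac
    done
    rm -f "$err"
    echo "$user: not found in any of: $REALMS" >&2
    return 2
}

if [ "$#" -eq 1 ]; then
    kinit_fallback "$1"
fi
```

Because the KDC rejects an unknown client on the initial AS-REQ, before kinit ever prompts, the password is only entered for the realm that actually holds the principal.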