Multiple Realms - Filtering or pass-through?
Dallin Young
dallin.young at gmail.com
Mon Jun 2 19:41:02 EDT 2014
Hi All,
I'm having a lot of issues in regards to using two realms in CentOS 6.5.
Here is the information:
Active Directory (realm: USER.COMPANY.COM)
Kerberos 5 KDC (realm: SERVICE.COMPANY.COM)
All my USERS are in USER.COMPANY.COM and
SERVICES (aka: postgres, MySQL, etc.) are in SERVICE.COMPANY.COM
I need to be able to have the users and services kinit without the Fully
Qualified Realm (FQR)
Example:
root $ su - postgres
postgres $ kinit
Password for postgres@SERVICE.COMPANY.COM:
root $ su - someuser
someuser $ kinit
Password for postgres@USER.COMPANY.COM:
Reality:
root $ su - postgres
postgres $ kinit
kinit: Client 'postgres@USER.COMPANY.COM' not found in Kerberos database while getting initial credentials
I would like it to fall to the next Realm if the first does not have records
of the credentials.
I have been able to do this for shell logins using SSSD, since I have rules
in place that will check an ldap flag for users vs. services. However kinit
doesn't use PAM (lib_sssd) in any way to apply the rules after login (su, ksu,
etc.).
Please let me know if you have any suggestions on how this can be
accomplished.
Thanks in advance!
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = USER.COMPANY.COM
dns_lookup_realm = True
dns_lookup_kdc = True
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = True
verify_ap_req_nofail = True
udp_preference_limit = 1
debug = True
[realms]
SERVICE.COMPANY.COM = {
}
USER.COMPANY.COM = {
}
[domain_realm]
.service.company.com = SERVICE.COMPANY.COM
service.company.com = SERVICE.COMPANY.COM
.user.company.com = USER.COMPANY.COM
user.company.com = USER.COMPANY.COM
[appdefaults]
autologin = True
forward = True
encrypt = True
pam = {
debug = True
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = True
krb4_convert = False
}
[capaths]
SERVICE.COMPANY.COM = {
USER.COMPANY.COM = .
}
USER.COMPANY.COM = {
SERVICE.COMPANY.COM = .
}
}
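The following is an added example, not code from the poster or from MIT Kerberos. It parses a krb5.conf modelled on the one above (the kdc hostnames in it are assumptions; the posted file has empty [realms] stanzas) and reproduces the three lookups that decide the behaviour seen in the post: an unqualified principal such as the one `kinit` builds from the login name is only ever qualified with default_realm, a hostname is mapped to a realm by walking [domain_realm] the way libkrb5 does (full name, then each parent domain with and without a leading dot), and [capaths] only describes the cross-realm path between two realms once a ticket exists. Running it shows why `kinit` as postgres ends up asking USER.COMPANY.COM even though the [domain_realm] and [capaths] sections are correct.

```python
"""Added example: how libkrb5 maps names to realms from krb5.conf (not the poster's code)."""

# Constructed config modelled on the posted one; the kdc hostnames are assumptions.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = USER.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
SERVICE.COMPANY.COM = {
    kdc = kdc.service.company.com
}
USER.COMPANY.COM = {
    kdc = dc1.user.company.com
}

[domain_realm]
.service.company.com = SERVICE.COMPANY.COM
service.company.com = SERVICE.COMPANY.COM
.user.company.com = USER.COMPANY.COM
user.company.com = USER.COMPANY.COM

[capaths]
SERVICE.COMPANY.COM = {
    USER.COMPANY.COM = .
}
USER.COMPANY.COM = {
    SERVICE.COMPANY.COM = .
}
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into nested dicts.

    Handles [sections], key = value lines and brace-delimited subsections.
    Duplicate keys keep the last value, which is enough for these lookups.
    """
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == '}':
            stack.pop()
        elif stack:
            key, _, value = line.partition('=')
            key, value = key.strip(), value.strip()
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root


def qualify_principal(conf, name):
    """An unqualified name (what `kinit` with no argument uses) always gets
    default_realm appended; libkrb5 does not try the other realms."""
    if '@' in name:
        return name
    return name + '@' + conf['libdefaults']['default_realm']


def realm_for_host(conf, hostname):
    """Static [domain_realm] lookup, walking the name the way libkrb5 does:
    full host, then each parent domain with and without a leading dot."""
    mapping = {k.lower(): v for k, v in conf.get('domain_realm', {}).items()}
    cp = hostname.lower().rstrip('.')
    while cp:
        if cp in mapping:
            return mapping[cp]
        if cp.startswith('.'):
            cp = cp[1:]               # ".a.b" -> "a.b"
        elif '.' in cp:
            cp = cp[cp.index('.'):]   # "x.a.b" -> ".a.b"
        else:
            break                     # top label with no mapping: give up
    return None


def capath_is_direct(conf, client_realm, server_realm):
    """True when [capaths] says the client realm reaches the server realm directly ('.')."""
    entry = conf.get('capaths', {}).get(client_realm, {})
    return entry.get(server_realm) == '.'


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(qualify_principal(conf, 'postgres'))                  # postgres@USER.COMPANY.COM
    print(realm_for_host(conf, 'db1.service.company.com'))      # SERVICE.COMPANY.COM
    print(capath_is_direct(conf, 'USER.COMPANY.COM', 'SERVICE.COMPANY.COM'))  # True
```

The practical consequence is that realm selection for `kinit` happens before any KDC is contacted, from default_realm alone; per-account realm choice therefore has to come from the environment the account runs in (for example a per-account KRB5_CONFIG or an explicit principal argument), not from a KDC-side fallback.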