multi-realm auth failing in DMZ, works for any specified default_realm
Benjamin Kaduk
kaduk@MIT.EDU
Wed Mar 12 00:12:28 EDT 2014
On Tue, 11 Mar 2014, Jeremy Page wrote:
> I am trying to set up multi-realm authentication via SSH into an Ubuntu
> box against a Windows 2008 AD forest with multiple AD domains/Kerberos
> realms in it.
>
> Inside our network this works as I would like, assuming users' UIDs are
> unique - usera@SITE.REALM.COM and userb@REALM.COM both can authenticate
> (I am logging in with uid@server so not specifying a realm).
>
> In our DMZ I can only log in via ssh if I am in the Kerberos realm
> specified as the default_realm in krb5.conf.
> kinit for NON default realms *works* as long as I specify the realm,
> getent/ldapsearch pulls back the correct user information. No caching
> (ccreds/nscd) is on the box. I can connect to the KDCs in question (as
> long as I change the default realm I can log in with any user) so I
> don't see anything being blocked but it seems like something must be.
>
> I am not sure what the next step is to troubleshoot this issue, any
> suggestions would be appreciated.
I am not sure that I correctly understand the problem, particularly the
bits with ssh, but the kinit part is probably easier to debug.
I assume that the kinit is happening on the Ubuntu box. What version of
Ubuntu (in particular, what version of the krb5-user package) is in use?
One possibility is that DNS lookups which are being used to determine a
realm or the location of KDCs for a realm are failing in the DMZ. You may
gain some insight into what operations are being attempted by running
a command like:
PERFLUENCE-PRIME:~ kaduk$ KRB5_TRACE=/dev/stdout ~/dest/bin/kinit kaduk@CSAIL.MIT.EDU
(my default realm is ATHENA.MIT.EDU), which prints output like this:
[55550] 1394594166.72935: Getting initial credentials for kaduk@CSAIL.MIT.EDU
[55550] 1394594166.74345: Sending request (169 bytes) to CSAIL.MIT.EDU
[55550] 1394594166.109650: Resolving hostname alsatian.csail.mit.edu.
[55550] 1394594166.142357: Sending initial UDP request to dgram 128.30.2.172:88
[55550] 1394594166.162827: Received answer (176 bytes) from dgram 128.30.2.172:8
-Ben Kaduk
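As an added example (not part of the thread or of MIT krb5), here is a small Python script that reduces a KRB5_TRACE transcript like the one Ben shows into the realm being asked for, the KDCs that were resolved and contacted, and a one-line verdict telling the DMZ and non-DMZ cases apart. The three sample traces are constructed from the message types visible in the quoted output; pids, timestamps, addresses and REALM.COM are made up.

```python
import re

# Constructed sample traces, modelled on the KRB5_TRACE lines quoted above.
# Pids, timestamps and addresses are made up; REALM.COM is a hypothetical
# non-default realm of the kind the original question describes.
TRACE_OK = """\
[55550] 1394594166.72935: Getting initial credentials for kaduk@CSAIL.MIT.EDU
[55550] 1394594166.74345: Sending request (169 bytes) to CSAIL.MIT.EDU
[55550] 1394594166.109650: Resolving hostname alsatian.csail.mit.edu.
[55550] 1394594166.142357: Sending initial UDP request to dgram 128.30.2.172:88
[55550] 1394594166.162827: Received answer (176 bytes) from dgram 128.30.2.172:88
"""
# Constructed: a KDC was located but nothing came back (port 88 filtered).
TRACE_NO_ANSWER = """\
[4242] 1394594200.10000: Getting initial credentials for userb@REALM.COM
[4242] 1394594200.10100: Sending request (171 bytes) to REALM.COM
[4242] 1394594200.10200: Resolving hostname dc1.realm.com.
[4242] 1394594200.10300: Sending initial UDP request to dgram 192.0.2.10:88
"""
# Constructed: no KDC was ever resolved (failed SRV lookup or missing kdc= line).
TRACE_NO_KDC = """\
[4243] 1394594300.10000: Getting initial credentials for userb@REALM.COM
[4243] 1394594300.10100: Sending request (171 bytes) to REALM.COM
"""

LINE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
SENT = re.compile(r"Sending initial \w+ request to \w+ (\S+)")
ANSWERED = re.compile(r"Received answer \(\d+ bytes\) from \w+ (\S+)")

def diagnose(trace):
    """Reduce a KRB5_TRACE transcript to realm, KDCs tried, and a verdict."""
    realm, hosts, sent, answered = None, [], [], []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("Getting initial credentials for "):
            realm = msg.rsplit("@", 1)[-1]          # realm part of the principal
        elif msg.startswith("Resolving hostname "):
            hosts.append(msg.split()[-1].rstrip("."))  # KDC name from DNS/krb5.conf
        elif (s := SENT.search(msg)):
            sent.append(s.group(1))                  # KDC address:port we sent to
        elif (a := ANSWERED.search(msg)):
            answered.append(a.group(1))              # KDC address:port that replied
    if realm is None:
        verdict = "no principal parsed; is this a KRB5_TRACE transcript?"
    elif not sent:
        verdict = ("no KDC address obtained for %s: check _kerberos._udp.%s SRV "
                   "records or a kdc= entry under [realms] in krb5.conf" % (realm, realm))
    elif not answered:
        verdict = "sent to %s but got no reply: check port 88 from this host" % ", ".join(sent)
    else:
        verdict = "ok"
    return {"realm": realm, "hosts": hosts, "sent": sent, "answered": answered, "verdict": verdict}
```

Feed it a real transcript with `diagnose(open("trace.log").read())`; the verdict separates "could not find a KDC" (a DNS or krb5.conf problem) from "found one but it never answered" (a network filter between the DMZ and the KDC).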