SSH using Kerberos in 2 AD domains
Greg Hudson
ghudson at mit.edu
Mon Aug 19 00:03:22 EDT 2019
The text of this message seems to have been eaten by the mailing list
software (perhaps it was sent as an attachment?); I have it from the
moderation queue.
For historical reasons, auth_to_local rules are read from the default
realm, not the realm of the principal being authorized. So you need to
put all of the auth_to_local rules in the same subsection, and use rules
like this (from
https://web.mit.edu/kerberos/krb5-latest/doc/admin/host_config.html):
auth_to_local = RULE:[1:$1@$0](.*@DFDP\.COM)s/@DFDP\.COM$//
>
> Hi,
>
> I'm trying to SSH using Kerberos tickets on Linux machines joined to both domains (2 different domains in MS AD).
>
> Both domains work independently if I change the entry default_realm = AD.YARA.COM to default_realm = DFDP.COM
>
> Then ssh works with DFDP.COM
>
> If I change the default_realm = DFDP.COM to default_realm = AD.YARA.COM
>
> Then ssh works with AD.YARA.COM
>
>
> Here my config:
>
> cat /etc/krb5.conf
> [libdefaults]
> ignore_acceptor_hostname = true
> k5login_authoritative = false
> dns_canonicalize_hostname = false
> canonicalize = true
> allow_weak_crypto = true
> dns_lookup_realm = true
> dns_lookup_kdc = true
> dns_fallback = yes
>
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_realm = AD.YARA.COM
> #default_realm = DFDP.COM
> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
> kdc_timesync = 1
> ccache_type = 4
>
> default_tkt_enctypes = aes256-cts-hmac-sha1-96
> default_tgs_enctypes = aes256-cts-hmac-sha1-96
>
> [realms]
> DFDP.COM = {
> auth_to_local = RULE:[1:$1@$0](^.*@DFDP.COM$)
> auth_to_local = RULE:[2:$1@$0](^.*/.*@DFDP.COM$)
> user_realm = DFDP.COM
> default_domain = DFDP.COM
> }
> AD.YARA.COM = {
> default_domain = AD.YARA.COM
> admin_server = sr31022.ad.yara.com
> auth_to_local = RULE:[1:$1@$0](^.*@AD.YARA.COM$)
> auth_to_local = RULE:[2:$1@$0](^.*/.*@AD.YARA.COM$)
> user_realm = AD.YARA.COM
> }
>
> [domain_realm]
> .dfdp.com = DFDP.COM
> dfdp.com = DFDP.COM
> .ad.yara.com = AD.YARA.COM
> ad.yara.com = AD.YARA.COM
>
>
> Can we not have a config that works with BOTH domains at the same time without needing to change the default_realm in [libdefaults]?
>
> Or is it not supported?
>
> Regards,
> Bruno
>
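As an added illustration of the point Greg makes above (this fragment is not from the original thread; it is rebuilt from Bruno's posted krb5.conf, and it assumes, as his config does, that AD.YARA.COM is the default realm): because the library reads auth_to_local only from the default realm's subsection, the rules for both realms are listed under AD.YARA.COM, and DFDP.COM's subsection keeps only its other settings.

```ini
[libdefaults]
    default_realm = AD.YARA.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    forwardable = true
    ticket_lifetime = 24h
    renew_lifetime = 7d

[realms]
    AD.YARA.COM = {
        default_domain = AD.YARA.COM
        admin_server = sr31022.ad.yara.com
        # auth_to_local is read only from the default realm's subsection,
        # so the rules for BOTH realms live here. Each rule formats the
        # principal as "$1@$0" (first component @ realm), matches that
        # string against the regexp, then strips the realm suffix with
        # the s/// substitution. The dots are escaped to match literally.
        auth_to_local = RULE:[1:$1@$0](.*@AD\.YARA\.COM)s/@AD\.YARA\.COM$//
        auth_to_local = RULE:[1:$1@$0](.*@DFDP\.COM)s/@DFDP\.COM$//
        # Any principal matched by neither rule (for example a
        # two-component service principal) is not mapped at all.
    }
    DFDP.COM = {
        # No auth_to_local here: rules in a non-default realm's
        # subsection are never consulted.
        default_domain = DFDP.COM
    }

[domain_realm]
    .dfdp.com = DFDP.COM
    dfdp.com = DFDP.COM
    .ad.yara.com = AD.YARA.COM
    ad.yara.com = AD.YARA.COM
```

Two details worth checking in any rule set like this. First, the `s/@REALM$//` part is what turns `bruno@DFDP.COM` into `bruno`; a RULE with no substitution yields the formatted selection string itself as the local name. Second, the `[2:$1@$0]` selector in the original post formats a two-component principal as `first@REALM`, with no slash, so a regexp of the form `^.*/.*@REALM$` can never match it. Note also that with one rule per realm both `bruno@DFDP.COM` and `bruno@AD.YARA.COM` map to the same local account `bruno`, so an account of that name in either domain can log in as that local user; if the two domains' user namespaces are not meant to be merged, map one realm to a distinct prefix or suffix instead of stripping the realm outright.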