SSH using Kerberos in 2 AD domains

Greg Hudson ghudson at mit.edu
Mon Aug 19 00:03:22 EDT 2019


The text of this message seems to have been eaten by the mailing list
software (perhaps it was sent as an attachment?); I have it from the
moderation queue.

For historical reasons, auth_to_local rules are read from the default
realm, not the realm of the principal being authorized.  So you need to
put all of the auth_to_local rules in the same subsection, and use rules
like this (from
https://web.mit.edu/kerberos/krb5-latest/doc/admin/host_config.html):

    auth_to_local = RULE:[1:$1@$0](.*@DFDP\.COM)s/@DFDP\.COM$//


> 
> Hi,
>  
> I'm trying to SSH using Kerberos tickets on Linux machines joined to both domains (two different domains in MS AD).
>  
> Both domains work independently if I change the entry default_realm = AD.YARA.COM to default_realm = DFDP.COM.
>  
> Then ssh works with DFDP.COM.
>  
> If I change default_realm = DFDP.COM to default_realm = AD.YARA.COM,
>  
> then ssh works with AD.YARA.COM.
>  
>  
> Here is my config:
>  
> cat /etc/krb5.conf
> [libdefaults]
>   ignore_acceptor_hostname = true
>   k5login_authoritative = false
>   dns_canonicalize_hostname = false
>   canonicalize = true
>   allow_weak_crypto = true
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   dns_fallback = yes
> 
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>   forwardable = true
>   rdns = false
>   default_realm = AD.YARA.COM
>   #default_realm = DFDP.COM
>   default_ccache_name = FILE:/tmp/krb5cc_%{uid}
>   kdc_timesync = 1
>   ccache_type = 4
>  
>   default_tkt_enctypes = aes256-cts-hmac-sha1-96
>   default_tgs_enctypes = aes256-cts-hmac-sha1-96
> 
> [realms]
>   DFDP.COM = {
>     auth_to_local = RULE:[1:$1@$0](^.*@DFDP.COM$)
>     auth_to_local = RULE:[2:$1@$0](^.*/.*@DFDP.COM$)
>     user_realm = DFDP.COM
>     default_domain = DFDP.COM
>   }
>   AD.YARA.COM = {
>     default_domain = AD.YARA.COM
>     admin_server = sr31022.ad.yara.com
>     auth_to_local = RULE:[1:$1@$0](^.*@AD.YARA.COM$)
>     auth_to_local = RULE:[2:$1@$0](^.*/.*@AD.YARA.COM$)
>     user_realm = AD.YARA.COM
>   }
>  
> [domain_realm]
>   .dfdp.com = DFDP.COM
>   dfdp.com = DFDP.COM
>   .ad.yara.com = AD.YARA.COM
>   ad.yara.com = AD.YARA.COM
>  
>  
> Can we not have a config that works with BOTH domains at the same time, without needing to change the default_realm in [libdefaults]?
>  
> Or is that not supported?
>  
> Regards,
> Bruno
> 

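An added example, not code from Greg's reply, Bruno's post or MIT krb5 itself: a small Python simulator of auth_to_local RULE evaluation run over two constructed krb5.conf fragments (the realm names follow the thread; the host and user names are made up). It shows that only the default_realm subsection's rules are consulted, so a layout with each realm's rule under its own subsection cannot map DFDP.COM principals while AD.YARA.COM is the default, whereas one subsection holding both rules maps both. It also shows that a RULE with no s/// part returns the selection string itself (user@REALM) as the local name, which is why the documented rule strips the realm suffix. The parser and evaluator are simplified reimplementations for illustration (whole-string regexp match, $0 = realm, $1..$n = components, first matching rule wins, DEFAULT when no rule is configured).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed fragments for this example (not the config from the thread).
# FIXED follows the advice above: both realms' rules under the default realm.
CONF_FIXED = r"""
[libdefaults]
  default_realm = AD.YARA.COM

[realms]
  AD.YARA.COM = {
    auth_to_local = RULE:[1:$1@$0](.*@AD\.YARA\.COM)s/@AD\.YARA\.COM$//
    auth_to_local = RULE:[1:$1@$0](.*@DFDP\.COM)s/@DFDP\.COM$//
    auth_to_local = DEFAULT
  }
  DFDP.COM = {
  }
"""

# SPLIT puts each realm's rule under its own subsection; only the
# AD.YARA.COM block is ever consulted while it is the default realm.
CONF_SPLIT = r"""
[libdefaults]
  default_realm = AD.YARA.COM

[realms]
  AD.YARA.COM = {
    auth_to_local = RULE:[1:$1@$0](.*@AD\.YARA\.COM)s/@AD\.YARA\.COM$//
  }
  DFDP.COM = {
    auth_to_local = RULE:[1:$1@$0](.*@DFDP\.COM)s/@DFDP\.COM$//
  }
"""

RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(.*)$")
SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def parse_krb5_conf(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Minimal parser: (default_realm, {realm: [auth_to_local values]}).
    Handles only the profile syntax used in the fragments above."""
    section, realm, default_realm = None, None, ""
    rules: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            continue
        if section == "realms" and line.endswith("{"):
            realm = line[:-1].split("=")[0].strip()
            rules.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms" and realm and key == "auth_to_local":
            rules[realm].append(value)
    return default_realm, rules


def apply_rule(rule: str, components: List[str], realm: str,
               default_realm: str) -> Optional[str]:
    """Evaluate one auth_to_local value against a principal; None = no match."""
    if rule == "DEFAULT":
        # DEFAULT: single-component principals of the default realm only.
        if len(components) == 1 and realm == default_realm:
            return components[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    ncomp, fmt, regex, substs = int(m[1]), m[2], m[3], m[4]
    if len(components) != ncomp:
        return None  # rule only applies to principals with exactly n components
    sel = fmt.replace("$0", realm)  # selection string: $0 realm, $1..$n parts
    for i, comp in enumerate(components, 1):
        sel = sel.replace(f"${i}", comp)
    if not re.fullmatch(regex, sel):  # regexp must match the whole string
        return None
    # Apply each s/pattern/replacement/[g] in order; with none, the
    # selection string itself (e.g. user@REALM) becomes the local name.
    for pat, rep, g in SUBST_RE.findall(substs):
        sel = re.sub(pat, rep, sel, count=0 if g else 1)
    return sel


def auth_to_local(principal: str, conf: str) -> Optional[str]:
    """Map a principal to a local name: rules come from the default realm's
    subsection regardless of the principal's realm; first match wins."""
    name, _, realm = principal.rpartition("@")
    default_realm, rules = parse_krb5_conf(conf)
    for rule in rules.get(default_realm) or ["DEFAULT"]:
        result = apply_rule(rule, name.split("/"), realm, default_realm)
        if result is not None:
            return result
    return None


def demo() -> Dict[str, Optional[str]]:
    """Worked cases; the 'nosubst' entry uses a rule with no s/// part."""
    return {
        "fixed/ad": auth_to_local("bruno@AD.YARA.COM", CONF_FIXED),
        "fixed/dfdp": auth_to_local("bruno@DFDP.COM", CONF_FIXED),
        "fixed/host": auth_to_local("host/srv.ad.yara.com@AD.YARA.COM", CONF_FIXED),
        "fixed/other": auth_to_local("mallory@OTHER.EXAMPLE", CONF_FIXED),
        "split/ad": auth_to_local("bruno@AD.YARA.COM", CONF_SPLIT),
        "split/dfdp": auth_to_local("bruno@DFDP.COM", CONF_SPLIT),
        "nosubst": apply_rule(r"RULE:[1:$1@$0](^.*@DFDP\.COM$)",
                              ["bruno"], "DFDP.COM", "AD.YARA.COM"),
    }


if __name__ == "__main__":
    for case, local in demo().items():
        print(f"{case:12s} -> {local}")
```

With the fixed layout both bruno@AD.YARA.COM and bruno@DFDP.COM map to the local user bruno, while the split layout maps only the default realm's principal; a service principal such as host/srv.ad.yara.com@AD.YARA.COM and a principal from an unlisted realm map to nothing, which is what you want an sshd acceptor to refuse.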
