Kerberos Database Sync with Sub-Domains

Jonathan Towles jjtowles at synterex.com
Tue Jul 14 09:22:16 EDT 2020


So by using enterprise principal names, you can essentially point it at the parent domain KDC, and it can get a ticket for even users in the sub-domains?

That's only something that can be done in the GSS config right? You can't do it in the KRB5.conf file?

Jon Towles
CTO, Synterex
(m) 978-609-5545


-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Tuesday, July 14, 2020 8:38 AM
To: Jonathan Towles <jjtowles at synterex.com>
Cc: Bryan Mesich <bryan.mesich at digikey.com>; kerberos at mit.edu
Subject: Re: Kerberos Database Sync with Sub-Domains

On Tue, Jul 14, 2020 at 2:23 PM Jonathan Towles <jjtowles at synterex.com> wrote:
>
> Hi Bryan,
>
> I think essentially the issue/question that comes up is what happens when you have say 5 domains, and you have people with the say domain name in those 5 domains.
>
> So here's the use case:
>
> Let's say I have 5 domains:
>
> Synterex.com
> Boston.synterex.com
> Ny.synterex.com
> Miami.synterex.com
> Dallas.synterex.com
>
> When I move to Office 365, I have to make my SMTP and UPN match. This 
> will now make it so everyone in all 5 domains has a UPN ending in 
> synterex.com

You can use an enterprise principal name to work with UPNs, e.g. kinit -E user at synterex.com (the realm will get canonicalized, and with -C the name too).

> So, now I have an issue where you have user accounts in 5 domains all with the same REALM of SYNTEREX.COM.
>
> In this situation, there's only two ways this can still work:
>
> 1. You move everyone to the synterex.com domain which can be a real
> nightmare
> 2. You find a way to point all authentication against the
> Synterex.com KDC and still be able to get tickets for users living in
> the sub-domains
>
> I'm not sure if you can actually make #2 work or not. When I have tried, I get user not found in the database issues.
>
> Jon Towles
> CTO, Synterex
> (m) 978-609-5545
>
>
>
> -----Original Message-----
> From: Bryan Mesich <bryan.mesich at digikey.com>
> Sent: Monday, July 13, 2020 11:01 PM
> To: Jonathan Towles <jjtowles at synterex.com>
> Cc: kerberos at mit.edu
> Subject: Re: Kerberos Database Sync with Sub-Domains
>
> On Mon, Jul 13, 2020 at 06:58:39PM +0000, Jonathan Towles wrote:
> > Hi All,
>
> Hello,
>
> > I wanted to ask a question that I have been unable to get clear information on.
> >
> > Is it technically or functionally possible to get a Kerberos ticket 
> > for someone in the sub-domain against the parent domain
> >
> > Example:
> > User jon at boston.synterex.com<mailto:jon at boston.synterex.com> wants to get a Kerberos ticket against dc01.synterex.com but will fail because that user is not found in the database on that Domain Controller.
>
> It is unclear to me based on your example if you are using one or 
> multiple realms in your environment.  Either way, you would want to 
> have a properly configured krb5.conf that contains the Kerberos 
> Realm(s) and domain-to-realm mapping information.  A single realm 
> might look like the
> following:
>
> [realms]
>   SYNTEREX.COM = {
>         kdc = dc01.synterex.com
>         admin_server = dc01.synterex.com
>   }
>
> [domain_realm]
>   .synterex.com = SYNTEREX.COM
>
> The above configuration would cause the client to request tickets from 
> the SYNTEREX.COM realm if the domain name contains .synterex.com 
> (which covers all subdomains as well).  A multiple realm configuration 
> might look like the following:
>
> [realms]
>   BOSTON.SYNTEREX.COM = {
>         kdc = dc01.boston.synterex.com
>         admin_server = dc01.boston.synterex.com
>   }
>   ATLANTA.SYNTEREX.COM = {
>         kdc = dc01.atlanta.synterex.com
>         admin_server = dc01.atlanta.synterex.com
>   }
>
> [domain_realm]
>   .boston.synterex.com = BOSTON.SYNTEREX.COM
>   .atlanta.synterex.com = ATLANTA.SYNTEREX.COM
>
> In this case, each subdomain has its own kerberos REALM.  The 
> domain_realm section maps the domain to the correct realm.
>
> It is also possible to request a service ticket from a different realm 
> from which you have a valid TGT.  A cross-realm trust would need to be 
> setup to allow this.  We have this setup between our MIT Kerberos 
> realm and Active Directory realm (works quite nicely).
>
> "User is not found in the database" can often point at user mapping 
> issue between your Unix/AD environment.  In your example, you would 
> want to make sure your AD user account "jon" exists (or change the 
> userPrincipalName attribute in AD to match your Unix account).  You 
> can also try specifying the principal name manually using kinit:
>
>         kinit jon at SYNTEREX.COM
>
> Based off your email address and the fact that the domains being used 
> in your example match, your AD user name could be jjtowles.  In that 
> case, make sure your krb5.conf is configured properly and try using 
> kinit with:
>
>         kinit jjtowles at SYNTEREX.COM
>
> If the above works, then you'll have to change your userPrincipalName 
> attribute in AD to match your Unix account, or change your Unix 
> account name to match your AD account.  Without making the change, 
> using Kerberos with ssh is useless due to the fact your principal name 
> doesn't match your Unix ID.
>
> > I didn't think that it was, but I wanted to check and see if anyone knows.
>
> Good luck!
>
> Bryan
>
> > Jon Towles
> > CTO, Synterex
> > (m) 978-609-5545
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> --
> Bryan Mesich
> Sr. System Administrator
> DIGI-KEY ELECTRONICS
> +1 218.681.8000 x16104
>
> Powered by Linux 4.18.0-147.0.3.el8_1.x86_64
>
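The thread contrasts two krb5.conf layouts: one realm whose single `.synterex.com` entry covers every subdomain, and one realm per subdomain with an entry for each. The Python below is an added example, not code from this thread or from MIT Kerberos. It parses only the [domain_realm] section of two constructed krb5.conf snippets (realm spelled SYNTEREX.COM throughout) and resolves a host name to a realm using the lookup order documented for MIT krb5: the exact host first, then each parent domain with a leading dot, most specific first, with a host entry implicitly covering its domain. It shows why a subdomain that is not listed in the per-realm layout gets no mapping at all, which is where the client falls back to other mechanisms (DNS, default_realm) and a "not found in database" error against the wrong KDC can surface.

```python
"""Resolve host names to Kerberos realms from krb5.conf [domain_realm] entries.

Added example (not MIT krb5 code). The lookup order follows the krb5.conf
documentation: exact host, then parent domains from most specific to least,
where ".domain" covers hosts under the domain and a bare "domain" entry
implicitly provides the ".domain" relation as well.
"""
import re

# Constructed sample: single realm, one entry covering all subdomains.
SINGLE_REALM_CONF = """
[realms]
  SYNTEREX.COM = {
        kdc = dc01.synterex.com
        admin_server = dc01.synterex.com
  }

[domain_realm]
  .synterex.com = SYNTEREX.COM
"""

# Constructed sample: one realm per listed subdomain, no parent fallback.
MULTI_REALM_CONF = """
[domain_realm]
  .boston.synterex.com = BOSTON.SYNTEREX.COM
  .atlanta.synterex.com = ATLANTA.SYNTEREX.COM
"""


def parse_domain_realm(text):
    """Return {domain_or_host: REALM} from the [domain_realm] section only.

    krb5.conf is not INI: [realms] holds brace-delimited blocks, so brace
    depth is tracked to avoid mistaking nested 'key = value' lines for
    top-level relations.
    """
    mapping = {}
    section = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        if line.endswith('{'):
            depth += 1
            continue
        if line == '}':
            depth -= 1
            continue
        header = re.fullmatch(r'\[([A-Za-z_]+)\]', line)
        if header and depth == 0:
            section = header.group(1)
            continue
        if section == 'domain_realm' and depth == 0 and '=' in line:
            key, _, value = line.partition('=')
            mapping[key.strip().lower()] = value.strip()
    return mapping


def realm_for_host(hostname, mapping):
    """Return the realm for hostname, or None when no relation matches."""
    host = hostname.lower().rstrip('.')
    if host in mapping:                       # exact host relation wins
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):           # walk parent domains
        parent = '.'.join(labels[i:])
        if '.' + parent in mapping:           # explicit ".domain" relation
            return mapping['.' + parent]
        if parent in mapping:                 # bare host entry implies ".domain"
            return mapping[parent]
    return None


if __name__ == '__main__':
    single = parse_domain_realm(SINGLE_REALM_CONF)
    multi = parse_domain_realm(MULTI_REALM_CONF)
    for host in ('dc01.synterex.com', 'dc01.boston.synterex.com',
                 'dc01.ny.synterex.com'):
        print(f'{host:28} single-realm -> {realm_for_host(host, single)}'
              f'   per-subdomain -> {realm_for_host(host, multi)}')
```

Under the single-realm layout every host under synterex.com resolves to SYNTEREX.COM; under the per-subdomain layout a host in ny.synterex.com resolves to nothing because no entry was written for it, which is the gap to check first when a client reports the user as missing from a KDC it should never have contacted.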


