On Tue, 11 Mar 2014, Jeremy Page wrote:

> I am trying to set up multi-realm authentication via SSH into an Ubuntu
> box against a Windows 2008 AD forest with multiple AD domains/Kerberos
> realms in it.
>
> Inside our network this works as I would like, assuming users' UIDs are
> unique - [email protected] and [email protected] both can authenticate
> (I am logging in with uid@server so not specifying a realm).
>
> In our DMZ I can only log in via ssh if I am in the Kerberos realm
> specified as the default_realm in krb5.conf.
> kinit for NON default realms *works* as long as I specify the realm,
> getent/ldapsearch pulls back the correct user information. No caching
> (ccreds/nscd) is on the box. I can connect to the KDCs in question (as
> long as I change the default realm I can log in with any user) so I
> don't see anything being blocked but it seems like something must be.
>
> I am not sure what the next step is to troubleshoot this issue, any
> suggestions would be appreciated.
I am not sure that I correctly understand the problem, particularly the
bits with ssh, but the kinit part is probably easier to debug. I assume
that the kinit is happening on the Ubuntu box. What version of Ubuntu
(in particular, what version of the krb5-user package) is in use?

One possibility is that DNS lookups which are being used to determine a
realm or the location of KDCs for a realm are failing in the DMZ. You
may gain some insight into what operations are being attempted by
running a command like:

PERFLUENCE-PRIME:~ kaduk$ KRB5_TRACE=/dev/stdout ~/dest/bin/kinit [email protected]

(my default realm is ATHENA.MIT.EDU), which prints output like this:

[55550] 1394594166.72935: Getting initial credentials for [email protected]
[55550] 1394594166.74345: Sending request (169 bytes) to CSAIL.MIT.EDU
[55550] 1394594166.109650: Resolving hostname alsatian.csail.mit.edu.
[55550] 1394594166.142357: Sending initial UDP request to dgram 128.30.2.172:88
[55550] 1394594166.162827: Received answer (176 bytes) from dgram 128.30.2.172:8

-Ben Kaduk

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
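A small reader for that KRB5_TRACE output, added here as an example; it is not part of Ben's message and not MIT krb5 code. It takes the trace from a kinit run in the DMZ and, per attempt, reports which realm the request was built for, which KDC hostnames were looked up, which addresses were actually contacted and whether any of them answered, so the three questions Ben raises (realm choice, KDC lookup via DNS, reachability of the KDC) can be told apart at a glance. Only the message forms visible in the trace above are recognised; anything else krb5 prints is ignored rather than misclassified. The sample trace is constructed from those line shapes; the realm EXAMPLE.TEST, the host kdc.example.test and the address 192.0.2.10 are hypothetical and used only to show the two failure shapes. Python 3.8 or later is assumed (walrus operator). One caveat tied to Ben's version question: KRB5_TRACE is honoured only by MIT krb5 1.9 and later, so an older krb5-user package prints nothing.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# One KRB5_TRACE line: "[pid] seconds.micros: message"
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")

# Message patterns, modelled only on the forms visible in the trace in the
# reply above. Other messages MIT krb5 may emit are ignored.
START_RE = re.compile(r"^Getting initial credentials for (\S+)$")
REQUEST_RE = re.compile(r"^Sending request \(\d+ bytes\) to (\S+)$")
RESOLVE_RE = re.compile(r"^Resolving hostname (\S+)$")
SEND_RE = re.compile(r"^Sending initial \S+ request to \S+ (\S+)$")
ANSWER_RE = re.compile(r"^Received answer \(\d+ bytes\) from \S+ (\S+)$")

# Constructed sample: attempt 1 mirrors the posted trace (port written out in
# full here); attempts 2 and 3 use the hypothetical realm EXAMPLE.TEST to show
# "no KDC found" and "KDC never answered" respectively.
SAMPLE_TRACE = """\
[55550] 1394594166.72935: Getting initial credentials for user@CSAIL.MIT.EDU
[55550] 1394594166.74345: Sending request (169 bytes) to CSAIL.MIT.EDU
[55550] 1394594166.109650: Resolving hostname alsatian.csail.mit.edu.
[55550] 1394594166.142357: Sending initial UDP request to dgram 128.30.2.172:88
[55550] 1394594166.162827: Received answer (176 bytes) from dgram 128.30.2.172:88
[55551] 1394594200.10000: Getting initial credentials for user@EXAMPLE.TEST
[55551] 1394594200.20000: Sending request (170 bytes) to EXAMPLE.TEST
[55552] 1394594300.10000: Getting initial credentials for user@EXAMPLE.TEST
[55552] 1394594300.20000: Sending request (170 bytes) to EXAMPLE.TEST
[55552] 1394594300.30000: Resolving hostname kdc.example.test.
[55552] 1394594300.40000: Sending initial UDP request to dgram 192.0.2.10:88
"""


@dataclass
class Attempt:
    """Everything the trace shows about one kinit run."""
    principal: str
    realm: Optional[str] = None
    hostnames: List[str] = field(default_factory=list)  # KDC names looked up
    kdcs: List[str] = field(default_factory=list)       # addr:port sent to
    answers: List[str] = field(default_factory=list)    # addr:port that replied

    def verdict(self) -> str:
        """Say where the attempt stopped: realm, KDC lookup, or network."""
        if self.realm is None:
            return "no request built: realm for %s was never determined" % self.principal
        if not self.kdcs:
            return ("no KDC address found for %s: DNS/krb5.conf lookup yielded nothing"
                    % self.realm)
        if not self.answers:
            return ("no answer from %s for %s: traffic to the KDC is likely blocked"
                    % (", ".join(self.kdcs), self.realm))
        return "%s: answered by %s" % (self.realm, self.answers[-1])


def parse_trace(text: str) -> List[Attempt]:
    """Split a trace into kinit attempts and collect realm, KDC and answer info."""
    attempts: List[Attempt] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt, blank line, or anything that is not a trace line
        msg = m.group("msg")
        if (start := START_RE.match(msg)):
            attempts.append(Attempt(principal=start.group(1)))
            continue
        if not attempts:
            continue  # message before any "Getting initial credentials" line
        cur = attempts[-1]
        if (x := REQUEST_RE.match(msg)):
            cur.realm = x.group(1)
        elif (x := RESOLVE_RE.match(msg)):
            cur.hostnames.append(x.group(1).rstrip("."))
        elif (x := SEND_RE.match(msg)):
            cur.kdcs.append(x.group(1))
        elif (x := ANSWER_RE.match(msg)):
            cur.answers.append(x.group(1))
    return attempts


def diagnose(text: str) -> List[str]:
    """One verdict line per attempt, in trace order."""
    return [a.verdict() for a in parse_trace(text)]


if __name__ == "__main__":
    # Save a real trace first (KRB5_TRACE=/tmp/kinit.trace kinit user@REALM),
    # then: python3 kinit_trace.py < /tmp/kinit.trace
    # With no input on stdin the constructed sample is classified instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    for line in diagnose(data):
        print(line)
```

Run the trace once from inside the network and once from the DMZ box and compare the verdicts for the non-default realm: "no KDC address found" points at the DNS lookup Ben suspects (the SRV or A record for that realm's KDC is not resolvable from the DMZ, or the realm has no kdc entry in krb5.conf), while "no answer from" means the KDC was located but port 88 is not reachable from there.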
