How to configure kerberos to support Active Directory trust

drdebate
Posts: 3
Joined: 2012/03/27 21:12:46

How to configure kerberos to support Active Directory trust

Post by drdebate » 2012/08/16 21:53:34

In the past, I had no problem using Kerberos/Winbind to authenticate users off Active Directory for Samba and SSH access. We recently merged with another company and have established a forest trust between the two Active Directories, but I'm not getting any authentication for users in the other domain. I believe this has to do with how I have krb5.conf set up. If it makes a difference, all permissions are group based. So, for example, I grant access to a Samba share by a particular group in AD and then add users to that group. I'd prefer to keep it that way, if possible, regardless of which forest the user is in. Here is my current krb5.conf:

[code]
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 clockskew = 300

[realms]
 DOMAIN.LOCAL = {
  kdc = ad1.domain.local
  kdc = ad2.domain.local
  admin_server = ad1.domain.local
  default_domain = domain.local
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
[/code]
I'm not well versed enough in Kerberos to make the necessary changes to support the trusted forest/domain. Do I need to specify the other realm? Domain? Do I need to map using capath? In researching this I could probably come up with dozens of things to guess, but I'm hoping somebody out there has already had to cross this bridge and would be willing to share their solution.
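Before guessing at stanzas, it is worth checking mechanically what the posted krb5.conf already covers for a second realm. The script below is an added example, not code from the thread: it parses the krb5.conf profile format (including the brace blocks under [realms] and [appdefaults]), applies the [domain_realm] matching rules to a hostname, and reports whether KDCs of a trusted realm can be located, whether hosts of the trusted domain map to it, and whether the enabled enctypes are deprecated. The trusted forest is called OTHER.LOCAL / other.local here as a constructed placeholder, since the post never names it; the embedded sample is the relevant part of the config quoted above.

```python
"""Audit a krb5.conf for coverage of a trusted Active Directory realm.

Added example (not from the forum post).  OTHER.LOCAL / other.local is a
constructed placeholder for the trusted forest, which the post never names.
"""
import re

# Enctypes deprecated for Kerberos: single DES by RFC 6649, 3DES and RC4
# (arcfour) by RFC 8429.  All four listed in the posted config are here.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
    "arcfour-hmac-exp", "arcfour-hmac-md5-exp",
}

# The sections of the krb5.conf quoted in the question that matter here.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = DOMAIN.LOCAL
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 DOMAIN.LOCAL = {
  kdc = ad1.domain.local
  kdc = ad2.domain.local
  admin_server = ad1.domain.local
  default_domain = domain.local
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL
"""


def as_list(value):
    return value if isinstance(value, list) else [value]


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into nested dicts.

    '{ ... }' relation blocks become dicts; a key repeated within one block
    (several 'kdc =' lines) collects into a list.  Comments start with '#' or ';'.
    """
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if not stack and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        if line == "}":
            if not stack:
                raise ValueError("unexpected '}' in krb5.conf")
            stack.pop()
            continue
        if section is None:
            raise ValueError("relation outside any section: %r" % raw)
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        target = stack[-1] if stack else conf[section]
        if value == "{":
            target[key] = {}
            stack.append(target[key])
        elif key in target:
            target[key] = as_list(target[key]) + [value]
        else:
            target[key] = value
    if stack:
        raise ValueError("unterminated '{' block in krb5.conf")
    return conf


def realm_for_host(conf, hostname):
    """Apply [domain_realm]: an exact hostname entry wins, otherwise the longest
    parent domain with a leading-dot entry.  None means no explicit mapping."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def audit_trust(conf, trusted_realm, trusted_domain):
    """Return findings that would keep principals of trusted_realm from working."""
    findings = []
    libdefaults = conf.get("libdefaults", {})

    # KDCs of the trusted realm must be locatable: either an explicit [realms]
    # stanza or DNS SRV lookups (dns_lookup_kdc, which defaults to true).
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    if trusted_realm not in conf.get("realms", {}) and not dns_kdc:
        findings.append("no [realms] entry for %s and dns_lookup_kdc is off" % trusted_realm)

    # Hosts of the trusted domain should map to the trusted realm explicitly.
    mapped = realm_for_host(conf, "host." + trusted_domain)
    if mapped != trusted_realm:
        findings.append("[domain_realm] maps .%s to %s, expected %s"
                        % (trusted_domain, mapped, trusted_realm))

    # Deprecated enctypes weaken every ticket, trusted realm or not.
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        enctypes = " ".join(as_list(libdefaults.get(key, ""))).split()
        weak = [e for e in enctypes if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append("%s enables deprecated enctypes: %s" % (key, " ".join(weak)))
    return findings


if __name__ == "__main__":
    for finding in audit_trust(parse_krb5_conf(SAMPLE_KRB5_CONF), "OTHER.LOCAL", "other.local"):
        print("-", finding)
```

Run against the quoted config, the audit finds that KDC location for a second realm is already possible through dns_lookup_kdc, that no [domain_realm] entry covers the trusted domain, and that both enctype lists consist entirely of deprecated types.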

drdebate
Posts: 3
Joined: 2012/03/27 21:12:46

Re: How to configure kerberos to support Active Directory trust

Post by drdebate » 2012/08/17 00:22:38

Update: Apparently this configuration does work for Samba authentication of the other domain but not SSH.

Hellboy
Posts: 116
Joined: 2010/07/18 09:46:18

How to configure kerberos to support Active Directory trust

Post by Hellboy » 2012/08/20 07:35:07

In your Samba configuration you need the following:

allow trusted domains = yes

Make sure sshd_config allows for GSSAPI authentication.
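Both settings named in this reply can be verified from the files themselves. The script below is an added example, not from the thread, and both input files are constructed samples: it reads the [global] section of smb.conf with parameter names normalised the way smbd compares them (case and whitespace ignored), reads sshd_config the way sshd applies it (first value of a keyword wins, keywords are case-insensitive, anything after the first Match line is conditional), and reports when `allow trusted domains` is off or GSSAPIAuthentication is not enabled. The defaults it assumes are the daemons' own: Samba allows trusted domains unless told otherwise, sshd disables GSSAPI authentication unless told otherwise.

```python
"""Check 'allow trusted domains' in smb.conf and GSSAPIAuthentication in
sshd_config.  Added example, not from the thread; both files are constructed.
"""
import re

# Constructed smb.conf: trusted-domain lookups switched off.
SAMPLE_SMB_CONF = """
[global]
   workgroup = DOMAIN
   realm = DOMAIN.LOCAL
   security = ads
   allow trusted domains = no
   winbind use default domain = yes
"""

# Constructed sshd_config: the commented line is inert, the live setting is
# 'yes', and the Match block applies to one user only.
SAMPLE_SSHD_CONFIG = """
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
Match User backup
    GSSAPIAuthentication no
"""


def smb_global(text):
    """Return the [global] section of smb.conf.  Keys are normalised the way
    smbd compares parameter names: case-insensitive, whitespace ignored."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            settings["".join(key.lower().split())] = value.strip()
    return settings


def sshd_global(text):
    """Return sshd_config keywords that apply to every connection: first value
    wins, keywords compared case-insensitively, parsing stops at 'Match'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip())
    return settings


def yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_trusted_login(smb_text, sshd_text):
    """Findings for the two settings the reply names, using the daemons' own
    defaults when a setting is absent (Samba: yes; sshd: no)."""
    findings = []
    if not yes(smb_global(smb_text).get("allowtrusteddomains", "yes")):
        findings.append("smb.conf: 'allow trusted domains = no' stops winbind from "
                        "resolving users and groups of trusted domains")
    if not yes(sshd_global(sshd_text).get("gssapiauthentication", "no")):
        findings.append("sshd_config: GSSAPIAuthentication is off, so Kerberos "
                        "tickets cannot be used for SSH logins")
    return findings


if __name__ == "__main__":
    for finding in check_trusted_login(SAMPLE_SMB_CONF, SAMPLE_SSHD_CONFIG):
        print("-", finding)
```

On the constructed samples only the smb.conf setting is reported; the commented-out `#GSSAPIAuthentication no` and the per-user Match block do not change the global sshd result.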
