How to configure kerberos to support Active Directory trust

How to configure kerberos to support Active Directory trust

Postby drdebate » 2012/08/16 21:53:34

In the past, I had no problem using Kerberos/Winbind to authenticate users off Active Directory for Samba and SSH access. We recently merged with another company and have established a forest trust between the two Active Directories but I'm not getting any authentication for users in the other domain. I believe this has to do with how I have krb5.conf set up. If it makes a difference, all permissions are group based. So, for example, I grant access to a Samba share by a particular group in AD and then add users to that group. I'd prefer to keep it that way, if possible, regardless of which forest the user is in. Here is my current krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 clockskew = 300

[realms]
 DOMAIN.LOCAL = {
  kdc = ad1.domain.local
  kdc = ad2.domain.local
  admin_server = ad1.domain.local
  default_domain = domain.local
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

I'm not well versed enough in Kerberos to make the necessary changes to support the trusted forest/domain. Do I need to specify the other realm? Domain? Do I need to map using capath? In researching this I could probably come up with dozens of things to guess, but I'm hoping somebody out there has already had to cross this bridge and would be willing to share their solution.
drdebate
 
Posts: 3
Joined: 2012/03/27 21:12:46

Re: How to configure kerberos to support Active Directory trust

Postby drdebate » 2012/08/17 00:22:38

Update: Apparently this configuration does work for Samba authentication of the other domain but not SSH.
drdebate
 
Posts: 3
Joined: 2012/03/27 21:12:46

How to configure kerberos to support Active Directory trust

Postby Hellboy » 2012/08/20 07:35:07

In your samba configuration you need the following:

allow trusted domains = yes

Make sure sshd_config allows for gssapi authentication.
Hellboy
 
Posts: 53
Joined: 2010/07/18 09:46:18
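An added example, not from this thread or from either poster, for checking what a krb5.conf like the one posted above does with a host name from the other forest: it parses the file's section and brace layout and applies the [domain_realm] lookup the way libkrb5 does. The sample config is constructed from the posted one, and `otherforest.example` stands in for the partner forest's DNS domain.

```python
from typing import Any, Dict, Optional

# Constructed sample modelled on the krb5.conf posted above, not the original file.
SAMPLE_KRB5_CONF = """\
[realms]
 DOMAIN.LOCAL = {
  kdc = ad1.domain.local
  kdc = ad2.domain.local
 }
[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL
"""


def parse_krb5_conf(text: str) -> Dict[str, Any]:
    """{section: {key: value}}; 'name = { ... }' blocks nest, repeated keys list."""
    conf: Dict[str, Any] = {}
    stack: list = []  # dicts currently open, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(" ="), {}))
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            cur = stack[-1]
            if key in cur:  # repeated key (e.g. two kdc lines) -> list of values
                cur[key] = (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [value]
            else:
                cur[key] = value
    return conf


def realm_for_host(conf: Dict[str, Any], hostname: str) -> Optional[str]:
    """[domain_realm] lookup as libkrb5 does it: exact host entry first, then the
    longest matching '.suffix'. None means the host is unmapped, so libkrb5 would
    fall back to DNS (if dns_lookup_realm is true) or to default_realm."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        realm = mapping.get("." + ".".join(labels[i:]))
        if realm:
            return realm
    return None
```

Run `realm_for_host(parse_krb5_conf(open("/etc/krb5.conf").read()), "some-host.otherforest.example")` against the real file: a `None` result shows the partner forest's hosts get no realm from the static mapping.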
