sso with mit<->ad-domain problem: no tgt for the mit-realm on the clients in ad-domain - Kerberos



Thread: sso with mit<->ad-domain problem: no tgt for the mit-realm on the clients in ad-domain

  1. sso with mit<->ad-domain problem: no tgt for the mit-realm on the clients in ad-domain


    Hi,

    I've set up a MIT-realm MIT.FLUXCOIL.NET and an AD-domain WIN.FLUXCOIL.NET
    with a cross-realm trust (so I think).
    A user just known in the MIT-realm can, after using kinit -f, jump around
    between the ssh-servers in the MIT-realm fine, getting the credentials
    forwarded.

    When a user in the AD-domain logs onto his workstation he gets his
    krbtgt/WIN.FLUXCOIL.NET@WIN.FLUXCOIL.NET .
    Using the kerberos-patched putty the user can log onto the ssh-servers
    in the MIT-realm without having to enter a password. According to the
    NetworkIdentityManager from KfW the user got a krbtgt/MIT.FLUXCOIL.NET
    now.

    The problem: trying to log onto the other ssh-servers in the MIT-realm
    doesn't work; when asked for the password, it's not accepted.
    When logged on there, klist shows just the user's ticket
    krbtgt/WIN.FLUXCOIL.NET@WIN.FLUXCOIL.NET .

    Trying when sshd runs with 'GSSAPIAuthentication yes':
    ssh -vvv gives the error "Server not found in Kerberos
    database".
    The server I try to log on to tries to connect to the AD-KDC; it does a
    TGS-REQ for krbtgt/MIT.FLUXCOIL.NET@WIN.FLUXCOIL.NET, for encryption
    types 3des-cbc and rc4-hmac, which the AD-server doesn't provide, and
    sends a KRB5KDC_ERR_ETYPE_NOSUPP.
    Changing all encoding-types in /etc/krb5.conf didn't help; the sshd
    still asks for 3des and rc4 (probably hardcoded?).


    Shouldn't the krbtgt/MIT.FLUXCOIL.NET get forwarded?
    Using pam_krb5 didn't give me better results.
    What is the problem here?


    Thanks for hints, Christian.

  2. Re: sso with mit<->ad-domain problem: no tgt for the mit-realm on the clients in ad-domain

    On 2007-06-25, Christian Horn wrote:
    >
    > I've set up a MIT-realm MIT.FLUXCOIL.NET and an AD-domain WIN.FLUXCOIL.NET
    > with a cross-realm trust (so I think).
    > A user just known in the MIT-realm can, after using kinit -f, jump around
    > between the ssh-servers in the MIT-realm fine, getting the credentials
    > forwarded.
    >
    > When a user in the AD-domain logs onto his workstation he gets his
    > krbtgt/WIN.FLUXCOIL.NET@WIN.FLUXCOIL.NET .
    > Using the kerberos-patched putty the user can log onto the ssh-servers
    > in the MIT-realm without having to enter a password. According to the
    > NetworkIdentityManager from KfW the user got a krbtgt/MIT.FLUXCOIL.NET
    > now.
    >
    > The problem: trying to log onto the other ssh-servers in the MIT-realm
    > doesn't work; when asked for the password, it's not accepted.


    I got SSO for the users in the AD-domain working now.
    Still unsure what made it work. On the AD-server I created mappings
    for the domain-users to the Kerberos realm; I thought before that this wasn't needed.
    The cross-realm setup is also nicely described in O'Reilly's 'Kerberos:
    The Definitive Guide'.

    Also I will look if DES is really needed in some places in the setup;
    using this old crypto nowadays is not contributing much to a good
    security-state of the setup.

    I will document my setup after my vacation that starts right now.


    Christian
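The client-side symptom in the first post (klist showing only the local TGT, no krbtgt/MIT.FLUXCOIL.NET@WIN.FLUXCOIL.NET) and the second post's worry about DES can both be checked from a `klist -e` listing. The script below is an added example, not code from the thread; the klist samples are constructed, and the enctype names are the ones MIT Kerberos prints.

```python
"""Check an MIT `klist -e` listing for the cross-realm TGT a client needs
to reach services in another realm, and flag deprecated enctypes on it."""
import re

# Enctypes a defender should no longer see on a trust (DES, RC4, 3DES).
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                       "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
                       "des3-cbc-sha1", "des3-cbc-md5"}

# Constructed sample of `klist -e` for the AD user in the thread: only the
# local TGT is cached, there is no cross-realm TGT for MIT.FLUXCOIL.NET.
SAMPLE_KLIST_MISSING = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@WIN.FLUXCOIL.NET

Valid starting     Expires            Service principal
06/25/07 09:00:00  06/25/07 19:00:00  krbtgt/WIN.FLUXCOIL.NET@WIN.FLUXCOIL.NET
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""
# Constructed sample once the trust works, but with the cross-realm TGT
# issued under RC4, the legacy enctype the thread is concerned about.
SAMPLE_KLIST_WEAK = SAMPLE_KLIST_MISSING + """\
06/25/07 09:00:05  06/25/07 19:00:00  krbtgt/MIT.FLUXCOIL.NET@WIN.FLUXCOIL.NET
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

TICKET_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")

def parse_klist(text):
    """Map each service principal to its (session key, ticket) enctypes."""
    tickets, current = {}, None
    for line in text.splitlines():
        if m := TICKET_RE.match(line):
            current = m.group(1)
            tickets[current] = (None, None)   # filled in by the Etype line
        elif (m := ETYPE_RE.match(line)) and current:
            tickets[current] = (m.group(1), m.group(2))
    return tickets

def check_cross_realm(klist_text, client_realm, target_realm):
    """Return (present, weak, message) for the cross-realm TGT to target_realm."""
    wanted = f"krbtgt/{target_realm}@{client_realm}"
    tickets = parse_klist(klist_text)
    if wanted not in tickets:
        return False, False, f"{wanted} missing: the {client_realm} KDC never issued the cross-realm TGT"
    weak = [e for e in tickets[wanted] if e in DEPRECATED_ENCTYPES]
    if weak:
        return True, True, f"{wanted} present but uses {', '.join(weak)}; rekey the trust with AES"
    return True, False, f"{wanted} present with modern enctypes"
```

Feed it the output of `klist -e` on the workstation after the PuTTY logon to see which of the two failure modes applies.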
