Hi,
On a Linux server I want to access a Windows server from Windows domain 
*sub.dnsdomain* using an account from parent Windows domain *dnsdomain*. 
The account has admin permissions to that server and can login using RDP.

I have configured Kerberos realms for both domains on the Linux server. I 
can then get a Kerberos ticket using kinit user. I can access servers from 
*dnsdomain*. But I cannot access the server from *sub.dnsdomain*.

[libdefaults]
        default_realm = DNSDOMAIN
        dns_lookup_realm = false
        #ticket_lifetime = 24h
        renew_lifetime = 7d
        rdns = false
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        ticket_lifetime = 600
        kdc_timesync = 1
        ccache_type = 4

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        DNSDOMAIN = {
                kdc = dc1.dnsdomain:88
                kdc = dc2.dnsdomain:88
                admin_server = dc1.dnsdomain:749
                default_domain = dnsdomain
        }
        SUB.DNSDOMAIN = {
                kdc = subdc1.sub.dnsdomain:88
                kdc = subdc2.sub.dnsdomain:88
                admin_server = subdc1.sub.dnsdomain:749
                default_domain = sub.dnsdomain
        }

[domain_realm]
        .dnsdomain = DNSDOMAIN
        dnsdomain = DNSDOMAIN
        .sub.dnsdomain = SUB.DNSDOMAIN
        sub.dnsdomain = SUB.DNSDOMAIN

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

Note: The Windows domain name differs from the DNS names. I'm not using it 
in Kerberos config.

Then I can do this:

$ kinit user
Password for user@DNSDOMAIN: 
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DNSDOMAIN

Valid starting       Expires              Service principal
07.08.2020 14:06:07  07.08.2020 14:16:00  krbtgt/DNSDOMAIN@DNSDOMAIN
        renew until 10.08.2020 14:06:07
$ rpcclient server.dnsdomain -k
rpcclient $> srvinfo
        XXXXXXX         
        platform_id     :       500
        os version      :       6.3
        server type     :       0x801013
rpcclient $> quit
$ rpcclient subserver.sub.dnsdomain -k
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

If I try to connect via Ansible/WinRM to the server in subdomain I get the 
error:

Server not found in Kerberos database

How do I get access to the server in the subdomain using an account from the 
parent domain?
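An added diagnostic, not part of the original post, that reads the [domain_realm] mapping from the krb5.conf above and works out which service principal the client will request for a given host, and which cross-realm TGT (krbtgt/SUB.DNSDOMAIN@DNSDOMAIN) a DNSDOMAIN ticket holder needs before the SUB.DNSDOMAIN KDC can issue it. It also lists the weak enctypes the config still permits. The suffix-matching approximates libkrb5's behaviour with dns_lookup_realm off, and the service names (cifs, HTTP) are assumptions, not taken from the post.

```python
import re
# Constructed sample: the [libdefaults] and [domain_realm] lines from the krb5.conf in the post.
SAMPLE_KRB5_CONF = """
[libdefaults]
        default_realm = DNSDOMAIN
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[domain_realm]
        .dnsdomain = DNSDOMAIN
        dnsdomain = DNSDOMAIN
        .sub.dnsdomain = SUB.DNSDOMAIN
        sub.dnsdomain = SUB.DNSDOMAIN
"""
# Enctypes MIT Kerberos treats as weak (DES) or deprecated (RC4); AD clients should not permit them.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "rc4-hmac", "arcfour-hmac"}

def parse_krb5_conf(text):
    """Return {section: {key: value}} for flat 'key = value' lines (nested realm blocks are not needed here)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    return sections

def host_realm(conf, host):
    """Map a host to a realm as libkrb5 does with dns_lookup_realm off: exact name, then dotted parent domains."""
    mapping, host = conf.get("domain_realm", {}), host.lower()
    labels = host.split(".")
    for candidate in [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]:
        if candidate in mapping:
            return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")

def diagnose(conf, tgt_principal, service, target_host):
    """Service principal the client will request and, if the realms differ, the cross-realm TGT it needs first."""
    client_realm = tgt_principal.rsplit("@", 1)[1]
    target_realm = host_realm(conf, target_host)
    cross = f"krbtgt/{target_realm}@{client_realm}" if target_realm != client_realm else None
    return {"spn": f"{service}/{target_host}@{target_realm}", "cross_realm_tgt": cross}

def weak_enctypes(conf):
    """Weak enctypes still listed in permitted_enctypes (assumed service names: cifs for rpcclient, HTTP for WinRM)."""
    enabled = conf.get("libdefaults", {}).get("permitted_enctypes", "").split()
    return sorted(set(enabled) & WEAK_ENCTYPES)
```

After a successful cross-realm request, klist should show the krbtgt/SUB.DNSDOMAIN@DNSDOMAIN ticket next to the service ticket; if it never appears, the parent KDC is not referring the client to the child realm.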
