OK, threw away Kerberos and switched to NTLM which works great.
Michael Richter wrote on Monday, 10 August 2020 at 09:42:41 UTC+2:
> Hi,
> On a Linux server I want to access a Windows server from Windows domain
> *sub.dnsdomain* using an account from parent Windows domain *dnsdomain*.
> The account has admin permissions to that server and can login using RDP.
>
> I have configured Kerberos realms for both domains on the Linux server. I
> can then get a Kerberos ticket using kinit user. I can access servers
> from *dnsdomain*. But I cannot access the server from *sub.dnsdomain*.
>
> [libdefaults]
> default_realm = DNSDOMAIN
> dns_lookup_realm = false
> #ticket_lifetime = 24h
> renew_lifetime = 7d
> rdns = false
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> ticket_lifetime = 600
> kdc_timesync = 1
> ccache_type = 4
>
> # The following krb5.conf variables are only for MIT Kerberos.
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
> fcc-mit-ticketflags = true
>
> [realms]
> DNSDOMAIN = {
> kdc = dc1.dnsdomain:88
> kdc = dc2.dnsdomain:88
> admin_server = dc1.dnsdomain:749
> default_domain = dnsdomain
> }
> SUB.DNSDOMAIN = {
> kdc = subdc1.sub.dnsdomain:88
> kdc = subdc2.sub.dnsdomain:88
> admin_server = subdc1.sub.dnsdomain:749
> default_domain = sub.dnsdomain
> }
>
> [domain_realm]
> .dnsdomain = DNSDOMAIN
> dnsdomain = DNSDOMAIN
> .sub.dnsdomain = SUB.DNSDOMAIN
> sub.dnsdomain = SUB.DNSDOMAIN
>
> [appdefaults]
> autologin = true
> forward = true
> forwardable = true
> encrypt = true
>
> Note: The Windows domain name differs from the DNS names. I'm not using it
> in Kerberos config.
>
> Then I can do this:
>
> $ kinit user
> Password for user@DNSDOMAIN:
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: user@DNSDOMAIN
>
> Valid starting Expires Service principal
> 07.08.2020 14:06:07 07.08.2020 14:16:00 krbtgt/DNSDOMAIN@DNSDOMAIN
> renew until 10.08.2020 14:06:07
> $ rpcclient server.dnsdomain -k
> rpcclient $> srvinfo
> XXXXXXX
> platform_id : 500
> os version : 6.3
> server type : 0x801013
> rpcclient $> quit
> $ rpcclient subserver.sub.dnsdomain -k
> Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
>
> If I try to connect via Ansible/WinRM to the server in the subdomain I get the
> error:
>
> Server not found in Kerberos database
>
> How do I get access to the server in the subdomain using an account from the
> parent domain?
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
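A small defensive check on the quoted krb5.conf, added here as an example and not part of either poster's message or the Ansible project: it parses the file (including brace-delimited realm blocks) and flags the single-DES and RC4 enctypes, the bare `ticket_lifetime = 600` (600 seconds, which matches the roughly ten-minute validity klist shows above) and the duplicated keys. The sample input is a constructed copy of the [libdefaults] section with the wrapped enctype lines rejoined.

```python
import re
from collections import defaultdict
# Constructed sample: the [libdefaults] keys from the quoted krb5.conf, wrapped enctype lines rejoined.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
ticket_lifetime = 600
kdc_timesync = 1
ccache_type = 4
kdc_timesync = 1
ccache_type = 4
"""
# Single-DES types are ignored by MIT krb5 unless allow_weak_crypto = true; RC4 is deprecated.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "rc4-hmac", "arcfour-hmac"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
def parse_krb5_conf(text):
    """{section: [(key, value), ...]}; keys in 'NAME = { ... }' become 'NAME.key'; list keeps duplicates."""
    sections, section, block = defaultdict(list), None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
        elif line.endswith("{"):  # realm-style sub-block
            block = line[:-1].split("=", 1)[0].strip()
        elif line == "}":
            block = None
        elif "=" in line and section:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[section].append((f"{block}.{key}" if block else key, value))
    return dict(sections)
def lifetime_seconds(value):
    """krb5 durations: a bare number is seconds; s/m/h/d suffixes are honoured."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    return int(m.group(1)) * UNITS[m.group(2)] if m else None
def audit(conf):
    """Flag weak enctypes, sub-hour ticket lifetimes and duplicate keys in [libdefaults]."""
    findings, entries = [], conf.get("libdefaults", [])
    for key, value in entries:
        if key.endswith("enctypes") and (weak := [e for e in value.split() if e in WEAK_ENCTYPES]):
            findings.append(f"{key}: weak enctypes {' '.join(weak)}")
        elif key == "ticket_lifetime" and (secs := lifetime_seconds(value)) is not None and secs < 3600:
            findings.append(f"ticket_lifetime: {secs}s (a bare number means seconds)")
    keys = [k for k, _ in entries]
    findings += [f"duplicate key {k}" for k in sorted(set(keys)) if keys.count(k) > 1]
    return findings
```

Run it against a real /etc/krb5.conf with `audit(parse_krb5_conf(open("/etc/krb5.conf").read()))`; an empty list means none of these three issues were found.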