On Mon, 2018-04-09 at 16:35 +0200, Sumit Bose wrote:
> On Fri, Apr 06, 2018 at 10:21:11PM +0200, Bastian Rosner wrote:
> > On 04/06/2018 09:59 PM, Jakub Hrozek wrote:
> > > 
> > > 
> > > > On 6 Apr 2018, at 17:54, Bastian Rosner <bro-s...@d00m.org> wrote:
> > > > 
> > > > Unfortunately, users from other domains can't use their Kerberos 
> > > > ticket, only password works. These users are specifying their domain on 
> > > > login.
> > > 
> > > This all sounds like the issue is not on the SSSD level, but perhaps the 
> > > krb5.conf configuration is missing the domain-realm mappings. But what 
> > > you said next was interesting:
> > 
> > This is the krb5.conf for a host in one of the other domains. My client
> > (both computer and user) is in sub1 and logs in to a host in sub2.
> > $ cat /etc/krb5.conf
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> > 
> > [libdefaults]
> >  default_realm = SUB2.EXAMPLE.COM
> >  dns_lookup_realm = true
> >  dns_lookup_kdc = true
> >  ticket_lifetime = 24h
> >  renew_lifetime = 7d
> >  forwardable = true
> >  rdns = false
> > 
> > Do I have to specify all domains in here? I thought the site/forest
> > discovery of sssd-ad should take care of all the other trusted subdomains.
> > 
> > > > Surprisingly, once logged in after authenticating with a password, 
> > > > foreign-domain users are able to issue a Kerberos ticket with kinit if 
> > > > they specify username@FQDN
> > > 
> > > Hmm, are you saying that if you log in with a password you don’t get a 
> > > TGT?
> > 
> > Actually I do get a ticket after logging in using a password:
> > $ klist
> > Ticket cache: FILE:/tmp/krb5cc_94821677_hr943p
> > Default principal: b...@sub1.example.com
> > 
> > Valid starting       Expires              Service principal
> > 04/06/2018 16:09:54  04/07/2018 02:09:54  krbtgt/sub1.example....@sub1.example.com
> >       renew until 04/13/2018 16:09:54
> > 
> > This ticket does not work on sub2 hosts but can be used for gssapi-with-mic
> > based authentication in sub1.

You might want to try this in krb5.conf:
[libdefaults]
        default_realm = DEF.COM

[realms]
        DEF.COM = {
                     default_domain = def.com
                     auth_to_local = RULE:[1:$1]
                     auth_to_local = RULE:[2:$1]
                     auth_to_local = DEFAULT
        }
        SUB.COM = {
                     default_domain = sub.com
                     auth_to_local = RULE:[1:$1]
                     auth_to_local = RULE:[2:$1]
                     auth_to_local = DEFAULT
        }

 Jocke
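An added example (not Jocke's configuration, and not code from MIT krb5 or
SSSD) to show what those auth_to_local entries actually do to a principal
from another realm. It is a simplified stand-alone evaluator of the
krb5.conf RULE/DEFAULT syntax; it assumes MIT-style RULE:[n:string](regexp)s/pattern/replacement/[g]
entries, full-string matching for the (regexp) part, Python's re in place
of the POSIX extended regexes libkrb5 uses, and that the rules are handed
in as a list taken from one [realms] stanza. The realm names, principals
and the STRICT_RULES variant are constructed for the example.

```python
import re

# Added example, not MIT krb5's or SSSD's code: a simplified, stand-alone
# evaluator for krb5.conf auth_to_local entries so the rules in the
# stanza above can be exercised against sample principals.  Assumptions:
# MIT-style syntax RULE:[n:string](regexp)s/pattern/replacement/[g] and
# DEFAULT, full-string matching for (regexp), and Python `re` standing in
# for the POSIX extended regexes libkrb5 uses.

RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"      # [n:string]   n = required component count
    r"(?:\(([^)]*)\))?"             # optional (regexp) the built string must match
    r"((?:s/[^/]*/[^/]*/g?)*)"      # optional s/pattern/replacement/[g] steps
)


def split_principal(principal):
    """'host/web.example.com@REALM' -> (['host', 'web.example.com'], 'REALM')."""
    if "@" not in principal:
        raise ValueError("principal has no realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Local name produced by one RULE:... entry, or None if it does not apply."""
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported auth_to_local entry: %r" % rule)
    ncomp, fmt, regexp, subs = m.groups()
    comps, realm = split_principal(principal)
    if len(comps) != int(ncomp):
        return None                      # rule only applies to n-component principals

    def expand(mm):                      # $0 = realm, $1..$n = principal components
        i = int(mm.group(1))
        if i == 0:
            return realm
        if i > len(comps):
            raise ValueError("rule %r references $%d" % (rule, i))
        return comps[i - 1]

    candidate = re.sub(r"\$(\d+)", expand, fmt)
    if regexp is not None and re.fullmatch(regexp, candidate) is None:
        return None
    for pat, rep, flag in re.findall(r"s/([^/]*)/([^/]*)/(g?)", subs):
        candidate = re.sub(pat, rep, candidate, count=0 if flag else 1)
    return candidate


def map_principal(rules, principal, default_realm):
    """First matching auth_to_local entry wins; None means the mapping fails."""
    for rule in rules:
        if rule == "DEFAULT":
            comps, realm = split_principal(principal)
            # DEFAULT only maps single-component principals of the default realm
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


# The three entries from the stanza above, plus a tighter, realm-checked
# variant (constructed for this example) that only admits SUB1.EXAMPLE.COM.
PERMISSIVE_RULES = ["RULE:[1:$1]", "RULE:[2:$1]", "DEFAULT"]
STRICT_RULES = [r"RULE:[1:$1@$0](^.*@SUB1\.EXAMPLE\.COM$)s/@.*//", "DEFAULT"]

if __name__ == "__main__":
    for rules in (["DEFAULT"], PERMISSIVE_RULES, STRICT_RULES):
        for p in ("bastian@SUB1.EXAMPLE.COM", "bastian@SUB2.EXAMPLE.COM",
                  "root@CORP.EXAMPLE.COM",
                  "host/web.sub2.example.com@SUB2.EXAMPLE.COM"):
            print(rules, p, "->", map_principal(rules, p, "SUB2.EXAMPLE.COM"))
```

Two things worth seeing in the output: with only the implicit DEFAULT
(which is what a krb5.conf without any auth_to_local gives you),
bastian@SUB1.EXAMPLE.COM on a SUB2.EXAMPLE.COM host maps to nothing, because
DEFAULT requires the default realm. With RULE:[1:$1] it maps to "bastian",
but so does root@CORP.EXAMPLE.COM map to "root": the rule throws the realm
away, so any single-component principal from any realm the host trusts
lands on the local account of the same name. The STRICT_RULES variant keeps
the realm in the string, checks it with the (regexp) part and only then
strips it, which is the shape to use if you do not want every trusted
realm's users to collide with local names.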
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
