Reputation: 51
We have mostly Linux users who log in via Kerberos. But we also have a few (<50) users who use both Linux and Windows. This is supposed to grow in the future. We would like to keep our user database on the Unix/Kerberos side.
But for some reason that eludes me I cannot get it to work yet.
I did the following after reading some guides (domains anonymized):
1) Add the ADDC to /etc/krb5.conf on the Linux KDC and Linux hosts (in the [realms] section)
[realms]
    AD.DOMAIN = {
        kdc = PDC.AD.DOMAIN
        admin_server = PDC.AD.DOMAIN
        default_domain = ad.domain
    }
2) Add cross realm principals on the Linux side
addprinc -pw <longPW> +requires_preauth [email protected]
addprinc -pw <longPW> +requires_preauth krbtgt/[email protected]
addprinc -pw <longPW> +requires_preauth krbtgt/[email protected]
3) Add realm info via ksetup to Windows ADDC and other Windows machines
ksetup
default realm = ad.domain (NT Domain)
LINUX.REALM:
kdc = kdc.linux.realm
kpasswd = kdc.linux.realm
Realm Flags = 0x0No Realm Flags
Mapping all users (*) to a local account by the same name (*).
4) Add Two-Way trust on Windows side via
netdom trust /d:LINUX.REALM ad /add /PT:longPW /realm /twoway
Check returns
nltest /TRUSTED_DOMAINS
List of domain trusts:
0: LINUX.REALM (MIT) (Direct Outbound) (Direct Inbound) ( Attr: non-trans )
1: AD ad.domain (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully
But also
netdom trust lst /d:LINUX.REALM /verify /KERBEROS /twoway
The command failed to complete successfully.
5) Add mapping to users
altSecurityIdentities for user ad\test shows kerberos: [email protected]
I can log in with ad\test (which is not what I want), but I cannot log in as [email protected], which is what I wanted.
On the other hand:
kinit [email protected]
Password for [email protected]:
root@kdc:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
21/07/2017 13:24 21/07/2017 23:24 krbtgt/[email protected]
renew until 22/07/2017 13:24
My problem: I cannot log in on the Windows side with principals [email protected]. As written in the topic, we want the Linux realm to be the account domain, not the AD, which should be possible as well, shouldn't it? We only want to have to handle account creation, deletion etc. in the Linux realm, having the Windows users log in with their Linux account/password.
What am I missing?
Upvotes: 2
Views: 1741
Reputation: 51
Doing
ksetup /addhosttorealmmap .dns.domain LINUX.REALM
on each Windows client mostly fixed this problem.
I can now log in with [email protected] to the Windows client with correct mapping.
Upvotes: 1
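The thread turns on two things: the host-to-realm mapping (which `ksetup /addhosttorealmmap` supplies on Windows and the `[domain_realm]` section of krb5.conf supplies on the MIT side), and the pair of cross-realm `krbtgt` principals from step 2 of the question. The Python below is an added example, not code from either post. It models the MIT `[domain_realm]` lookup (exact host first, then the longest matching `.suffix`) and checks that both directions of a two-way trust are present in a principal list. The `DOMAIN_REALM` table and the realm names are constructed to mirror the anonymized names in the question, and the `default_realm` fallback is a simplification of MIT's real behaviour, which has further fallbacks such as DNS lookups.

```python
"""Host-to-realm resolution and two-way trust sanity check.

Added example (not from the original post). Realm and domain names are
constructed to mirror the anonymized names in the question.
"""
from __future__ import annotations

# Constructed [domain_realm] mapping. Keys starting with "." match every
# host in that DNS domain; keys without a leading dot match one host only.
# The ".dns.domain" line is the MIT-side counterpart of the Windows
# command "ksetup /addhosttorealmmap .dns.domain LINUX.REALM".
DOMAIN_REALM: dict[str, str] = {
    "kdc.linux.realm": "LINUX.REALM",
    ".dns.domain": "LINUX.REALM",
    ".ad.domain": "AD.DOMAIN",
}


def realm_for_host(host: str,
                   mapping: dict[str, str] = DOMAIN_REALM,
                   default_realm: str = "LINUX.REALM") -> str:
    """Return the realm a service on `host` belongs to.

    Order of precedence, following the [domain_realm] rules:
      1. an exact hostname entry,
      2. the longest ".parent.domain" suffix entry,
      3. the configured default realm (simplification of MIT's fallbacks).
    """
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # For "a.b.c" try ".b.c" first, then ".c": longer suffixes win.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default_realm


def check_two_way_trust(principals: set[str],
                        realm_a: str, realm_b: str) -> list[str]:
    """Return the cross-realm krbtgt principals a two-way trust between
    realm_a and realm_b requires but that are missing from `principals`
    (for example the output of kadmin's listprincs, parsed into a set).

    krbtgt/A@B is held by realm B and lets B's users reach services in A;
    krbtgt/B@A is held by realm A and lets A's users reach services in B.
    Both are needed for the Linux accounts to log in to AD hosts and for
    AD accounts to reach Linux services.
    """
    needed = {
        f"krbtgt/{realm_a}@{realm_b}",
        f"krbtgt/{realm_b}@{realm_a}",
    }
    return sorted(needed - principals)


if __name__ == "__main__":
    for h in ("kdc.linux.realm", "ws01.dns.domain", "pdc.ad.domain"):
        print(f"{h:20} -> {realm_for_host(h)}")
    # Constructed principal list with one direction of the trust missing.
    have = {"krbtgt/AD.DOMAIN@LINUX.REALM", "krbtgt/LINUX.REALM@LINUX.REALM"}
    print("missing:", check_two_way_trust(have, "LINUX.REALM", "AD.DOMAIN"))
```

A host that matches no entry falls through to the default realm; that is the situation the answer fixed on the Windows clients, where a missing host-to-realm entry made the client look for the wrong realm's KDC. The trust check is the Linux-side analogue of `netdom trust ... /verify`: it only confirms that both `krbtgt` principals exist, not that their passwords match the ones entered on the Windows side.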