Jacek K.

Reputation: 11

linux kerberos auth to two domains

I need auth to two independent domains on my CentOS7 via krb5. Is it possible? For example when I use login name1 who is in domain1 or when I use login2 who is in domain2. Logins are unique and are not repeated in domains. My example conf file is below; I can auth only to default_realm.

krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = DOMAIN1.COM
dns_lookup_kdc = false
dns_lookup_realm = false

 
[realms]
DOMAIN1.COM = {
  kdc = adc.domain1.com
  admin_server = adc.domain1.com
}
 
DOMAIN2.COM = {
  kdc = adc.domain2.com
  kdc = adc.domain2.com
  admin_server = 192.168.3.24:749
}
 
[domain_realm]
domain1.com = DOMAIN1.COM
.domain1.com = DOMAIN1.COM
domain2.com = DOMAIN2.COM
.domain2.com = DOMAIN2.COM
 
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

Upvotes: 1

Views: 1475

Answers (3)

jayhendren

Reputation: 4511

Contrary to the top answer, this is absolutely possible to do. There are three steps to allow switching between multiple principals for different services.

The first step is to configure your krb5.conf for each realm/domain, which it sounds like you have already done.

The second step is to configure mappings between principals and services in your ~/.k5identity file. This ensures that each service you are authenticating to uses the correct principal. The man page for .k5identity explains how to do this. I have copied the example snippet from the man page here:

alice@KRBTEST.COM       realm=KRBTEST.COM
alice/enterprise@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap

The third step is to use a directory for your credentials cache instead of a file (which is the default). This allows for simultaneous caching of multiple different principals. You can do this by setting the KRB5CCNAME environment variable with a DIR: prefix like so:

export KRB5CCNAME=DIR:~/.krb5cc

Once you have done these steps, you should be able to kinit against one realm, then kinit against another realm, and then use your kerb-enabled services as normal. As the example above suggests, you can even use this method for multiple different principals within the same realm.

Upvotes: 0
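To make the second step concrete, here is an added example (not from the answer above or from MIT krb5) that parses a constructed .k5identity file for the asker's two realms and applies the man page's first-matching-line rule, so you can check which principal a given realm, host and service would select before relying on it. The principals and host names are hypothetical, and the case handling is an assumption of this example.

```python
import fnmatch

# Constructed .k5identity for a user who holds name1@DOMAIN1.COM and
# login2@DOMAIN2.COM at the same time (hypothetical hosts, not from the post).
K5IDENTITY = """
# comments and blank lines are ignored
name1@DOMAIN1.COM    realm=DOMAIN1.COM
name1@DOMAIN1.COM    host=*.domain1.com
login2@DOMAIN2.COM   host=files.domain2.com service=cifs
login2@DOMAIN2.COM   realm=DOMAIN2.COM
"""

FIELDS = ("realm", "service", "host")


def parse_k5identity(text):
    """Return [(principal, {field: value}), ...] in file order.

    A line is a client principal followed by whitespace-separated
    field=value pairs; only realm, service and host are recognised."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        principal, *fields = line.split()
        conds = {}
        for f in fields:
            key, _, value = f.partition("=")
            if key not in FIELDS or not value:
                raise ValueError(f"bad field {f!r} in line {raw!r}")
            conds[key] = value
        rules.append((principal, conds))
    return rules


def select_principal(rules, realm, host, service):
    """First line whose every field matches wins, so file order matters.

    host values are shell-style patterns (e.g. *.servers.example.com);
    realm and host are compared case-insensitively here (an assumption),
    service names exactly.  Returns None when no line matches, in which
    case the library's normal default-principal selection applies."""
    have = {"realm": realm, "host": host, "service": service}
    for principal, conds in rules:
        ok = True
        for key, want in conds.items():
            val = have[key]
            if val is None:
                ok = False
            elif key == "host":
                ok = fnmatch.fnmatchcase(val.lower(), want.lower())
            elif key == "realm":
                ok = val.upper() == want.upper()
            else:
                ok = val == want
            if not ok:
                break
        if ok:
            return principal
    return None
```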

Samson Scharfrichter

Reputation: 9067

You can have only one "default_realm" in your config. And you are not supposed to have multiple identities at the same time (whether in the same or different realms).

A. For client/server applications that have to propagate the client identity, or impersonate the client, you have to manage that in your code (e.g. doAs() in Java) and it's not trivial

B. For running separate apps with separate identities under the same Linux account, you have to cheat with multiple krb5.conf and multiple credential caches, by setting env vars KRB5_CONFIG and KRB5CCNAME for each app

Upvotes: 2

Matt Andruff

Reputation: 5125

I think what you actually want is Trust between the two domains.

11.5.1. A Trust Relationship

A trust means that the users within one realm are trusted to access the resources in another domain as if they belonged to that realm. This is done by creating a shared key for a single principal that is held in common by both domains.

This sounds like it would solve your issue.

Upvotes: -1
