Pumices

Reputation: 315

Kerberos Authentication Across Multiple Domains and Network Interfaces

I am trying to figure out how to set up passwordless Kerberos authentication with some unusual requirements.

-- The Setup --

There are 2 networks: N1 and N2.

There are 2 locations: the first location is where all the workstations are located and only has access to network N1; the second is where all the servers are located and is connected to both N1 and N2.

All of the workstations are Windows machines, use the domain *.example.com, and are managed via a Windows domain server.

All of the servers are RHEL machines and have two domain names: *.a.example.com [the server's address on network N1] and *.b.example.com [the server's address on network N2].

-- The Need --

I need a user to be able to ssh into a server over network N1; this can be done via password or Kerberos. From that server, the user needs to be able to passwordless ssh into all the other servers using either of the server's domain names.

-- What I've Tried --

A lot; I've been trying to make this work for 3-4 weeks now, but I'll go over where I'm currently at, as it seems to be the closest.

In this setup I'm able to ssh via password from a workstation to server1.a.example.com and from there I can ssh without password to any other serverX.a.example.com all over network N1 as expected.

The problem is when I try to ssh into serverX.b.example.com I get a "Server not found in Kerberos database". I was hoping by adding the b.example.com domain controller and manually adding the host I would add that machine to the database but it did not.

I've reached the limit of my knowledge of Kerberos, Active Directory, and SSH so I have just been going in circles the last week or so. Any help would be greatly appreciated.

-- Config Files --

krb5.conf

includedir /var/lib/sss/pubconf/krb5.include.d/
includedir /etc/krb5.conf.d/

[logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

[libdefaults]
   dns_lookup_realm = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = false
   rdns = false
   pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
   spake_preauth_groups = edwards25519
   default_realm = A.EXAMPLE.COM
   default_ccache_name = KEYRING:persistent:%{uid}
   dns_canonicalize_hostname = true
   ignore_acceptor_hostname = true

[realms]
A.EXAMPLE.COM = {
   kdc = aserver.a.example.com
   admin_server = aserver.a.example.com
}
B.EXAMPLE.COM = {
   kdc = bserver.b.example.com
   admin_server = bserver.b.example.com
}
EXAMPLE.COM = {
   kdc = server.example.com
   admin_server = server.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.a.example.com = A.EXAMPLE.COM
a.example.com = A.EXAMPLE.COM
.b.example.com = B.EXAMPLE.COM
b.example.com = B.EXAMPLE.COM

sssd.conf

[sssd]
default_domain_suffix = a.example.com
domains = a.example.com, b.example.com
config_file_version = 2
services = nss,pam,ssh

[domain/a.example.com]
ad_domain = a.example.com
krb5_realm = A.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

# I have tried both with and without this block
[domain/b.example.com]
ad_domain = b.example.com
krb5_realm = B.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

sshd_config

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication yes
ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStrictAcceptorCheck no

UsePam yes
X11Forwarding yes
PrintMotd yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem sftp /usr/libexec/openssh/sftp-server

EDIT

-- Additional Details --

Below is the keytab for serverx once I realm join a.example.com

[email protected]
[email protected]
host/[email protected]
host/[email protected]
host/[email protected]
host/[email protected]
RestrictedKrbHost/[email protected]
RestrictedKrbHost/[email protected]
RestrictedKrbHost/[email protected]
RestrictedKrbHost/[email protected]

When I ssh from server1, I get a tgt from the b.example.com server but Kerberos is looking for host/[email protected] which the host does not have in its keytab. Maybe if I manually add those entries it might work.

EDIT 2

That will not work because it never even passes the ticket to serverx, the domain server returns the error "TGS request result: -1765328377/Server not found in Kerberos database"

So I guess the question is how do I manually add a host into the windows domain Kerberos database.

EDIT 3

I tried adding the SPN host/[email protected] and RestrictedKrbHost/[email protected] to the SERVERX computer in the a.example.com domain controller, but now I get an "Illegal cross-realm ticket" error.

So I removed those and tried adding them to the SERVERX computer in the b.example.com domain controller, but then I get a "The ticket isn't for us" error.

EDIT 4

Now I have added host/[email protected] and RestrictedKrbHost/[email protected] to the SERVERX computer in the b.example.com domain controller and host/[email protected] to SERVERX keytab.

This gets me close, but the issue is that the kvno (and likely the encryption key) do not match, because on serverx they are set via the a.example.com domain controller, but when server1 requests a ticket it gets it from the b.example.com domain controller.

Now I have to figure out how to create the SPN in the b.example.com domain controller using the encryption key and kvno from the a.example.com domain controller. This sounds unlikely to be allowed.

Upvotes: 1

Views: 4421

Answers (1)

Pumices

Reputation: 315

THE SOLUTION

Process listed below

  • Make sure you have limited the encryption types allowed for Kerberos on the domain server to AES128_HMAC_SHA1 + AES256_HMAC_SHA1 + Future Encryption Types.
  • Make sure each user account has "This account supports Kerberos AES 128/256 bit encryption" enabled
  • Add the host manually as a computer to both a & b domain servers
  • Join server1 to domain a
  • Join serverx to domain a
  • On domain server b run the following command
    ktpass /princ host/[email protected] /out serverx.keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL -desonly /mapuser B\serverx +setupn +rndPass +setpass +answer
    
  • Securely copy serverx.keytab to serverx
  • On serverx merge the keytabs using ktutil
    > ktutil
    ktutil: read_kt /etc/krb5.keytab
    ktutil: read_kt serverx.keytab
    ktutil: write_kt /etc/krb5.keytab
    ktutil: quit
    
  • Make sure to destroy any existing tickets and it should all work.
  • Lament the weeks of time spent on this

All that is left is to write some scripts to automate this so I don't have to do it manually for a large number of machines.

Upvotes: 0
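The question's error trail and the answer's fix both come down to three things lining up for a multi-homed host: the service principal the ssh client asks for is derived from the target name through krb5.conf's [domain_realm] (so serverx.b.example.com is looked up in B.EXAMPLE.COM, not in the realm serverx was joined to), the KDC of that realm must have that SPN registered (otherwise "Server not found in Kerberos database"), and the server's keytab must hold a key for that SPN at the kvno the KDC is issuing (the mismatch in EDIT 4). The script below is an added example, not code from the question or the answer. It models those three checks offline: the [domain_realm] walk follows the static-mapping order libkrb5 uses (exact name, then each parent domain with a leading dot, then default_realm), DNS realm lookup is not modelled, and the KDC tables, keytab listings and kvno values 2 and 3 are constructed to mirror the post rather than real `kvno`/`klist -ke` output.

```shell
#!/bin/sh
# Added example (not from the original post). Shows which principal an ssh
# client will request for a host name, whether the KDC for that realm knows it,
# and whether the server keytab can decrypt a ticket for it at the right kvno.
# Tables below are constructed for illustration; dns_lookup_realm is ignored.

# [domain_realm] from the post's krb5.conf, one "domain realm" pair per line.
DOMAIN_REALM='
.example.com EXAMPLE.COM
example.com EXAMPLE.COM
.a.example.com A.EXAMPLE.COM
a.example.com A.EXAMPLE.COM
.b.example.com B.EXAMPLE.COM
b.example.com B.EXAMPLE.COM
'
DEFAULT_REALM=A.EXAMPLE.COM

# lookup_realm HOST: exact match, then parent domains with a leading dot
# (.b.example.com, .example.com, .com), then default_realm.
lookup_realm() {
    _host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    _key=$_host
    while :; do
        _realm=$(printf '%s\n' "$DOMAIN_REALM" | awk -v k="$_key" '$1 == k { print $2; exit }')
        if [ -n "$_realm" ]; then printf '%s\n' "$_realm"; return 0; fi
        case $_host in
            *.*) _host=${_host#*.}; _key=.$_host ;;
            *)   printf '%s\n' "$DEFAULT_REALM"; return 0 ;;
        esac
    done
}

# spn_for_host HOST: the host/<fqdn>@REALM principal the ssh client asks the KDC for.
spn_for_host() {
    printf 'host/%s@%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" "$(lookup_realm "$1")"
}

# principal_kvno TABLE PRINCIPAL: kvno from "KVNO principal" lines (the shape
# of klist -ke output); prints nothing when the principal is absent.
principal_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1; exit }'
}

# diagnose KDC_TABLE KEYTAB_TABLE HOST: OK, KDC_NO_SPN, KEYTAB_NO_KEY or
# KVNO_MISMATCH, in the order the real failures show up.
diagnose() {
    _spn=$(spn_for_host "$3")
    _kdc=$(principal_kvno "$1" "$_spn")
    _kt=$(principal_kvno "$2" "$_spn")
    if [ -z "$_kdc" ]; then echo KDC_NO_SPN            # TGS: Server not found in Kerberos database
    elif [ -z "$_kt" ]; then echo KEYTAB_NO_KEY        # ticket issued, sshd has no key to decrypt it
    elif [ "$_kdc" != "$_kt" ]; then echo KVNO_MISMATCH # keytab key is a different version than the KDC's
    else echo OK; fi
}

# Constructed tables (kvno values invented). KDC_* stand in for what the realm's
# KDC would answer; KEYTAB_* for klist -ke on serverx, enctypes omitted.
KDC_A='2 host/serverx.a.example.com@A.EXAMPLE.COM'
KDC_B_BEFORE=''                                          # nothing registered for serverx in domain b
KDC_B_AFTER='3 host/serverx.b.example.com@B.EXAMPLE.COM' # after the ktpass /princ ... /mapuser step
KEYTAB_JOIN_A='2 host/serverx.a.example.com@A.EXAMPLE.COM'
KEYTAB_EDIT4="$KEYTAB_JOIN_A
2 host/serverx.b.example.com@B.EXAMPLE.COM"              # entry added by hand, wrong kvno
KEYTAB_MERGED="$KEYTAB_JOIN_A
3 host/serverx.b.example.com@B.EXAMPLE.COM"              # after ktutil merge of the ktpass keytab

for h in serverx.a.example.com serverx.b.example.com; do
    printf '%-24s -> %s\n' "$h" "$(spn_for_host "$h")"
done
echo "before any fix:   $(diagnose "$KDC_B_BEFORE" "$KEYTAB_JOIN_A" serverx.b.example.com)"
echo "after EDIT 4:     $(diagnose "$KDC_B_AFTER" "$KEYTAB_EDIT4" serverx.b.example.com)"
echo "after the answer: $(diagnose "$KDC_B_AFTER" "$KEYTAB_MERGED" serverx.b.example.com)"
```

Two practitioner caveats that follow from this model: `GSSAPIStrictAcceptorCheck no` and `ignore_acceptor_hostname` only relax which keytab entry sshd will accept, they do not change which principal the client requests from which KDC, so they cannot fix a missing SPN on the B KDC; and ktutil's write_kt appends, so the answer's read_kt /etc/krb5.keytab followed by write_kt to the same file leaves duplicate copies of the original entries (harmless, but writing to a new file and moving it into place is cleaner). On a real host the equivalent of the constructed tables is `kvno host/serverx.b.example.com` against the KDC and `klist -ke /etc/krb5.keytab` on serverx.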
