[TriLUG] kerberos / ssh questions

Dewey Hylton via TriLUG trilug at trilug.org
Tue Mar 28 17:34:57 EDT 2017


I have two AD domains, connected via a one-way trust. I have CentOS 7 installations on
each side of that trust, each joined to its respective AD via realmd (and sssd).
All user objects are in the trusted domain. An AD user can connect via ssh to a
trusted Linux box, authenticate, have their home directory created, and get a
shell session. Works like a charm. Not so much on a trusting box, however. The
trusting box has access to its KDC (Windows domain controller) but is blocked from
the trusted KDC via firewall. Basically, the trusted realm is corporate, whereas
the trusting realm is in the DMZ.

Research shows a post about a year old stating that cross-domain trusts in the AD
world weren't working at that point; I haven't found anything newer than that. That
was for sssd. Any suggestions for making this work would be gratefully accepted.

Meanwhile, on the trusting boxes I've installed pam_krb5 and am able to get an
ssh session with a trusted user account. Currently this requires creating an
appropriately-named user on the trusting box and adding the username@REALM to that
user's ~/.k5login file ... that does work, but is of course a manual process.

So, a few questions for those who may have a better grip on this than I do:

1) Is there a krb5.conf configuration item which would remove the need for the
   .k5login file? I've attempted three or four things found in the documentation
   for pam_krb5(5) and krb5.conf(5), such as:
   - always_allow_localname
   - ignore_k5login
   - auth_to_local
   ... I've also attempted to provide arguments to pam_krb5 in the PAM config files,
   but none seemed to make a difference at all: the user logs in with a proper .k5login
   and fails without.

2) If I could get past #1, a hint/recipe for auto-creating the home directory would
   be extremely helpful as well. I've played with oddjob-mkhomedir but think I may
   have a chicken-and-egg issue. It's also possible that I just don't understand
   how to properly configure it with regards to PAM. No, actually, that's a fact.

3) Is anyone else doing anything similar? Any success with the cross-realm thing
   with sssd that I'm missing out on?

4) kinit followed by ssh works great from other Linux boxes ... Bitvise seems to
   work reliably on the Windows side, PuTTY does not. Hints in that area are
   welcomed too ...
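Question #1 turns on what MIT krb5's auth_to_local rules and krb5_kuserok() actually compute, so here is an added worked example (not code from the list post, and not the poster's configuration) that evaluates the RULE/DEFAULT syntax from krb5.conf(5) against a few principals. Realm names (CORP.EXAMPLE.COM as the trusted realm, DMZ.EXAMPLE.COM as the trusting one), the KDC hostname, the principals and the sample .k5login contents are all constructed for illustration. It assumes the auth_to_local lines sit in the default realm's block under [realms], where MIT reads them, and models krb5_kuserok() the way pam_krb5 uses it by default: an existing ~/.k5login is authoritative, and without one the mapped local name must equal the login name. Only the literal-pattern subset of the s/// substitution is implemented, and Python's re stands in for the POSIX regex MIT uses.

```python
"""Evaluate MIT krb5 auth_to_local rules (RULE:[n:string](regexp)s/pat/rep/g
and DEFAULT) and a model of krb5_kuserok().  Added example; realm names,
hosts, principals and .k5login contents are constructed for illustration."""
import re

# Constructed krb5.conf for the trusting (DMZ) box.  The RULE strips the
# trusted realm, so jdoe@CORP.EXAMPLE.COM becomes the local name "jdoe";
# DEFAULT only ever maps one-component principals in the default realm.
KRB5_CONF = r"""
[libdefaults]
    default_realm = DMZ.EXAMPLE.COM

[realms]
    DMZ.EXAMPLE.COM = {
        kdc = dc1.dmz.example.com
        auth_to_local = RULE:[1:$1@$0](^.*@CORP\.EXAMPLE\.COM$)s/@CORP\.EXAMPLE\.COM$//
        auth_to_local = DEFAULT
    }
"""


def extract_auth_to_local(conf, realm):
    """Return the auth_to_local values of one [realms] block, in file order."""
    rules, in_realms, in_block = [], False, False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_realms = line == "[realms]"
        elif in_realms and not in_block:
            in_block = re.fullmatch(rf"{re.escape(realm)}\s*=\s*\{{", line) is not None
        elif in_block:
            if line == "}":
                break
            key, _, value = line.partition("=")
            if key.strip() == "auth_to_local":
                rules.append(value.strip())
    return rules


_RULE_HEAD = re.compile(r"^RULE:\[(\d+):([^\]]*)\]")
_SUBST = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def _split_principal(principal):
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def _apply_rule(rule, principal):
    """One RULE: returns the local name, or None if the rule does not apply."""
    head = _RULE_HEAD.match(rule)
    if not head:
        raise ValueError(f"unsupported rule: {rule}")
    ncomp, fmt, rest = int(head.group(1)), head.group(2), rule[head.end():]
    comps, realm = _split_principal(principal)
    if len(comps) != ncomp:          # [n:...] applies only to n-component names
        return None
    # $0 is the realm, $k the k-th component (1-based)
    text = re.sub(r"\$(\d+)", lambda m: realm if int(m.group(1)) == 0
                  else comps[int(m.group(1)) - 1], fmt)
    if rest.startswith("("):         # optional (regexp): whole string must match
        depth, end = 0, 0
        for end, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                break
        regexp, rest = rest[1:end], rest[end + 1:]
        if re.fullmatch(regexp, text) is None:
            return None
    for pat, rep, glob in _SUBST.findall(rest):   # s/pat/rep/[g] in order
        text = re.sub(pat, rep, text, count=0 if glob else 1)
    return text


def map_principal(principal, rules, default_realm):
    """First applicable auth_to_local rule wins; None means no local name."""
    comps, realm = _split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            local = comps[0] if len(comps) == 1 and realm == default_realm else None
        else:
            local = _apply_rule(rule, principal)
        if local is not None:
            return local
    return None


def kuserok(principal, username, rules, default_realm, k5login=None):
    """Model of krb5_kuserok(): k5login is the list of principals from the
    user's ~/.k5login (constructed here, not read from disk) or None when the
    file is absent.  An existing file is authoritative; otherwise the
    auth_to_local mapping must produce the login name."""
    if k5login is not None:
        return principal in k5login
    return map_principal(principal, rules, default_realm) == username


RULES = extract_auth_to_local(KRB5_CONF, "DMZ.EXAMPLE.COM")

if __name__ == "__main__":
    for p in ("jdoe@CORP.EXAMPLE.COM", "jdoe@DMZ.EXAMPLE.COM",
              "host/web1.dmz.example.com@DMZ.EXAMPLE.COM"):
        print(p, "->", map_principal(p, RULES, "DMZ.EXAMPLE.COM"))
```

With only DEFAULT in place the trusted-realm principal maps to nothing, which is the "works with .k5login, fails without" behaviour; with the RULE it maps to jdoe and kuserok() passes without any .k5login. Whatever local name the mapping yields still has to resolve through NSS (getpwnam) for the login to proceed and for oddjob-mkhomedir to find a home directory path to create, so the mapping alone does not remove the need for the account to exist somewhere.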

