Authenticate in multiple realms

Authenticate in multiple realms

Ragnar Sundblad-2

Hello all,

In a transition phase while migrating services from one realm to
another, we would like to authenticate users in both the old and
the new realm (the users (will) have the same username in both
realms).

I want both the services to auth foo@A and foo@B as user foo,
and password swallowing things, like the pam module, to try
checking out tickets in both realm A and B. (The pam thing could
probably be solved with multiple calls to the module, but there
may be more cases that should be handled.)

I believe I have heard that you can somehow have multiple
"default_realm" entries. Is this true? Is it recommended?

Thanks for any hints or ideas!

/ragge

Re: Authenticate in multiple realms

Lars-Johan Liman
[hidden email]:
> Hello all,

Hi, Ragge! Long time no see! :-)

> In a transition phase while migrating services from one realm to
> another, we would like to authenticate users in both the old and
> the new realm (the users (will) have the same username in both
> realms).

> I want both the services to auth foo@A and foo@B as user foo,
> and password swallowing things, like the pam module, to try
> checking out tickets in both realm A and B. (The pam thing could
> probably be solved with multiple calls to the module, but there
> may be more cases that should be handled.)

> I believe I have heard that you can somehow have multiple
> "default_realm" entries. Is this true? Is it recommended?

> Thanks for any hints or ideas!

Can't this be done using ordinary cross-realm authentication?

https://github.com/heimdal/heimdal/wiki/Cross-realm

                                Cheers,
                                  /Liman
                                   (Using my old e-mail address as I've
                                   forgotten to change on this list.
                                   Will do ...)
#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc.               !  E-mail: [hidden email]
# Senior Systems Specialist             !  Tel: +46 8 - 562 860 12
# Netnod Internet Exchange, Stockholm   !  http://www.netnod.se/
#----------------------------------------------------------------------
Re: Authenticate in multiple realms

Love Hörnquist Åstrand
In reply to this post by Ragnar Sundblad-2

> On 18 Nov 2014, at 09:31, Ragnar Sundblad <[hidden email]> wrote:
>
>
> Hello all,
>
> In a transition phase while migrating services from one realm to
> another, we would like to authenticate users in both the old and
> the new realm (the users (will) have the same username in both
> realms).
>
> I want both the services to auth foo@A and foo@B as user foo,
> and password swallowing things, like the pam module, to try
> checking out tickets in both realm A and B. (The pam thing could
> probably be solved with multiple calls to the module, but there
> may be more cases that should be handled.)
>
> I believe I have heard that you can somehow have multiple
> "default_realm" entries. Is this true? Is it recommended?

It used to work once upon a time.

The default_realm trick only gets you there partway; you also need to fix all native clients that today don't have any support like that.

Nico's an2ln fixup in the upcoming 1.6 release might partly help you there.

Getting both credentials is not going to help you long term; it's just complicated, and most tools don't deal right when there is more than one.

A flag day is the best: track down the most used servers (you have the KDC logs) and fix them over a weekend; most of the work can be prepared.

Love

Re: Authenticate in multiple realms

Ragnar Sundblad-2
In reply to this post by Lars-Johan Liman

> On 18 nov 2014, at 10:17, Lars-Johan Liman <[hidden email]> wrote:
>
> [hidden email]:
>> Hello all,
>
> Hi, Ragge! Long time no see! :-)

Hi Liman!

>> In a transition phase while migrating services from one realm to
>> another, we would like to authenticate users in both the old and
>> the new realm (the users (will) have the same username in both
>> realms).
>
>> I want both the services to auth foo@A and foo@B as user foo,
>> and password swallowing things, like the pam module, to try
>> checking out tickets in both realm A and B. (The pam thing could
>> probably be solved with multiple calls to the module, but there
>> may be more cases that should be handled.)
>
>> I believe I have heard that you can somehow have multiple
>> "default_realm" entries. Is this true? Is it recommended?
>
>> Thanks for any hints or ideas!
>
> Can't this be done using ordinary cross-realm authentication?

Yes, but we would like to avoid having to mess with everybody's
.k5login, AFS access lists and groups, Cyrus access lists, etc.

/ragge

Re: Authenticate in multiple realms

Ragnar Sundblad-2
In reply to this post by Love Hörnquist Åstrand

> On 18 nov 2014, at 11:18, Love Hörnquist Åstrand <[hidden email]> wrote:
>
>
>> On 18 Nov 2014, at 09:31, Ragnar Sundblad <[hidden email]> wrote:
>>
>>
>> Hello all,
>>
>> In a transition phase while migrating services from one realm to
>> another, we would like to authenticate users in both the old and
>> the new realm (the users (will) have the same username in both
>> realms).
>>
>> I want both the services to auth foo@A and foo@B as user foo,
>> and password swallowing things, like the pam module, to try
>> checking out tickets in both realm A and B. (The pam thing could
>> probably be solved with multiple calls to the module, but there
>> may be more cases that should be handled.)
>>
>> I believe I have heard that you can somehow have multiple
>> "default_realm" entries. Is this true? Is it recommended?
>
> It used to work once upon a time.

Is there something that is known not to work anymore?

> The default_realm trick only gets you there partway, you also need to fix all native clients that today doesn’t have any support like that.

My thought was that that is why it would be nice to have both
realms working at the same time for the services, so we can have
some time to make the transition and find all of those who need
some reconfiguration or similar.
But maybe I am missing something - do you have an example?

> Nico’s an2ln fixup in the upcoming 1.6 release might partly help you there.

Ok, thanks! I'll look into that.

> Getting both credentials are long term not going to help you, its just complicated and most tools doesn’t deal right when there is more then one.

My thought was that the user should get credentials only from the
first realm that she successfully authenticates to (and the first
one should be the new one). When people are no longer
authenticating in the old realm, the transition is done.

> A flag day is the best, track down the most use servers (you have the KDC logs) and fix them over a a weekend, most of the work can be prepared.

Ok. I would like to avoid that - all problems need to be either found
and solved beforehand, or will be discovered and need to be solved
in a short time after - problems including ancient krb5.confs on
users' own machines, hard realm mappings in strange kerberized
clients, etc etc.

/ragge
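The mapping Ragnar asks for in the original post (foo@A and foo@B both becoming local user foo, nothing else accepted) is the "auth to local" step that Love's an2ln remark and Henry's later reply point at. Below is an added example of that step, not code from the thread or from Heimdal; the realm names and the accepted-realm order are constructed placeholders.

```python
"""Realm-aware principal -> local-name mapping (added example).

Accept plain user principals from the old and the new realm as the same
local account, reject service principals and every other realm.
"""
from __future__ import annotations
from typing import Optional

# Constructed: the two realms of the migration, most trusted first.
# Shrink this to just the new realm once the old one is switched off.
ACCEPTED_REALMS = ("NEW.EXAMPLE", "OLD.EXAMPLE")


def parse_principal(principal: str) -> tuple[list[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm).

    Backslash escapes ('\\@', '\\/') are honoured, so a name such as
    'a\\@b@REALM' is not mis-split at the escaped '@'.
    """
    comps: list[str] = []
    cur: list[str] = []
    realm: Optional[str] = None
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):   # escaped character
            cur.append(principal[i + 1])
            i += 2
            continue
        if ch == "/":                                # component separator
            comps.append("".join(cur))
            cur = []
        elif ch == "@":                              # everything after is the realm
            comps.append("".join(cur))
            realm = principal[i + 1:]
            break
        else:
            cur.append(ch)
        i += 1
    else:                                            # no unescaped '@' seen
        comps.append("".join(cur))
    if not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    return comps, realm


def auth_to_local(principal: str,
                  realms: tuple[str, ...] = ACCEPTED_REALMS) -> Optional[str]:
    """Return the local user name for principal, or None if not accepted.

    Only single-component principals (plain users) in an accepted realm map;
    host/... service principals and foreign realms never become a local user.
    Realm comparison is exact: Kerberos realm names are case-sensitive.
    """
    try:
        comps, realm = parse_principal(principal)
    except ValueError:
        return None
    if realm not in realms or len(comps) != 1 or not comps[0]:
        return None
    return comps[0]
```

Services that keep their own access lists (.k5login, AFS, Cyrus) would still need the same two-realm rule applied to those lists, which is the part of the problem this mapping does not solve.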

Re: Authenticate in multiple realms

Booker Bense-3


> On Tue, Nov 18, 2014 at 11:39 AM, Ragnar Sundblad <[hidden email]> wrote:
>
> > A flag day is the best, track down the most use servers (you have the KDC logs) and fix them over a a weekend, most of the work can be prepared.
>
> Ok. I would like to avoid that - all problems need to be either found
> and solved beforehand, or will be discovered and need to be solved
> in a short time after - problems including ancient krb5.confs on
> users' own machines, hard realm mappings in strange kerberized
> clients, etc etc.
>
> /ragge


You are damned if you do and damned if you don't. Kerberos realms are incredibly sticky, which is why most people never attempt to switch realms. It's really a question of how long you want the pain to last. The dual ticket solution is going to be a long ongoing source of weird hacks and problems, and some services simply won't work without a huge amount of hacking. Unless you've got a strong team and source code to every critical application, it will be the death of a thousand cuts. I would only attempt it if Kerberos was only being used for one or two applications.

The flag day will suck, but at least once you solve a problem, you will have solved it in the long term.

One thing that might help a lot is to have password syncing on the back end to ensure that the new realm can be a "drop in" replacement for the old realm.

- Booker C. Bense
Re: Authenticate in multiple realms

Henry B Hotz
Just my $0.02, but I’d go the cross-realm route. Use Nico’s auth to local stuff if it helps for any service. Note that MIT has a similar capability.

I’m assuming that you really can auto-provision everyone in both realms with the same password, and you know which realm every service is operating in. Then you can define every service’s realm in the [domain_realm] section on the kdc’s and the clients should take care of themselves.

You can spread out the pain of moving all your clients and servers over for as long as you want. When done, just turn off the old realm and nothing will happen.

It should be trivially obvious that I’m not oversimplifying anything. ;-)

On Dec 3, 2014, at 8:17 AM, Booker Bense <[hidden email]> wrote:

>
>
> On Tue, Nov 18, 2014 at 11:39 AM, Ragnar Sundblad <[hidden email]> wrote:
>
>
> > A flag day is the best, track down the most use servers (you have the KDC logs) and fix them over a a weekend, most of the work can be prepared.
>
> Ok. I would like to avoid that - all problems need to be either found
> and solved beforehand, or will be discovered and need to be solved
> in a short time after - problems including ancient krb5.confs on
> users' own machines, hard realm mappings in strange kerberized
> clients, etc etc.
>
> /ragge
>
>
> You are damned if you do and damned if you don't. Kerberos realms are incredibly sticky; which is why most people
> never attempt to switch realms. It's really a question of how long you want the pain to last. The dual ticket solution is
> going to be a long ongoing source of weird hacks and problems and some services simply won't work without a huge
> amount of hacking. Unless you've got a strong team and source code to every critical application, it will be the death
> of a thousand cuts. I would only attempt it if kerberos was only being used for one or two applications.
>
> The flag day will suck, but at least once you solve a problem, you will have solved it in the long term.
>
> One thing that might help a lot is to have password syncing on the back end to ensure that the new realm
> can be a "drop in" replacement for the old realm.
>
> http://www.eyrie.org/~eagle/software/krb5-sync/
>
> - Booker C. Bense

Personal email.  [hidden email]