Kerberos Database Sync with Sub-Domains

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Kerberos Database Sync with Sub-Domains

Jonathan Towles
Hi All,

I wanted to ask a question that I have been unable to get clear information on.

Is it technically or functionally possible to get a Kerberos ticket for someone in the sub-domain against the parent domain

Example:

User [hidden email]<mailto:[hidden email]> wants to get a Kerberos ticket against dc01.synterex.com but will fail because that user is not found in the database on that Domain Controller.

I didn't think that it was, but I wanted to check and see if anyone knows.

Jon Towles
CTO, Synterex
(m) 978-609-5545

[VMware Certified Professional - Digital Workspace 2020][VMware Certified Professional - Desktop and Mobility 2020][cid:image003.jpg@01D65926.16A527C0] [cid:image004.png@01D65926.16A527C0]  [cid:image005.png@01D65926.16A527C0] [cid:image006.png@01D65926.16A527C0]


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

image001.png (8K) Download Attachment
image002.png (8K) Download Attachment
image003.jpg (4K) Download Attachment
image004.png (11K) Download Attachment
image005.png (12K) Download Attachment
image006.png (19K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Kerberos Database Sync with Sub-Domains

Bryan Mesich
On Mon, Jul 13, 2020 at 06:58:39PM +0000, Jonathan Towles wrote:
> Hi All,

Hello,
 
> I wanted to ask a question that I have been unable to get clear information on.
>
> Is it technically or functionally possible to get a Kerberos ticket for someone in the sub-domain against the parent domain
>
> Example:
> User [hidden email]<mailto:[hidden email]> wants to get a Kerberos ticket against dc01.synterex.com but will fail because that user is not found in the database on that Domain Controller.

It is unclear to me based on your example if you are using one or
multiple realms in your environment.  Either way, you would want to have
a properly configured krb5.conf that contains the Kerberos Realm(s) and
domain-to-realm mapping information.  A single realm might look like the
following:

[realms]
  SYNTEREC.COM = {
        kdc = dc01.synterex.com
        admin_server = dc01.synterex.com
  }

[domain_realm]
  .synterex.com = SYNTEREC.COM

The above configuration would cause the client to request tickets from
the SYNTEREC.COM realm if the domain name contains .synterex.com (which
covers all subdomains as well).  A multiple realm configuration might
look like the following:

[realms]
  BOSTON.SYNTEREC.COM = {
        kdc = dc01.boston.synterex.com
        admin_server = dc01.boston.synterex.com
  }
  ATLANTA.SYNTEREC.COM = {
        kdc = dc01.atlanta.synterex.com
        admin_server = dc01.atlants.synterex.com
  }

[domain_realm]
  .boston.synterex.com = BOSTON.SYNTEREC.COM
  .atlanta.synterex.com = ATLANTA.SYNTEREC.COM

In this case, each subdomain has its own kerberos REALM.  The
domain_realm section maps the domain to the correct realm.

It is also possible to request a service ticket from a different realm
from which you have a valid TGT.  A cross-realm trust would need to be
setup to allow this.  We have this setup between our MIT Kerberos realm
and Active Directory realm (works quite nicely).

"User is not found in the database" can often point at user mapping
issue between your Unix/AD environment.  In your example, you would
want to make sure your AD user account "jon" exists (or change the
userPrincipalName attribute in AD to match your Unix account).  You can
also try specifying the principal name manually using kinit:

        kinit [hidden email]

Based off your email address and the fact that the domains being used
in your example match, your AD user name could be jjtowles.  In that
case, make sure your krb5.conf is configured properly and try using
kinit with:

        kinit [hidden email]

If the above works, then you'll have to change your userPrincipalName
attribute in AD to match your Unix account, or change your Unix account
name to match your AD account.  Without making the change, using
Kerberos with ssh is useless due to the fact your principal name doesn't
match your Unix ID.

> I didn't think that it was, but I wanted to check and see if anyone knows.

Good luck!

Bryan

> Jon Towles
> CTO, Synterex
> (m) 978-609-5545
>
> [VMware Certified Professional - Digital Workspace 2020][VMware Certified Professional - Desktop and Mobility 2020][cid:image003.jpg@01D65926.16A527C0] [cid:image004.png@01D65926.16A527C0]  [cid:image005.png@01D65926.16A527C0] [cid:image006.png@01D65926.16A527C0]
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos


--
Bryan Mesich
Sr. System Administrator
DIGI-KEY ELECTRONICS
+1 218.681.8000 x16104

Powered by Linux 4.18.0-147.0.3.el8_1.x86_64
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: Kerberos Database Sync with Sub-Domains

Jonathan Towles
Hi Bryan,

I think essentially the issue/question that comes up is what happens when you have say 5 domains, and you have people with the say domain name in those 5 domains.

So here's the use case:

Let's say I have 5 domains:

Synterex.com
Boston.synterex.com
Ny.synterex.com
Miami.synterex.com
Dallas.synterex.com

When I move to Office 365, I have to make my SMTP and UPN match. This will now make it so everyone in all 5 domains has a UPN ending in synterex.com

So, now I have an issue where you have user accounts in 5 domains all with the same REALM of SYNTEREX.COM.

In this situation, there's only two ways this can still work:

1. You move everyone to the synterex.com domain which can be a real nightmare
2. You find a way to point all authentication against the Synterex.com KDC and still be able to get tickets for users living in the sub-domains

I'm not sure if you can actually make #2 work or not. When I have tried, I get user not found in the database issues.

Jon Towles
CTO, Synterex
(m) 978-609-5545

 

-----Original Message-----
From: Bryan Mesich <[hidden email]>
Sent: Monday, July 13, 2020 11:01 PM
To: Jonathan Towles <[hidden email]>
Cc: [hidden email]
Subject: Re: Kerberos Database Sync with Sub-Domains

On Mon, Jul 13, 2020 at 06:58:39PM +0000, Jonathan Towles wrote:
> Hi All,

Hello,
 
> I wanted to ask a question that I have been unable to get clear information on.
>
> Is it technically or functionally possible to get a Kerberos ticket for someone in the sub-domain against the parent domain
>
> Example:
> User [hidden email]<mailto:[hidden email]> wants to get a Kerberos ticket against dc01.synterex.com but will fail because that user is not found in the database on that Domain Controller.

It is unclear to me based on your example if you are using one or
multiple realms in your environment.  Either way, you would want to have
a properly configured krb5.conf that contains the Kerberos Realm(s) and
domain-to-realm mapping information.  A single realm might look like the
following:

[realms]
  SYNTEREC.COM = {
        kdc = dc01.synterex.com
        admin_server = dc01.synterex.com
  }

[domain_realm]
  .synterex.com = SYNTEREC.COM

The above configuration would cause the client to request tickets from
the SYNTEREC.COM realm if the domain name contains .synterex.com (which
covers all subdomains as well).  A multiple realm configuration might
look like the following:

[realms]
  BOSTON.SYNTEREC.COM = {
        kdc = dc01.boston.synterex.com
        admin_server = dc01.boston.synterex.com
  }
  ATLANTA.SYNTEREC.COM = {
        kdc = dc01.atlanta.synterex.com
        admin_server = dc01.atlants.synterex.com
  }

[domain_realm]
  .boston.synterex.com = BOSTON.SYNTEREC.COM
  .atlanta.synterex.com = ATLANTA.SYNTEREC.COM

In this case, each subdomain has its own kerberos REALM.  The
domain_realm section maps the domain to the correct realm.

It is also possible to request a service ticket from a different realm
from which you have a valid TGT.  A cross-realm trust would need to be
setup to allow this.  We have this setup between our MIT Kerberos realm
and Active Directory realm (works quite nicely).

"User is not found in the database" can often point at user mapping
issue between your Unix/AD environment.  In your example, you would
want to make sure your AD user account "jon" exists (or change the
userPrincipalName attribute in AD to match your Unix account).  You can
also try specifying the principal name manually using kinit:

        kinit [hidden email]

Based off your email address and the fact that the domains being used
in your example match, your AD user name could be jjtowles.  In that
case, make sure your krb5.conf is configured properly and try using
kinit with:

        kinit [hidden email]

If the above works, then you'll have to change your userPrincipalName
attribute in AD to match your Unix account, or change your Unix account
name to match your AD account.  Without making the change, using
Kerberos with ssh is useless due to the fact your principal name doesn't
match your Unix ID.

> I didn't think that it was, but I wanted to check and see if anyone knows.

Good luck!

Bryan

> Jon Towles
> CTO, Synterex
> (m) 978-609-5545
>
> [VMware Certified Professional - Digital Workspace 2020][VMware Certified Professional - Desktop and Mobility 2020][cid:image003.jpg@01D65926.16A527C0] [cid:image004.png@01D65926.16A527C0]  [cid:image005.png@01D65926.16A527C0] [cid:image006.png@01D65926.16A527C0]
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos


--
Bryan Mesich
Sr. System Administrator
DIGI-KEY ELECTRONICS
+1 218.681.8000 x16104

Powered by Linux 4.18.0-147.0.3.el8_1.x86_64

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Kerberos Database Sync with Sub-Domains

Isaac Boukris
On Tue, Jul 14, 2020 at 2:23 PM Jonathan Towles <[hidden email]> wrote:

>
> Hi Bryan,
>
> I think essentially the issue/question that comes up is what happens when you have say 5 domains, and you have people with the say domain name in those 5 domains.
>
> So here's the use case:
>
> Let's say I have 5 domains:
>
> Synterex.com
> Boston.synterex.com
> Ny.synterex.com
> Miami.synterex.com
> Dallas.synterex.com
>
> When I move to Office 365, I have to make my SMTP and UPN match. This will now make it so everyone in all 5 domains has a UPN ending in synterex.com

You can use enterprise principal name to work with UPNs, e.g. kinit -E
[hidden email] (the realm will get canonicalized, and with -C the
name too).

> So, now I have an issue where you have user accounts in 5 domains all with the same REALM of SYNTEREX.COM.
>
> In this situation, there's only two ways this can still work:
>
> 1. You move everyone to the synterex.com domain which can be a real nightmare
> 2. You find a way to point all authentication against the Synterex.com KDC and still be able to get tickets for users living in the sub-domains
>
> I'm not sure if you can actually make #2 work or not. When I have tried, I get user not found in the database issues.
>
> Jon Towles
> CTO, Synterex
> (m) 978-609-5545
>
>
>
> -----Original Message-----
> From: Bryan Mesich <[hidden email]>
> Sent: Monday, July 13, 2020 11:01 PM
> To: Jonathan Towles <[hidden email]>
> Cc: [hidden email]
> Subject: Re: Kerberos Database Sync with Sub-Domains
>
> On Mon, Jul 13, 2020 at 06:58:39PM +0000, Jonathan Towles wrote:
> > Hi All,
>
> Hello,
>
> > I wanted to ask a question that I have been unable to get clear information on.
> >
> > Is it technically or functionally possible to get a Kerberos ticket for someone in the sub-domain against the parent domain
> >
> > Example:
> > User [hidden email]<mailto:[hidden email]> wants to get a Kerberos ticket against dc01.synterex.com but will fail because that user is not found in the database on that Domain Controller.
>
> It is unclear to me based on your example if you are using one or
> multiple realms in your environment.  Either way, you would want to have
> a properly configured krb5.conf that contains the Kerberos Realm(s) and
> domain-to-realm mapping information.  A single realm might look like the
> following:
>
> [realms]
>   SYNTEREC.COM = {
>         kdc = dc01.synterex.com
>         admin_server = dc01.synterex.com
>   }
>
> [domain_realm]
>   .synterex.com = SYNTEREC.COM
>
> The above configuration would cause the client to request tickets from
> the SYNTEREC.COM realm if the domain name contains .synterex.com (which
> covers all subdomains as well).  A multiple realm configuration might
> look like the following:
>
> [realms]
>   BOSTON.SYNTEREC.COM = {
>         kdc = dc01.boston.synterex.com
>         admin_server = dc01.boston.synterex.com
>   }
>   ATLANTA.SYNTEREC.COM = {
>         kdc = dc01.atlanta.synterex.com
>         admin_server = dc01.atlants.synterex.com
>   }
>
> [domain_realm]
>   .boston.synterex.com = BOSTON.SYNTEREC.COM
>   .atlanta.synterex.com = ATLANTA.SYNTEREC.COM
>
> In this case, each subdomain has its own kerberos REALM.  The
> domain_realm section maps the domain to the correct realm.
>
> It is also possible to request a service ticket from a different realm
> from which you have a valid TGT.  A cross-realm trust would need to be
> setup to allow this.  We have this setup between our MIT Kerberos realm
> and Active Directory realm (works quite nicely).
>
> "User is not found in the database" can often point at user mapping
> issue between your Unix/AD environment.  In your example, you would
> want to make sure your AD user account "jon" exists (or change the
> userPrincipalName attribute in AD to match your Unix account).  You can
> also try specifying the principal name manually using kinit:
>
>         kinit [hidden email]
>
> Based off your email address and the fact that the domains being used
> in your example match, your AD user name could be jjtowles.  In that
> case, make sure your krb5.conf is configured properly and try using
> kinit with:
>
>         kinit [hidden email]
>
> If the above works, then you'll have to change your userPrincipalName
> attribute in AD to match your Unix account, or change your Unix account
> name to match your AD account.  Without making the change, using
> Kerberos with ssh is useless due to the fact your principal name doesn't
> match your Unix ID.
>
> > I didn't think that it was, but I wanted to check and see if anyone knows.
>
> Good luck!
>
> Bryan
>
> > Jon Towles
> > CTO, Synterex
> > (m) 978-609-5545
> >
> > [VMware Certified Professional - Digital Workspace 2020][VMware Certified Professional - Desktop and Mobility 2020][cid:image003.jpg@01D65926.16A527C0] [cid:image004.png@01D65926.16A527C0]  [cid:image005.png@01D65926.16A527C0] [cid:image006.png@01D65926.16A527C0]
> > ________________________________________________
> > Kerberos mailing list           [hidden email]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> --
> Bryan Mesich
> Sr. System Administrator
> DIGI-KEY ELECTRONICS
> +1 218.681.8000 x16104
>
> Powered by Linux 4.18.0-147.0.3.el8_1.x86_64
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: Kerberos Database Sync with Sub-Domains

Jonathan Towles
So by using enterprise principal names, you can essentially point it at the parent domain KDC, and it can get a ticket for even users in the sub-domains?

That's only something that can be done in the GSS config right? You can't do it in the KRB5.conf file?

Jon Towles
CTO, Synterex
(m) 978-609-5545

 

-----Original Message-----
From: Isaac Boukris <[hidden email]>
Sent: Tuesday, July 14, 2020 8:38 AM
To: Jonathan Towles <[hidden email]>
Cc: Bryan Mesich <[hidden email]>; [hidden email]
Subject: Re: Kerberos Database Sync with Sub-Domains

On Tue, Jul 14, 2020 at 2:23 PM Jonathan Towles <[hidden email]> wrote:

>
> Hi Bryan,
>
> I think essentially the issue/question that comes up is what happens when you have say 5 domains, and you have people with the say domain name in those 5 domains.
>
> So here's the use case:
>
> Let's say I have 5 domains:
>
> Synterex.com
> Boston.synterex.com
> Ny.synterex.com
> Miami.synterex.com
> Dallas.synterex.com
>
> When I move to Office 365, I have to make my SMTP and UPN match. This
> will now make it so everyone in all 5 domains has a UPN ending in
> synterex.com

You can use enterprise principal name to work with UPNs, e.g. kinit -E [hidden email] (the realm will get canonicalized, and with -C the name too).

> So, now I have an issue where you have user accounts in 5 domains all with the same REALM of SYNTEREX.COM.
>
> In this situation, there's only two ways this can still work:
>
> 1. You move everyone to the synterex.com domain which can be a real
> nightmare 2. You find a way to point all authentication against the
> Synterex.com KDC and still be able to get tickets for users living in
> the sub-domains
>
> I'm not sure if you can actually make #2 work or not. When I have tried, I get user not found in the database issues.
>
> Jon Towles
> CTO, Synterex
> (m) 978-609-5545
>
>
>
> -----Original Message-----
> From: Bryan Mesich <[hidden email]>
> Sent: Monday, July 13, 2020 11:01 PM
> To: Jonathan Towles <[hidden email]>
> Cc: [hidden email]
> Subject: Re: Kerberos Database Sync with Sub-Domains
>
> On Mon, Jul 13, 2020 at 06:58:39PM +0000, Jonathan Towles wrote:
> > Hi All,
>
> Hello,
>
> > I wanted to ask a question that I have been unable to get clear information on.
> >
> > Is it technically or functionally possible to get a Kerberos ticket
> > for someone in the sub-domain against the parent domain
> >
> > Example:
> > User [hidden email]<mailto:[hidden email]> wants to get a Kerberos ticket against dc01.synterex.com but will fail because that user is not found in the database on that Domain Controller.
>
> It is unclear to me based on your example if you are using one or
> multiple realms in your environment.  Either way, you would want to
> have a properly configured krb5.conf that contains the Kerberos
> Realm(s) and domain-to-realm mapping information.  A single realm
> might look like the
> following:
>
> [realms]
>   SYNTEREC.COM = {
>         kdc = dc01.synterex.com
>         admin_server = dc01.synterex.com
>   }
>
> [domain_realm]
>   .synterex.com = SYNTEREC.COM
>
> The above configuration would cause the client to request tickets from
> the SYNTEREC.COM realm if the domain name contains .synterex.com
> (which covers all subdomains as well).  A multiple realm configuration
> might look like the following:
>
> [realms]
>   BOSTON.SYNTEREC.COM = {
>         kdc = dc01.boston.synterex.com
>         admin_server = dc01.boston.synterex.com
>   }
>   ATLANTA.SYNTEREC.COM = {
>         kdc = dc01.atlanta.synterex.com
>         admin_server = dc01.atlants.synterex.com
>   }
>
> [domain_realm]
>   .boston.synterex.com = BOSTON.SYNTEREC.COM
>   .atlanta.synterex.com = ATLANTA.SYNTEREC.COM
>
> In this case, each subdomain has its own kerberos REALM.  The
> domain_realm section maps the domain to the correct realm.
>
> It is also possible to request a service ticket from a different realm
> from which you have a valid TGT.  A cross-realm trust would need to be
> setup to allow this.  We have this setup between our MIT Kerberos
> realm and Active Directory realm (works quite nicely).
>
> "User is not found in the database" can often point at user mapping
> issue between your Unix/AD environment.  In your example, you would
> want to make sure your AD user account "jon" exists (or change the
> userPrincipalName attribute in AD to match your Unix account).  You
> can also try specifying the principal name manually using kinit:
>
>         kinit [hidden email]
>
> Based off your email address and the fact that the domains being used
> in your example match, your AD user name could be jjtowles.  In that
> case, make sure your krb5.conf is configured properly and try using
> kinit with:
>
>         kinit [hidden email]
>
> If the above works, then you'll have to change your userPrincipalName
> attribute in AD to match your Unix account, or change your Unix
> account name to match your AD account.  Without making the change,
> using Kerberos with ssh is useless due to the fact your principal name
> doesn't match your Unix ID.
>
> > I didn't think that it was, but I wanted to check and see if anyone knows.
>
> Good luck!
>
> Bryan
>
> > Jon Towles
> > CTO, Synterex
> > (m) 978-609-5545
> >
> > [VMware Certified Professional - Digital Workspace 2020][VMware
> > Certified Professional - Desktop and Mobility
> > 2020][cid:image003.jpg@01D65926.16A527C0]
> > [cid:image004.png@01D65926.16A527C0]  
> > [cid:image005.png@01D65926.16A527C0]
> > [cid:image006.png@01D65926.16A527C0]
> > ________________________________________________
> > Kerberos mailing list           [hidden email]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> --
> Bryan Mesich
> Sr. System Administrator
> DIGI-KEY ELECTRONICS
> +1 218.681.8000 x16104
>
> Powered by Linux 4.18.0-147.0.3.el8_1.x86_64
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Kerberos Database Sync with Sub-Domains

Isaac Boukris
On Tue, Jul 14, 2020 at 3:22 PM Jonathan Towles <[hidden email]> wrote:
>
> So by using enterprise principal names, you can essentially point it at the parent domain KDC, and it can get a ticket for even users in the sub-domains?

Client-referrals are used to locate the realm, see details in RFC 6806.

> That's only something that can be done in the GSS config right? You can't do it in the KRB5.conf file?

For kinit, you just need to pass the '-E' flag, no conf involved.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: Kerberos Database Sync with Sub-Domains

Jonathan Towles
I'm working with an application inside of a Docker container that uses GSS to do Kerberos Constrained Delegation.

I'm guessing they need to augment the code.

Doing some testing via kinit, I have found that kinit -E only works if the account lives in the parent domain.

If I try to do a kinit -E with their samaccountname or email address, it says they're not found if they are in a child domain.

Jon Towles
CTO, Synterex
(m) 978-609-5545

 

-----Original Message-----
From: Isaac Boukris <[hidden email]>
Sent: Tuesday, July 14, 2020 9:35 AM
To: Jonathan Towles <[hidden email]>
Cc: Bryan Mesich <[hidden email]>; [hidden email]
Subject: Re: Kerberos Database Sync with Sub-Domains

On Tue, Jul 14, 2020 at 3:22 PM Jonathan Towles <[hidden email]> wrote:
>
> So by using enterprise principal names, you can essentially point it at the parent domain KDC, and it can get a ticket for even users in the sub-domains?

Client-referrals are used to locate the realm, see details in RFC 6806.

> That's only something that can be done in the GSS config right? You can't do it in the KRB5.conf file?

For kinit, you just need to pass the '-E' flag, no conf involved.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Kerberos Database Sync with Sub-Domains

Isaac Boukris
On Tue, Jul 14, 2020 at 3:37 PM Jonathan Towles <[hidden email]> wrote:
>
> I'm working with an application inside of a Docker container that uses GSS to do Kerberos Constrained Delegation.

Constrained Delegation (S4U2Proxy) is a way to get a service ticket,
but the client name is determined in a preceding step of getting an
initial ticket, which can be done in two ways (only), kinit (AS
request) or protocol-transition (S4U2Self), and they both support the
use of enterprise names (using client-referrals).

> I'm guessing they need to augment the code.

Could be, in recent krb5 libs you can make use of
GSS_KRB5_NT_ENTERPRISE_NAME in gssapi.

> Doing some testing via kinit, I have found that kinit -E only works if the account lives in the parent domain.
>
> If I try to do a kinit -E with their samaccountname or email address, it says they're not found if they are in a child domain.

It should generally work with the UPNs (or samaccountname@realm).
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: Kerberos Database Sync with Sub-Domains

Jonathan Towles
I got it to work if I reference the UPN in the command.

The application is doing AS-Requests.

I'm guessing that they need to change the code as that needs to be applied in the GSS Kerberos H file right?

Jon Towles
CTO, Synterex
(m) 978-609-5545

 

-----Original Message-----
From: Isaac Boukris <[hidden email]>
Sent: Tuesday, July 14, 2020 9:54 AM
To: Jonathan Towles <[hidden email]>
Cc: Bryan Mesich <[hidden email]>; [hidden email]
Subject: Re: Kerberos Database Sync with Sub-Domains

On Tue, Jul 14, 2020 at 3:37 PM Jonathan Towles <[hidden email]> wrote:
>
> I'm working with an application inside of a Docker container that uses GSS to do Kerberos Constrained Delegation.

Constrained Delegation (S4U2Proxy) is a way to get a service ticket, but the client name is determined in a preceding step of getting an initial ticket, which can be done in two ways (only), kinit (AS
request) or protocol-transition (S4U2Self), and they both support the use of enterprise names (using client-referrals).

> I'm guessing they need to augment the code.

Could be, in recent krb5 libs you can make use of GSS_KRB5_NT_ENTERPRISE_NAME in gssapi.

> Doing some testing via kinit, I have found that kinit -E only works if the account lives in the parent domain.
>
> If I try to do a kinit -E with their samaccountname or email address, it says they're not found if they are in a child domain.

It should generally work with the UPNs (or samaccountname@realm).

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Kerberos Database Sync with Sub-Domains

Isaac Boukris
On Tue, Jul 14, 2020 at 3:55 PM Jonathan Towles <[hidden email]> wrote:
>
> I got it to work if I reference the UPN in the command.
>
> The application is doing AS-Requests.

Note that S4U2Self would also use AS-REQ for the client-referrals step
(when enterprise names are used), and then switch to TGS-REQ for the
actual S4U2Self request.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos