Cross-domain auth using Kerberos

Michael Richter

Aug 10, 2020, 3:42:41 AM
to Ansible Project
Hi,
On a Linux server I want to access a Windows server from Windows domain sub.dnsdomain using an account from parent Windows domain dnsdomain. The account has admin permissions to that server and can log in using RDP.

I have configured Kerberos realms for both domains on the Linux server. I can then get a Kerberos ticket using kinit user. I can access servers from dnsdomain. But I cannot access the server from sub.dnsdomain.

[libdefaults]
        default_realm = DNSDOMAIN
        dns_lookup_realm = false
        #ticket_lifetime = 24h
        renew_lifetime = 7d
        rdns = false
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        ticket_lifetime = 600
        kdc_timesync = 1
        ccache_type = 4

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        DNSDOMAIN = {
                kdc = dc1.dnsdomain:88
                kdc = dc2.dnsdomain:88
                admin_server = dc1.dnsdomain:749
                default_domain = dnsdomain
        }
        SUB.DNSDOMAIN = {
                kdc = subdc1.sub.dnsdomain:88
                kdc = subdc2.sub.dnsdomain:88
                admin_server = subdc1.sub.dnsdomain:749
                default_domain = sub.dnsdomain
        }

[domain_realm]
        .dnsdomain = DNSDOMAIN
        dnsdomain = DNSDOMAIN
        .sub.dnsdomain = SUB.DNSDOMAIN
        sub.dnsdomain = SUB.DNSDOMAIN

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true


Note: The Windows domain name differs from the DNS names. I'm not using it in the Kerberos config.

Then I can do this:

$ kinit user
Password for user@DNSDOMAIN:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DNSDOMAIN

Valid starting       Expires              Service principal
07.08.2020 14:06:07  07.08.2020 14:16:00  krbtgt/DNSDOMAIN@DNSDOMAIN
        renew until 10.08.2020 14:06:07
$ rpcclient server.dnsdomain -k
rpcclient $> srvinfo
        XXXXXXX         
        platform_id     :       500
        os version      :       6.3
        server type     :       0x801013
rpcclient $> quit
$ rpcclient subserver.sub.dnsdomain -k
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE


If I try to connect via Ansible/WinRM to the server in the subdomain, I get the error:

Server not found in Kerberos database

How do I get access to the server in the subdomain using an account from the parent domain?
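
As an added diagnostic (not code from the post), the script below reproduces the client-side [domain_realm] lookup from the posted krb5.conf and lists the tickets a DNSDOMAIN principal must obtain to reach a host in the child realm; the last entry is the service principal the child KDC must have registered, which is what a "Server not found in Kerberos database" answer says is missing. Host and realm names are the placeholders used in the post; the config excerpt is constructed from it.

```python
# Constructed excerpt of the krb5.conf posted above (only what the lookup needs).
KRB5_CONF = """
[libdefaults]
        default_realm = DNSDOMAIN
[realms]
        DNSDOMAIN = {
                kdc = dc1.dnsdomain:88
        }
        SUB.DNSDOMAIN = {
                kdc = subdc1.sub.dnsdomain:88
        }
[domain_realm]
        .dnsdomain = DNSDOMAIN
        .sub.dnsdomain = SUB.DNSDOMAIN
"""

def parse_krb5(text):
    # {section: {key: value}}, except [realms] becomes {realm: [kdc, ...]}
    conf, section, realm = {}, None, None
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            conf["realms"][realm] = []
        elif realm is not None:              # inside a realm block: keep the KDCs, stop at "}"
            if line.startswith("kdc"):
                conf["realms"][realm].append(line.split("=", 1)[1].strip())
            realm = None if line == "}" else realm
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            conf[section][key.lower()] = val
    return conf

def host_realm(conf, host):
    # MIT rule: exact host entry, then longest parent domain (leading dot), else default_realm
    mapping, labels = conf.get("domain_realm", {}), host.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    hit = next((mapping[c] for c in candidates if c in mapping), None)
    return hit or conf["libdefaults"]["default_realm"]

def ticket_path(conf, host, service="host"):
    # Tickets needed to reach `host` from the default_realm TGT (service: cifs for SMB, HTTP for WinRM)
    home, target = conf["libdefaults"]["default_realm"], host_realm(conf, host)
    path = [f"krbtgt/{home}@{home}"]
    if target != home:                       # cross-realm: referral TGT for the child realm
        path.append(f"krbtgt/{target}@{home}")
    path.append(f"{service}/{host}@{target}")
    return {"realm": target, "kdcs": conf["realms"].get(target, []), "tickets": path}
```

After a working cross-realm request, klist should show the second krbtgt entry and the service ticket from the list; if only krbtgt/DNSDOMAIN@DNSDOMAIN appears, the failure happened before the child KDC was ever asked.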

Michael Richter

Aug 18, 2020, 6:47:19 AM
to Ansible Project
OK, threw away Kerberos and switched to NTLM, which works great.