Intention
I want to set up 2 Kerberos realms where one can authenticate the users in the other.
Current Setup
I have 2 Kerberos servers (`ad.somedomain.com` and `kerb.foo.bar`).
I have my users on `kerb.foo.bar`:

| User  |
|-------|
| user1 |
| alice |
| bob   |
I can `kinit user1@KERB.FOO.BAR`, `alice@KERB.FOO.BAR` and `bob@KERB.FOO.BAR` and get a TGT for all of them when I `klist`.
I want
I want to use `AD.SOMEDOMAIN.COM` as a sub-realm, or `ad.somedomain.com` as an intermediate server.
I want to be able to `kinit user1@AD.SOMEDOMAIN.COM`, `alice@AD.SOMEDOMAIN.COM` or `bob@AD.SOMEDOMAIN.COM` and have it grant tickets and authenticate.
ad.somedomain.com ←→ kerb.foo.bar
↑
user1@ad.somedomain.com
Clarification
I am unsure of how to:

1. Set up the trust relationship between `ad.somedomain.com` and `kerb.foo.bar`
2. Set up the users in such a way as to allow what I want to accomplish
3. Set up the client `krb5.conf` to properly use this setup
4. (Optional) Is there a difference in setting this up as a "one-way" trust? I don't think I need this relationship to happen in reverse, where I have users in `ad.somedomain.com` that I want authenticated in `kerb.foo.bar`.
What I have done
I have looked at this part of the MIT documentation on Kerberos, but I must be doing something wrong.
It might be that my `krb5.conf` is set up incorrectly or that I have my `[capaths]` wrong.
krb5.conf
```ini
[libdefaults]
    # Tickets may be forwarded to remote hosts (needed e.g. for ssh -K)
    forwardable = true
    # Realm appended to a bare principal name such as "kinit user1"
    default_realm = KERB.FOO.BAR
    # Credential cache lives in the kernel keyring, one per uid
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    # Where to find the KDC and kadmin server for each realm
    KERB.FOO.BAR = {
        kdc = kerb.foo.bar
        admin_server = kerb.foo.bar
    }
    AD.SOMEDOMAIN.COM = {
        kdc = ad.somedomain.com
        admin_server = ad.somedomain.com
    }

[domain_realm]
    # Maps host names (and whole DNS domains, leading dot) to realms
    .ad.somedomain.com = AD.SOMEDOMAIN.COM
    ad.somedomain.com = AD.SOMEDOMAIN.COM
    .kerb.foo.bar = KERB.FOO.BAR
    kerb.foo.bar = KERB.FOO.BAR

[capaths]
    # Cross-realm path rules: a client holding a TGT from AD.SOMEDOMAIN.COM
    # reaches KERB.FOO.BAR directly ("." = no intermediate realm).
    # No rule is given here for the reverse direction (KERB.FOO.BAR -> AD.SOMEDOMAIN.COM).
    AD.SOMEDOMAIN.COM = {
        KERB.FOO.BAR = .
    }
```
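As an added worked example (not part of the original question, and not MIT's own code): a small resolver that reads the `[capaths]` stanza of a `krb5.conf`-style text and works out the chain of cross-realm TGTs a client would request to reach a service in another realm. The realm names `AD.SOMEDOMAIN.COM` and `KERB.FOO.BAR` are the ones from the question; the extra realms `SALES.EXAMPLE.NET` and `HUB.EXAMPLE.NET` and the config text are constructed here to show a multi-hop rule. The hierarchical fallback is a simplified model of what MIT libkrb5 does when no `[capaths]` rule matches.

```python
"""Resolve Kerberos cross-realm paths from a krb5.conf [capaths] stanza.

Added example for illustration; realm names other than the two from the
question, and the sample config itself, are constructed (hypothetical).
"""
import re

# Constructed sample config: the question's [capaths] rule, its mirror image,
# and a hypothetical rule that routes through an intermediate realm.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = KERB.FOO.BAR

[capaths]
    AD.SOMEDOMAIN.COM = {
        KERB.FOO.BAR = .
    }
    KERB.FOO.BAR = {
        AD.SOMEDOMAIN.COM = .
    }
    SALES.EXAMPLE.NET = {
        KERB.FOO.BAR = HUB.EXAMPLE.NET
    }
"""


def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}}.

    In krb5.conf a value of "." means "go directly, no intermediate realm".
    Intermediates may be listed space-separated or as repeated lines; both
    forms are accepted and appended in order.
    """
    capaths = {}
    section = None
    client = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments/whitespace
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)        # section header
        if m:
            section, client = m.group(1), None
            continue
        if section != 'capaths':
            continue
        m = re.match(r'^([\w.-]+)\s*=\s*\{$', line)   # "CLIENT_REALM = {"
        if m:
            client = m.group(1)
            capaths.setdefault(client, {})
            continue
        if line == '}':
            client = None
            continue
        m = re.match(r'^([\w.-]+)\s*=\s*(.+)$', line)  # "SERVER_REALM = value"
        if m and client is not None:
            server, value = m.group(1), m.group(2).strip()
            hops = [] if value == '.' else value.split()
            capaths[client].setdefault(server, []).extend(hops)
    return capaths


def hierarchical_path(client, server):
    """Fallback used when no [capaths] rule exists: walk up the realm name
    hierarchy to the common parent and back down, e.g.
    A.EXAMPLE.COM -> EXAMPLE.COM -> B.EXAMPLE.COM (simplified model)."""
    c, s = client.split('.'), server.split('.')
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    path = [client]
    for i in range(1, len(c) - common):              # up from the client realm
        path.append('.'.join(c[i:]))
    if 0 < common < len(c) and common < len(s):      # the shared parent realm
        path.append('.'.join(c[len(c) - common:]))
    for i in range(len(s) - common - 1, 0, -1):      # down to the server realm
        path.append('.'.join(s[i:]))
    path.append(server)
    return path


def realm_path(capaths, client, server):
    """Ordered list of realms the client traverses to reach the server realm."""
    if client == server:
        return [client]
    rule = capaths.get(client, {})
    if server in rule:
        return [client] + rule[server] + [server]
    return hierarchical_path(client, server)


def cross_realm_tgts(path):
    """Each hop CURRENT -> NEXT needs a ticket for krbtgt/NEXT@CURRENT.
    These are exactly the principals both KDCs must share a key for."""
    return ['krbtgt/%s@%s' % (path[i + 1], path[i]) for i in range(len(path) - 1)]


if __name__ == '__main__':
    caps = parse_capaths(SAMPLE_KRB5_CONF)
    for client, server in [('AD.SOMEDOMAIN.COM', 'KERB.FOO.BAR'),
                           ('SALES.EXAMPLE.NET', 'KERB.FOO.BAR'),
                           ('A.EXAMPLE.COM', 'B.EXAMPLE.COM')]:
        path = realm_path(caps, client, server)
        print('%s -> %s: %s' % (client, server, ' -> '.join(path)))
        for tgt in cross_realm_tgts(path):
            print('    needs', tgt)
```

The resolver makes the link between the two halves of the question visible: `[capaths]` only tells the client which realms to walk through, while the trust itself is the existence of the listed `krbtgt/NEXT@CURRENT` principals with the same key on both KDCs. A rule in one direction with only one such principal created is a one-way trust; the mirrored rule and the mirrored principal (`krbtgt/CURRENT@NEXT`) are what the reverse direction would need.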