Re: please help with MS AD -> UNIX trust



Hi Douglas,

Thanks a lot for replying to me! Really!

You are absolutely precise in saying that I expect a user, once
authenticated in realm A (Active Directory), to ssh into realm B (Heimdal
or MIT) without supplying his password again, based on the trust
definition between the two realms.

I however doubt a bit what you are saying, that the problem is in the
mapping of the Kerberos principal to a UNIX account (if that is what you
mean). I doubt it because in the OpenSSH server log I see that

"gssapi-with-mic failed".

At this stage sshd does not do anything with PAM or similar. This makes
me feel bad, as I don't understand how "gssapi-with-mic" could fail if

1) a user from realm A could obtain a ticket from sshd in realm B via the
trust definitions between realms A and B.

2) the user can ssh into realm B if he logged into realm B directly.

I was looking on the internet for information about possible difficulties
when trying to establish trust between a UNIX KDC and AD. People write a
lot about salts and supported encryption types. I am afraid I am
struggling with something similar ... I however could not find any
"ultimate" guide to what I am trying to do ...

Any suggestion?

Thanks a lot again, vadim tarassov.

On Thu, 2005-06-02 at 13:25 -0500, Douglas E. Engert wrote:
> 
> vadim wrote:
> 
> > Hello everybody,
> > 
> > Could you please point stupid me to the right piece of documentation?
> > 
> > I've built a Kerberos realm, where the KDC is MS AD, servers are OpenSSH and
> > OpenLDAP on Solaris 8, clients are on Solaris and Cygwin. I have used the
> > GSSAPI implementations from Heimdal and MIT with equal success -
> > everything worked just perfectly!
> > 
> > Now for some odd reasons I have to build a pure UNIX realm and to
> > establish a one-way trust, where the UNIX realm trusts AD, and users once
> > logged into the AD realm, should be able also to logged into the UNIX
> > realm.
> 
> You mean "users once logged into the AD realm, should be able also to
> logged into servers in the UNIX realm."
>              ^^^^^^^^^^^
> > 
> > I have tried both Heimdal 0.6.4 and MIT 1.4.1 as the UNIX realm, and in both
> > cases I have the same result with OpenSSH:
> > 
> > 1) assuming that the AD realm is called A, and the UNIX realm is called B,
> > the client obtains a TGT for realm A.
> > 2) trying to ssh into realm B the client gets the ticket 
> > krbtgt/B@A
> > 3) the client gets the ticket host/whatsoever@B
> > 
> > and at this moment GSSAPI fails to establish a context between the client and
> > the server SSH.
> > 
> > Since both Heimdal and MIT behave in exactly the same manner with
> > several versions of OpenSSH (from 3.8.1 to 4.0), and I have no problems
> > with AD and Heimdal/MIT if not trying to make them trust each other, I am
> > absolutely sure that I've missed the right documentation ...
> > 
> > Can you please tell me where I could dig further? 
> 
> 
> Look for auth_to_local in krb5.conf and the .k5login file.
> These map a principal to a local unix account. By default
> users in the host realm are assumed to map to local accounts.
> But you are now using cross realm.
> 
> The host/whatsoever@B needs to know that a foreign principal, u@A, is
> allowed to use the local account u.
> 
> > 
> > Thanks a lot and best regards, vadim tarassov.
> > 
> 
-- 
vadim <vadim.tarassov@swissonline.ch>
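The principal-to-account mapping Douglas points at, as an added worked example that is not part of the thread and not code from MIT, Heimdal or OpenSSH: a small Python model of how an auth_to_local rule list and a ~/.k5login file decide whether a Kerberos principal may use a local UNIX account. Realm names A and B follow the thread; the rule syntax modelled is the MIT form RULE:[n:string](regexp)s/pattern/replacement/, the whole-string match of the selection string is an assumption of this model, and the rule text, host name and .k5login contents are constructed.

```python
"""Model of auth_to_local / .k5login principal mapping for a cross-realm login."""
import re

# Constructed values (assumptions, not from the thread): A is the AD realm,
# B the UNIX realm whose sshd must map the foreign principal u@A.
AD_REALM = "A"
UNIX_REALM = "B"

# Constructed [realms] auth_to_local list for realm B: the RULE maps a
# one-component principal of realm A to a local account of the same name,
# DEFAULT keeps the usual mapping for principals of the host realm itself.
CROSS_REALM_RULES = [
    "RULE:[1:$1@$0](^[a-z0-9._-]+@A$)s/@A$//",
    "DEFAULT",
]

# What a server with no explicit auth_to_local setting effectively has.
DEFAULT_ONLY_RULES = ["DEFAULT"]

_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def parse_principal(principal):
    """Split 'name/instance@REALM' into (['name', 'instance'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected name[/instance]@REALM, got %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, components, realm, default_realm):
    """Return the local name one rule produces, or None if it does not apply."""
    if rule == "DEFAULT":
        # Only single-component principals of the host's own realm map by
        # default, which is why u@A stays unmapped on a server in realm B.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported auth_to_local entry: %r" % rule)
    ncomp, fmt, regexp, pattern, replacement, flag = m.groups()
    if len(components) != int(ncomp):
        return None
    # Build the selection string: $0 is the realm, $1..$n the components.
    selected = fmt.replace("$0", realm)
    for i in range(len(components), 0, -1):
        selected = selected.replace("$%d" % i, components[i - 1])
    # Assumption of this model: the regexp must match the whole selection string.
    if not re.fullmatch(regexp, selected):
        return None
    count = 0 if flag == "g" else 1
    return re.sub(pattern, replacement, selected, count=count)


def map_to_local(principal, rules, default_realm=UNIX_REALM):
    """First matching rule wins, as in the krb5.conf auth_to_local list."""
    components, realm = parse_principal(principal)
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None


def k5login_allows(principal, k5login_text):
    """~/.k5login lists full principals, one per line, allowed on that account."""
    allowed = {line.strip() for line in k5login_text.splitlines() if line.strip()}
    return principal in allowed


if __name__ == "__main__":
    for p in ("u@A", "u@B", "host/srv.example.test@B"):
        print("%-26s DEFAULT only: %-6s with RULE: %s"
              % (p, map_to_local(p, DEFAULT_ONLY_RULES), map_to_local(p, CROSS_REALM_RULES)))
    # Constructed ~u/.k5login contents on the realm-B server.
    print("u@A via .k5login:", k5login_allows("u@A", "u@A\nadmin@B\n"))
```

With DEFAULT only, u@A maps to nothing while u@B maps to u; the added RULE makes u@A map to u as well, and the service principal host/…@B is never mapped because it has two components. The .k5login route needs no krb5.conf change but lists the foreign principal explicitly in the target account's home directory.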