Ubuntu Kerberos Parent Domain Auth Fails

AAABL

2/28/23, 10:14 PM

We have an Ubuntu 18.4 server joined to the child domain. I'm able to ssh to the server with child domain account but not with parent domain account.

Here is my krb5.conf

[libdefaults]
        default_realm = DOMAIN.LOCAL
        ticket_lifetime = 24h #
        renew_lifetime = 7d
        rdns = false
        dns_lookup_kdc = true

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log

[realms]
CHILD.DOMAIN.LOCAL = {
kdc = DC.CHILD.DOMAIN.LOCAL
}

DOMAIN.LOCAL = {
kdc = DC.DOMAIN.LOCAL
}

getent generates the string for both child and parent domains. cross domain trust is enabled and I'm able to login to child domain with parent on windows servers but I get 'Access Denied' when trying to ssh to linux

klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------
   2 10/29/21 17:21:08 [email protected]
   2 10/29/21 17:21:08 [email protected]
   2 10/29/21 17:21:08 [email protected]
   2 10/29/21 17:21:08 [email protected]
   2 10/29/21 17:21:08 [email protected]
   2 10/29/21 17:21:08 [email protected]
   2 10/29/21 17:21:08 host/[email protected]
   2 10/29/21 17:21:08 host/[email protected]
   2 10/29/21 17:21:08 host/[email protected]
   2 10/29/21 17:21:08 host/[email protected]
   2 10/29/21 17:21:08 host/[email protected]
   2 10/29/21 17:21:08 host/[email protected]
   2 10/29/21 17:21:08 RestrictedKrbHost/[email protected]
   2 10/29/21 17:21:08 RestrictedKrbHost/[email protected]
   2 10/29/21 17:21:08 RestrictedKrbHost/[email protected]
   2 10/29/21 17:21:08 RestrictedKrbHost/[email protected]
   2 10/29/21 17:21:08 RestrictedKrbHost/[email protected]
   2 10/29/21 17:21:08 RestrictedKrbHost/[email protected]

0 + 0

active-directory

kerberos

windows-authentication

sssd

ubuntu-18.04

djdomi

2/28/23, 10:41 AM

please remove tge caps from the description, or do you cry for help always?

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Ubuntu Kerberos Parent Domain Auth Fails

TH: การตรวจสอบสิทธิ์โดเมนหลัก Ubuntu Kerberos ล้มเหลว

RO: Autentificarea domeniului părinte Ubuntu Kerberos eșuează

RU: Сбой аутентификации родительского домена Ubuntu Kerberos

VI: Xác thực tên miền gốc của Ubuntu Kerberos không thành công

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.