Score:3

Cross domain authentication with transitive forest trust for linux

mx

I have two domains -- one for dev and one for corp.

I can join a Windows machine to the dev domain and log in as a corp user because of the transitive forest trust. I can join a Linux machine to the dev domain (with realm join or adcli join), but I can't log in with ssh or on the console with a corp user account. Is there a solution for this without also joining the corp realm (using realm/adcli)? They don't want dev computer objects on the corp AD servers.

echo "password" | realm join --user=user --computer-ou='OU=Linux_Servers,DC=dev,DC=domain,DC=com' --os-name='Linux' dev.domain.com

krb5.conf:

[libdefaults]
    # domain specific parameter (full domain name)
    default_realm       = DEV.DOMAIN.COM
    clockskew           = 300
    ticket_lifetime     = 1d
    forwardable         = true
    proxiable           = true
    dns_lookup_realm    = true
    dns_lookup_kdc      = true

[realms]
    DEV.DOMAIN.COM = {
        # domain specific parameters (domain controller name, full domain name)
        kdc            = adserver.domain.com
        admin_server   = adserver.domain.com
        default_domain = DEV.DOMAIN.COM
    }

    CORP.DOMAIN.COM = {
        # domain specific parameters (domain controller name, full domain name)
        kdc            = corpadserver.domain.com
        admin_server   = corpadserver.domain.com
        default_domain = CORP.DOMAIN.COM
    }

[domain_realm]
    # domain specific parameters (domain name for dns names)
    .dev.domain.com = DEV.DOMAIN.COM
    dev.domain.com  = DEV.DOMAIN.COM

[appdefaults]
    pam = {
        ticket_lifetime         = 1d
        renew_lifetime          = 1d
        forwardable             = true
        proxiable               = false
        retain_after_close      = false
        minimum_uid             = 0
        debug                   = false
    }

sssd.conf:

[sssd]
domains = dev.domain.com, corp.domain.com
config_file_version = 2
services = nss, pam
default_domain_suffix = example.com

[nss]
homedir_substring = /home

[pam]

[domain/dev.domain.com]
ad_domain = dev.domain.com
krb5_realm = DEV.DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

kinit:

[root@vm ~]# kinit [email protected]
Password for [email protected]:
kinit: KDC reply did not match expectations while getting initial credentials
[root@gbr7testvmjuly ~]# kinit localdevadmin
Password for [email protected]:
[root@gbr7testvmjuly ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
07/14/2023 10:44:11  07/14/2023 20:44:11  krbtgt/[email protected]
    renew until 07/14/2023 20:44:11
Score:1
mx

EDIT #1 - Ubuntu update:

I ended up getting this to work for CentOS, RedHat, and Ubuntu. Ubuntu is similar but has some differences in package names and in creating the home directory.

Using samba, winbind, and net ads join:

dnf install samba samba-client samba-winbind samba-winbind-clients oddjob oddjob-mkhomedir

/etc/samba/smb.conf:

[global]
        workgroup = DEV
        realm = DEV.DOMAIN.COM
        security = ads
        idmap config * : backend = autorid
        idmap config * : range = 100000-19999999
        idmap config * : rangesize = 1000000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = false
        winbind offline logon = true
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = 0

Join and stop/start winbind:

systemctl stop winbind
net ads join -U domainAdmin
systemctl enable winbind --now

Now I can ssh as a corp user to a dev machine, but I have to specify the corp domain at login; otherwise it defaults to a local user and fails:

ssh -l [email protected] 10.1.100.100
[CORP\username@hostnametest ~]$ whoami
CORP\username
[CORP\username@hostnametest ~]$ pwd
/home/CORP/username

Is there a way to add the corp domain by default for login attempts, or ideally another samba or ssh config setting that handles it?

EDIT #1: Ubuntu is pretty much the same

apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules

Same smb.conf

Additionally, I made these edits in /etc/nsswitch.conf and /etc/pam.d/common-session:

/etc/nsswitch.conf:

passwd:         files systemd winbind
group:          files systemd winbind

/etc/pam.d/common-session:

session optional        pam_mkhomedir.so skel=/etc/skel umask=077

Join and restart winbind.

I didn't have to update DNS settings in netplan because it already had the right nameservers.
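As an added illustration (not part of the original question or answer), here is a small Python check that parses the smb.conf [global] section from the answer above and verifies the settings that matter for logins from the trusted CORP forest. The domain names and the "BUILTIN plus one ID block per domain" sizing assumption are mine.

```python
import configparser

# Constructed copy of the [global] section posted in the answer (only the keys checked here).
SMB_CONF = """[global]
workgroup = DEV
realm = DEV.DOMAIN.COM
security = ads
idmap config * : backend = autorid
idmap config * : range = 100000-19999999
idmap config * : rangesize = 1000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = true
"""


def load_global(text):
    """Parse [global]. smb.conf keys contain ':' so '=' must be the only delimiter,
    and interpolation is disabled because of the %D/%U placeholders."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {k.strip(): v.strip() for k, v in cp["global"].items()}


def autorid_ranges(g):
    """Number of per-domain ID blocks the autorid backend can allocate from its range."""
    low, high = (int(x) for x in g["idmap config * : range"].split("-"))
    return (high - low + 1) // int(g["idmap config * : rangesize"])


def home_dir(g, domain, user):
    """Expand 'template homedir' the way winbind does for a DOMAIN\\user login."""
    return g["template homedir"].replace("%D", domain).replace("%U", user)


def check(g, trusted_domains=("DEV", "CORP")):
    """Return findings relevant to trusted-forest logins (empty list = looks fine)."""
    findings = []
    if g.get("security") != "ads":
        findings.append("security must be 'ads' for an AD member server")
    if g.get("idmap config * : backend") != "autorid":
        findings.append("default idmap backend is not autorid; CORP SIDs may not get UIDs")
    # Assumption: BUILTIN plus every domain that logs in consumes at least one block.
    if autorid_ranges(g) < len(trusted_domains) + 1:
        findings.append("autorid range too small for BUILTIN + %d domains" % len(trusted_domains))
    if g.get("winbind use default domain", "false").lower() in ("true", "yes"):
        findings.append("'winbind use default domain' only drops the DEV prefix; CORP users still need it")
    return findings
```

The last check is why unqualified logins cannot be made to resolve to CORP with that option: it strips the prefix only for the machine's own domain.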
