[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: please help with MS AD -> UNIX trust

To: vadim <vadim.tarassov@swissonline.ch>
Subject: Re: please help with MS AD -> UNIX trust
From: "Douglas E. Engert" <deengert@anl.gov>
Date: Fri, 03 Jun 2005 09:17:09 -0500
Cc: heimdal-discuss@sics.se
In-Reply-To: <1117742391.4045.38.camel@localhost.localdomain>
References: <1117733011.4045.22.camel@localhost.localdomain> <429F4F33.60902@anl.gov> <1117742391.4045.38.camel@localhost.localdomain>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040803



vadim wrote:
> Hi Douglas,
> 
> thanx a lot for replying me! Really!
> 
> You are abs. presize saying that I expect user once authenticated in
> realm A (Active Directory) to ssh into realm B (Heimdal or MIT) without
> supplying his password again based on trust definition between two
> realms.
> 
> I however doubt a bit in what you saying that the problem is in mapping
> of kerberos principal to unix account (if it is that what you mean). I
> doubt in it, because in OpenSSH server log I see that 
> 
> "gssapi-with-mic failed".

What else does it say.

> 
> At this stage sshd does not do anything with pam or similar. This makes
> me to feel bad as I don't understand how "gssapi-with-mic" could fail if

No, but the ssh_gssapi_krb5_userok in gss-serv-krb5.c calls the krb5_kuserok
routine that checks if the "client" (u@realm) is allowed to login  and
use local account "name".

PAM is not involved with the authentication when GSSAPI is used.
PAM is called later for a session which can be used to get an AFS token
using the delegated redentials, i.e. forwarded kerberos tickets.

> 
> 1) user from realm A could obtain ticket form sshd in realm B via trust
> definitions between realms A and B.
> 

In this case the user u@A wold have a TGT for his own realm
   krbtgt/A@A
This would be used to obtain a cross realm ticket from realm A for realm B:
   krbtgt/B@A
This is then used with realm B to get a service ticket for the host in realm B
   host/<FQDN>@B
This is then used by the GSSAPI to authenticate.


So you problem could be in how the cross realm is setup, i.e. if
the keys dont match the krbtgt/B@A might not be accepted by B.

If you look at the logs for the realm B KDCs does it issue the
ticket host/<FQDN>@B to user U@A ?


Or it could be the krb5_kuserok failing as the .k5login is not
allowing it.

> 2) user can ssh into realm B if it logged into realm B directly.
> 
> I was looking in internet for information about possible difficulties
> when trying to establish trust between UNIX KDC and AD. People write a
> lot about salts and supported encription types. I am afraid I am
> struggling with something similar ... I however could not find any
> "ultimative" guide to what I am trying to do ...

salts are used in the string_to_key functions when generating a
key from a password. This might be a problem depending on how
you setup the cross realm trust if you did it by typing in
a password on both sides. But See:

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

This is the ultimate guide. It still applies to W2003. The ktpass in 2003
has more options.


> Any suggestion?
> 
> Thanx a lot again, vadim tarassov.
> 
> On Thu, 2005-06-02 at 13:25 -0500, Douglas E. Engert wrote:
> 
>>vadim wrote:
>>
>>
>>>Hallo everybody,
>>>
>>>Could you please point stupid me to the right piece of documentation?
>>>
>>>I've build Kerberos realm, where KDC is MS AD, servers are OpenSSH and
>>>OpenLDAP on Solaris 8, clients are on Solaris and Cygwin. I have used
>>>GSSAPI implementation from Heimdal and MIT with equal success -
>>>everything worked just perfectly!
>>>
>>>Now for some odd reasons I have to build pure UNIX realm and to
>>>establish one-way trust, where UNIX realm trusts AD, and users once
>>>logged into the AD realm, should be able also to logged into the UNIX
>>>realm.
>>
>>You mean "users once logged into the AD realm, should be able also to
>>logged into servers in the UNIX realm."
>>             ^^^^^^^^^^^
>>
>>>I have tried both Heimdal 0.6.4 and MIT 1.4.1 as UNIX realm, and in both
>>>cases I have the same result with OpenSSH:
>>>
>>>1) assuming that AD realm is called A, and UNIX realm is called B,
>>>client obtains TGT for realm A.
>>>2) trying to ssh into realm B client gets ticket 
>>>krbtgt/B@A
>>>3) client gets ticket host/whatsoever@B
>>>
>>>and at this moment GSSAPI fails to establish context between client and
>>>server SSH.
>>>
>>>Since both Heimdal and MIT behaves exactly in the same manner with
>>>several versions of OpenSSH (from 3.8.1 to 4.0), and I have no problems
>>>with AD and Heimdal/MIT if not trying them to trust each other, I am
>>>absolutely sure that I've missed right documentation ...
>>>
>>>Can you please tell me where I could dig futher? 
>>
>>
>>Look for auth_to_local in krb5.conf and .k5login file.
>>These map a principal to a local unix acocunt. By default
>>uses in the host realm are assumed to map to local acocunts.
>>But you are now using cross realm.
>>
>>The host/whatsover@B needs to know that a foreign principal, u@A is
>>allowed to use the local account u.
>>
>>
>>>Thanx a lot and best regards, vadim tarassov.
>>>
>>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Follow-Ups:
- Re: please help with MS AD -> UNIX trust
  - From: vadim <vadim.tarassov@swissonline.ch>

References:
- please help with MS AD -> UNIX trust
  - From: vadim <vadim.tarassov@swissonline.ch>
- Re: please help with MS AD -> UNIX trust
  - From: "Douglas E. Engert" <deengert@anl.gov>
- Re: please help with MS AD -> UNIX trust
  - From: vadim <vadim.tarassov@swissonline.ch>

Prev by Date: 0.7rc2 with mod_auth_kerb 5 rc6
Next by Date: PKINIT supported in heimdal 0.7?
Prev by thread: Re: please help with MS AD -> UNIX trust
Next by thread: Re: please help with MS AD -> UNIX trust
Index(es):
- Date
- Thread