Linux Kerberos auth to two domains

I need auth to two independent domains on my CentOS 7 via krb5. Is it possible? For example, when I use login name1, who is in domain1, or when I use login2, who is in domain2. Logins are unique and are not repeated across the domains. My example conf file is below; I can auth only to the default_realm.

krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# dns_lookup_realm was listed twice in the original; one entry is enough
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
# Only one default_realm is possible; unqualified logins are mapped to it
default_realm = DOMAIN1.COM

[realms]
DOMAIN1.COM = {
  kdc = adc.domain1.com
  admin_server = adc.domain1.com
}

DOMAIN2.COM = {
  # the same kdc line was duplicated in the original; list each KDC once
  kdc = adc.domain2.com
  admin_server = 192.168.3.24:749
}

[domain_realm]
domain1.com = DOMAIN1.COM
.domain1.com = DOMAIN1.COM
domain2.com = DOMAIN2.COM
.domain2.com = DOMAIN2.COM

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}


Solution 1:[1]

You can have only one "default_realm" in your config. And you are not supposed to have multiple identities at the same time (whether in the same or different realms).

A. For client/server applications that have to propagate the client identity, or impersonate the client, you have to manage that in your code (e.g. doAs() in Java), and it's not trivial.

B. For running separate apps with separate identities under the same Linux account, you have to cheat with multiple krb5.conf files and multiple credential caches, by setting the env vars KRB5_CONFIG and KRB5CCNAME for each app.
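The per-app setup from point B, as an added example that is not part of the original answer: a small shell helper that writes one krb5.conf per realm (each with its own default_realm, using the KDC and admin_server names from the question), derives a separate credential cache per realm, and runs a command with KRB5_CONFIG and KRB5CCNAME pointing at that realm. The directory $HOME/.krb5, the krb5-REALM.conf file naming, the FILE: cache path under /tmp, and the function names are assumptions for illustration, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not code from the original post.
# One krb5.conf and one credential cache per realm, selected per command
# through KRB5_CONFIG and KRB5CCNAME (Solution 1, point B).
set -eu

# Assumption: per-realm configs live here (override with KRB5_DIR=...)
KRB5_DIR="${KRB5_DIR:-${HOME:-/tmp}/.krb5}"

# write_realm_conf REALM KDC_HOST [ADMIN_SERVER]
# Writes $KRB5_DIR/krb5-REALM.conf with REALM as default_realm and prints its path.
write_realm_conf() {
    realm="$1"; kdc="$2"; admin="${3:-$2}"
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    path="$KRB5_DIR/krb5-$realm.conf"
    mkdir -p "$KRB5_DIR"
    cat > "$path" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false
    rdns = false
    forwardable = true
    ticket_lifetime = 24h
    renew_lifetime = 7d

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $admin
    }

[domain_realm]
    $lower = $realm
    .$lower = $realm
EOF
    printf '%s\n' "$path"
}

# ccache_for REALM
# Prints a per-realm, per-user FILE: credential cache so each realm keeps
# exactly one identity (assumed path; the default here is the kernel keyring).
ccache_for() {
    printf 'FILE:/tmp/krb5cc_%s_%s\n' "$(id -u)" "$1"
}

# with_realm REALM CMD [ARGS...]
# Runs CMD with the realm's config and cache selected through the environment;
# nothing else on the host (or in /etc/krb5.conf) is touched.
with_realm() {
    realm="$1"; shift
    KRB5_CONFIG="$KRB5_DIR/krb5-$realm.conf" \
    KRB5CCNAME="$(ccache_for "$realm")" \
    "$@"
}

# Usage, with the realms from the question (requires reachable KDCs):
#   write_realm_conf DOMAIN1.COM adc.domain1.com
#   write_realm_conf DOMAIN2.COM adc.domain2.com 192.168.3.24:749
#   with_realm DOMAIN1.COM kinit name1@DOMAIN1.COM
#   with_realm DOMAIN2.COM kinit login2@DOMAIN2.COM
#   with_realm DOMAIN2.COM klist
```

Because each realm gets its own cache, a kinit for DOMAIN2.COM never overwrites the DOMAIN1.COM ticket, and each application started through with_realm only ever sees its own identity. Note that kinit with a realm-qualified principal such as name1@DOMAIN1.COM already uses that realm's [realms] entry regardless of default_realm; the separate config files matter for anything that works with unqualified names and for keeping the two credential caches apart.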

Solution 2:[2]

I think what you actually want is a trust between the two domains.

11.5.1. A Trust Relationship

A trust means that the users within one realm are trusted to access the resources in another domain as if they belonged to that realm. This is done by creating a shared key for a single principal that is held in common by both domains.

This sounds like it would solve your issue.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Samson Scharfrichter
Solution 2: Matt Andruff