#StackBounty: #active-directory #redhat #kerberos Kerberos authentication to root domain in Active Directory

Bounty: 50

I have an environment in Active Directory that is composed of a root and a child domain, let’s call them my.root.domain.com and root.domain.com

I have a RHEL7 server I’ve spun up which has no problem at all authenticating against the “my.root.domain.com” domain. I cannot, however, authenticate using an account in the “root.domain.com” domain. I can look up accounts using id in both domains:

id -a user1@my.root.domain.com

and

id -a user2@root.domain.com

both show my AD groups. As the root user, I can even “su – ” to any user in either domain (doesn’t require authentication). The problem arises when authentication happens. Trying to authenticate to user2@root.comain.com fails.

in smb.conf I have:

...
workgroup = MY
realm = MY.ROOT.DOMAIN.COM
security = ads
...

in /etc/krb5.conf I have:

[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
proxiable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = MY.ROOT.DOMAIN.COM
dns_lookup_kdc = true
[realms]
MY.ROOT.DOMAIN.COM = {
}
ROOT.DOMAIN.COM = {
}

[domain_realm]
my.root.domain.com = MY.ROOT.DOMAIN.COM
.my.root.domain.com = MY.ROOT.DOMAIN.COM
root.domain.com = ROOT.DOMAIN.COM
.root.domain.com = ROOT.DOMAIN.COM

A packet trace does reveal that when trying to authenticate as user2@root.domain.com, it sends a KRB query of:

CNameString: ROOT.DOMAIN.COMuser2
realm: MY.ROOT.DOMIAN.COM

I know I’m the village idiot when it comes to the AD stuff, but hoping someone has a good suggestion. I’m fairly certain my krb config is not quite what it should be.

Does anyone have any suggestions to utilize accounts from the domain “root.domain.com” domain to authenticate against?


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.