One server, two Kerberos realms

I have a number of CentOS 7 servers which need to authenticate with two different Kerberos realms: A.EXAMPLE.COM and B.EXAMPLE.POOP. Most users exist in the one, a few in the other. I have them configured in /etc/krb5.conf. A.EXAMPLE.COM is set as the default realm. I can kinit with kinit INeverReallyKnow and kinit pooptyface@B.EXAMPLE.POOP. That works.



How can I log in via SSH as either user with this setup?



It seems SSH, PAM, and friends will only use the default realm. I tried using a k5login file on a user in the non-default realm but it had no effect (with k5login_authoritative set to true).



I am attempting to NOT use sssd as it has been the source of major issues over the past couple years. I feel that software is unusable in its current state. Please don't bother arguing the use of sssd.



I have little to no control over the realms and cannot do any cross-realm trust. The realms are both Active Directory, if it matters.



I cannot kinit on a local system and use gssapi as the workstations do not have access to the KDCs.



Is it possible to log in via SSH against two different realms?







asked Dec 22 '17 at 22:13
jhcvsdhdvfhsdf
