One server, two Kerberos realms
I have a number of CentOS 7 servers which need to authenticate with two different Kerberos realms: A.EXAMPLE.COM and B.EXAMPLE.POOP. Most users exist in the one, a few in the other. I have them configured in /etc/krb5.conf. A.EXAMPLE.COM is set as the default realm. I can kinit with kinit INeverReallyKnow and kinit pooptyface@B.EXAMPLE.POOP. That works.
How can I log in via SSH as either user with this setup?
It seems SSH, PAM, and friends will only use the default realm. I tried using a k5login file on a user in the non-default realm but it had no effect (with k5login_authoritative set to true).
I am attempting to NOT use sssd as it has been the source of major issues over the past couple years. I feel that software is unusable in its current state. Please don't bother arguing the use of sssd.
I have little to no control over the realms and cannot do any cross-realm trust. The realms are both Active Directory, if it matters.
I cannot kinit on a local system and use gssapi as the workstations do not have access to the KDCs.
Is it possible to log in via SSH against two different realms?
centos authentication kerberos
asked Dec 22 '17 at 22:13
jhcvsdhdvfhsdf
564