Hi,
On a Linux server I want to access a Windows server from the Windows domain sub.dnsdomain using an account from the parent Windows domain dnsdomain. The account has admin permissions on that server and can log in using RDP.
I have configured Kerberos realms for both domains on the Linux server. I can then get a Kerberos ticket using kinit user. I can access servers from dnsdomain, but I cannot access the server from sub.dnsdomain.
[libdefaults]
    default_realm = DNSDOMAIN
    dns_lookup_realm = false
    #ticket_lifetime = 24h
    renew_lifetime = 7d
    rdns = false
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ticket_lifetime = 600
    kdc_timesync = 1
    ccache_type = 4

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    DNSDOMAIN = {
        kdc = dc1.dnsdomain:88
        kdc = dc2.dnsdomain:88
        admin_server = dc1.dnsdomain:749
        default_domain = dnsdomain
    }
    SUB.DNSDOMAIN = {
        kdc = subdc1.sub.dnsdomain:88
        kdc = subdc2.sub.dnsdomain:88
        admin_server = subdc1.sub.dnsdomain:749
        default_domain = sub.dnsdomain
    }

[domain_realm]
    .dnsdomain = DNSDOMAIN
    dnsdomain = DNSDOMAIN
    .sub.dnsdomain = SUB.DNSDOMAIN
    sub.dnsdomain = SUB.DNSDOMAIN

[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
Note: The Windows domain name differs from the DNS names. I'm not using it in the Kerberos config.
Then I can do this:
$ kinit user
Password for user@DNSDOMAIN:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DNSDOMAIN
Valid starting       Expires              Service principal
07.08.2020 14:06:07  07.08.2020 14:16:00  krbtgt/DNSDOMAIN@DNSDOMAIN
        renew until 10.08.2020 14:06:07
$ rpcclient server.dnsdomain -k
rpcclient $> srvinfo
XXXXXXX
platform_id : 500
os version : 6.3
server type : 0x801013
rpcclient $> quit
$ rpcclient subserver.sub.dnsdomain -k
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
If I try to connect via Ansible/WinRM to the server in the subdomain, I get the error:
Server not found in Kerberos database
How do I get access to the server in the subdomain using an account from the parent domain?
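The following diagnostic helper is an added example, not part of the question above and not from any Kerberos project. It reuses the host and realm names from the question and assumes the MIT Kerberos client tools (kinit, kvno, klist; KRB5_TRACE is MIT-specific). The offline part reproduces the [domain_realm] lookup the library performs, so you can see which realm the client will ask for when it builds the service principal for subserver.sub.dnsdomain, and checks a ticket cache listing for the cross-realm TGT krbtgt/SUB.DNSDOMAIN@DNSDOMAIN that a user@DNSDOMAIN principal must obtain before the child-domain KDC can issue a service ticket. The klist text at the bottom is constructed in the shape shown in the question; the live part only runs when the script is invoked with the argument "live".

```shell
# Added diagnostic helper, not part of the original post. Assumes the MIT
# Kerberos client tools (kinit, kvno, klist) and reuses the host and realm
# names from the question; the klist text at the bottom is constructed.

# The [domain_realm] table from the post's krb5.conf, as "name realm" pairs.
DOMAIN_REALM='
.dnsdomain DNSDOMAIN
dnsdomain DNSDOMAIN
.sub.dnsdomain SUB.DNSDOMAIN
sub.dnsdomain SUB.DNSDOMAIN
'

lookup_realm() {
    # Print the realm mapped to an exact [domain_realm] key, if any.
    printf '%s\n' "$DOMAIN_REALM" | awk -v k="$1" '$1 == k { print $2; exit }'
}

realm_for_host() {
    # Mirror the krb5 library rule: try the full hostname, then each parent
    # domain with a leading dot, nearest parent first. The first hit wins, so
    # subserver.sub.dnsdomain resolves to SUB.DNSDOMAIN, not DNSDOMAIN.
    h=$1
    r=$(lookup_realm "$h")
    [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    d=$h
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}
        r=$(lookup_realm ".$d")
        [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    done
    return 1
}

cache_has_principal() {
    # $1: klist output, $2: service principal. The principal is the last
    # field of each ticket line; "renew until" lines end in a date and never
    # match.
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

live_check() {
    # Talk to the real KDCs. From a user@DNSDOMAIN TGT, a ticket for a host in
    # the child realm needs the cross-realm TGT krbtgt/SUB.DNSDOMAIN@DNSDOMAIN
    # first; KRB5_TRACE (MIT only) prints every KDC request and reply, so you
    # can see which KDC answered "Server not found in Kerberos database".
    h=$1
    r=$(realm_for_host "$h") || { echo "no [domain_realm] entry covers $h" >&2; return 1; }
    spn="host/$h@$r"
    echo "requesting $spn"
    KRB5_TRACE=/dev/stderr kvno "$spn" || return 1
    klist | awk '/krbtgt\/.*@/ { print "TGT in cache:", $NF }'
}

# Constructed klist output in the shape shown in the post, with the
# cross-realm TGT present, for the offline checks.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DNSDOMAIN

Valid starting       Expires              Service principal
07.08.2020 14:06:07  07.08.2020 14:16:00  krbtgt/DNSDOMAIN@DNSDOMAIN
        renew until 10.08.2020 14:06:07
07.08.2020 14:07:10  07.08.2020 14:16:00  krbtgt/SUB.DNSDOMAIN@DNSDOMAIN
        renew until 10.08.2020 14:06:07'

if [ "${1:-}" = live ]; then
    live_check "${2:-subserver.sub.dnsdomain}"
else
    echo "subserver.sub.dnsdomain -> realm $(realm_for_host subserver.sub.dnsdomain)"
    if cache_has_principal "$SAMPLE_KLIST" krbtgt/SUB.DNSDOMAIN@DNSDOMAIN; then
        echo "sample cache holds the cross-realm TGT krbtgt/SUB.DNSDOMAIN@DNSDOMAIN"
    fi
    if ! cache_has_principal "$SAMPLE_KLIST" host/subserver.sub.dnsdomain@SUB.DNSDOMAIN; then
        echo "sample cache has no service ticket for subserver.sub.dnsdomain yet"
    fi
fi
```

Run it without arguments for the offline checks, or as `sh check.sh live subserver.sub.dnsdomain` after `kinit user` to watch the real exchange. With dns_lookup_realm = false, the [domain_realm] table is what decides the realm in the requested service principal; if the trace shows the request reaching subdc1.sub.dnsdomain and that KDC replying that the server is unknown, the SPN being asked for (host/subserver.sub.dnsdomain@SUB.DNSDOMAIN) is what to compare against what the child domain actually has registered. If the cross-realm TGT never appears in klist, the problem is one step earlier, at the parent KDC.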