AndyDoran-3714 asked:

Kerberos from Linux to Windows with domain trust where DCs are firewalled from the Linux server

I have the following configuration: Windows domains DOMAINA and DOMAINB. A 2 way trust exists and I have an account in DOMAINA which is configured to be an admin in DOMAINB. This all works.

I have a Linux box that uses Kerberos to access DOMAINB using the account created in DOMAINA. This works perfectly fine if I configure /etc/krb5.conf to have:

 DOMAINA.LOCAL = {
          kdc = dc1.domaina.local
 }
 DOMAINB.LOCAL = {
          kdc = dc1.domainb.local
 }

But this needs both DOMAINA and DOMAINB DCs to be accessible to the Linux box. In this situation, only the DC for DOMAINA is visible to the Linux box. There are servers in DOMAINB that are visible to the Linux box, but the DC for DOMAINB is NOT visible to the Linux box.

The DCs from both domains can see each other.

Can I configure Kerberos on the Linux box to only require access to the domain that has the account I want to use, and not have to contact the DC in the domain where the account will be used?

windows-server-security

Hello @AndyDoran-3714,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.


Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

DaisyZhou-MSFT answered:

Hello @AndyDoran-3714,

Thank you for posting here.

Based on the description "Can I configure kerberos on the linux box to only require access to the domain that has the account I want to use, and not to have to contact the DC in the domain where the account will be used?", we do not understand it clearly.

Here are general suggestions:

1. Please make sure all DNS can resolve each other.

2. Please make sure all ports that should be open are open.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou



@DaisyZhou-MSFT

As the post says - in this situation, the DC for the domain "DOMAINB" is deliberately inaccessible to the Linux server that is using Kerberos. The DCs for "DOMAINA" are accessible. What I was asking is whether there is a way to use an account in DOMAINA to access the servers in DOMAINB in this scenario.

All servers in DOMAINA and DOMAINB can see each other including DCs and member servers.

It seems that it is a requirement that for Kerberos to authenticate from a Linux server, the Linux server must be able to communicate with the DCs in both domains.

GaryNebbett answered:

Hello @AndyDoran-3714,

The Linux client needs access to Key Distribution Centres (KDCs) in both domains. Typically this means that TCP and UDP access to the Kerberos port (88) of KDCs in each domain should be allowed.

There might be some possibility of using a Kerberos "proxy" of some sort (perhaps Kerberos over HTTPS), but that does not seem appropriate for your scenario.

Gary
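A way to check the requirement Gary describes against an actual krb5.conf, as an added example that is not part of this thread: it parses the [realms] section, distinguishes plain KDC entries (which need TCP/UDP 88 to that DC) from MS-KKDCP proxy URLs (the "Kerberos over HTTPS" option; MIT krb5 1.13 and later accept `kdc = https://host/KdcProxy`, which needs only HTTPS to the proxy), and probes each endpoint over TCP. The proxy host name kdcproxy.domainb.local is an assumed placeholder.

```python
# Added example (not from the thread): list the KDCs a krb5.conf [realms]
# section points at and probe each one. "kdc = host" needs port 88 on that DC;
# MIT krb5 1.13+ also accepts "kdc = https://host/KdcProxy" (MS-KKDCP, 443).
import re, socket
from urllib.parse import urlparse

def parse_realms(conf_text):
    """Return {REALM: [kdc entries]} from the [realms] section of krb5.conf."""
    realms, current, in_realms = {}, None, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/whitespace
        if line.startswith("["):                     # section header
            in_realms, current = line.lower() == "[realms]", None
        elif in_realms and re.match(r"[^\s=]+\s*=\s*\{", line):  # "REALM = {"
            current = line.split("=", 1)[0].strip().upper()
        elif line == "}":                            # end of realm block
            current = None
        elif current and (m := re.match(r"kdc\s*=\s*(\S+)$", line, re.I)):
            realms.setdefault(current, []).append(m.group(1))
    return realms

def kdc_endpoint(entry):
    """Map one kdc entry to (host, port, kind): direct DC or KKDCP proxy."""
    if entry.startswith("https://"):
        u = urlparse(entry)
        return u.hostname, u.port or 443, "kkdcp"
    host, _, port = entry.partition(":")
    return host, int(port) if port else 88, "direct"

def tcp_reachable(host, port, timeout=2.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_realms(realms, probe=tcp_reachable):
    """Return {REALM: [(entry, kind, reachable)]}; probe is injectable."""
    return {realm: [(e, kdc_endpoint(e)[2], probe(*kdc_endpoint(e)[:2]))
                    for e in entries] for realm, entries in realms.items()}

# Constructed sample: the thread's realms, DOMAINB via a hypothetical proxy host.
SAMPLE_CONF = """[realms]
 DOMAINA.LOCAL = {
          kdc = dc1.domaina.local
 }
 DOMAINB.LOCAL = {
          kdc = https://kdcproxy.domainb.local/KdcProxy
 }
"""
```

Run `check_realms(parse_realms(open("/etc/krb5.conf").read()))` on the client; any "direct" entry reported unreachable is a KDC the cross-realm TGS exchange will fail against. The probe only covers TCP, so UDP 88 filtering still has to be checked separately.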


@GaryNebbett - I have seen that there is a "kerberos proxy" but I don't know how to configure that. I wasn't sure if that was just going to take me down a blind alley or not.

As far as I can see, there is no way for this scenario to work unless the Linux system using Kerberos can access the DCs for both domains. This is actually someone else's environment and I am not sure why it is OK for the member servers in DOMAINB to be accessible to the Linux system, but not the Domain Controllers from that domain. It's not simply that the AD ports are firewalled off; the DCs in DOMAINB cannot be contacted at all from Linux.

Looks like the answer is going to be "give access to those DCs"...


Hello @AndyDoran-3714,

Would it be possible to use NTLM instead of Kerberos? There would be no need for the Linux system to have access to a KDC/DC in the target domain (DOMAINB) in that case - the server would however have to be able to communicate with a DC in DOMAINA (where the Linux account "resides", to verify the NTLM challenge/response interactions with the Linux system).

Gary


@GaryNebbett - tied in to Kerberos unfortunately...
