This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 74%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
I have the following configuration: Windows domains DOMAINA and DOMAINB. A 2 way trust exists and I have an account in DOMAINA which is configured to be an admin in DOMAINB. This all works.
I have a linux box that uses kerberos to access DOMAINB using the account created in DOMAINA. This works perfectly fine if I configure /etc/krb5.conf to have:
DOMAINA.LOCAL = {
kdc = dc1.domaina.local
}
DOMAINB.LOCAL = {
kdc = dc1.domainb.local
}
But this needs both DOMAINA and DOMAINB DCs to be accessable to the linux box. In this situation, only the DC for DOMAINA is visible to the linux box. There are servers in DOMAINB that are visible to the linux box, but the DC for DOMAINB is NOT visible to the linux box.
The DCs from both domains can see each other
Can I configure kerberos on the linux box to only require access to the domain that has the account I want to use, and not to have to contact the DC in the domain where the account will be used?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Andy Doran ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Hello @Andy Doran ,
Thank you for posting here.
Based on the description "Can I configure kerberos on the linux box to only require access to the domain that has the account I want to use, and not to have to contact the DC in the domain where the account will be used?", wo do not understand it clearly.
Here are general suggestions:
1.Please make sure all DNS can resolve each other.
2.Please make sure all ports that should be open are open.
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
As the post says - in this situation, the DC for the domain "DOMAINB" are deliberately inaccessible to the linux server that is using kerberos. The DCs for "DOMAINA" are accessible. What I was asking is whether there is a way to use an account in DOMAINA to access the servers in DOMAINB in this scenario.
All servers in DOMAINA and DOMAINB can see each other including DCs and member servers.
It seems that it is a requirement that for kerberos to authenticate from a linux server, the linux server must be able to communicate with the DCs in both domains.
Hello @Andy Doran ,
The Linux client needs access to Key Distribution Centres (KDCs) in both domains. Typically this means that TCP and UDP access to the Kerberos port (88) of KDCs in each domain should be allowed.
There might be some possibility of using a Kerberos "proxy" of some sort (perhaps Kerberos over HTTPS), but that does not seem appropriate for your scenario.
Gary
@Gary Nebbett - I have seen that ther is "kerberos proxy" but I don;t know hpw to configure that. I wasn;t sure if that was just going to take me down a blind alley or not.
As far as I can see, there is no way for this scenario to work unless the linux system using kerberos can access the DCs for both domains. This is actually someone else's environment and I am not sure why it is OK for the member servers in DOMAINB to be accessible to thee linux system, but not the Domain Controllers from that domain. It's not simply that the AD ports are firewalled off, the DCs in DOMAINB cannot be contacted at all from linux.
Looks like the answer is going too be "give access to those. DCs"...
Hello @Andy Doran ,
Would it be possible to use NTLM instead of Kerberos? There would be no need for the Linux system to have access to a KDC/DC in the target domain (DOMAINB) in that case - the server would however have to be able communicate with a DC in DOMAINA (where the Linux account "resides", to verify the NTLM challenge/response interactions with the Linux system).
Gary
@Gary Nebbett - tied in to kerberos unfortunately...
Hello @Andy Doran ,
Something has got to give or you are stymied.
To recap, the possibilities that I can think of include:
Gary
using Python and winrm - it all works (as you suggest) if the transport is ntlm. But change the transport to kerberos and it will no longer work.
Using ntlm is unlikely to be an option here - I think the only way forward is allowing kerberos through to the DC in DOMAINB. Thanks for your patience :)