
I am using both Red Hat and Ubuntu, but I'll start with Ubuntu (18.04.6).

I want to authenticate with two KRB5 realms (not joined to AD); I'll call them REALM1 and REALM2. Some users are in REALM1, others are in REALM2. I configured krb5.conf and sssd.conf with both realms.
You have to select a default realm in krb5.conf, so I picked REALM1 at random.

If I use kinit, it will always check REALM1 but not REALM2. I guess I can live with that.

I set up SSSD; it doesn't ask for a default realm. I can log in with a REALM1 username, but not a REALM2 username. Looking at logs, it looks like it only tries the first realm.

I'd like a user to be able to just enter their username (without realm) and the system tries both realms. How can I configure this?

Here's how my sssd.conf is set up:

[sssd]
    services = nss, pam
    domains = REALM1, REALM2

[domain/REALM2]
    id_provider = proxy
    proxy_lib_name = files
    auth_provider = krb5
    krb5_realm = REALM2
    krb5_validate = false
    krb5_server = kdc1address

[domain/REALM1]
    id_provider = proxy
    proxy_lib_name = files
    auth_provider = krb5
    krb5_realm = REALM1
    krb5_validate = false
    krb5_server = kdc2address

[pam]
    offline_credentials_expiration = 1
    pam_cert_auth = true

And my krb5.conf

[libdefaults]
        default_realm = REALM1
        forwardable = true
        proxiable = true

[realms]
 REALM2 = {
  kdc = kdc1address
  admin_server = kdc1address
 }

 REALM1 = {
  kdc = kdc2address
  admin_server = kdc2address
 }

[domain_realm]
 .realm2 = REALM2
 realm2 = REALM2
 .realm1 = REALM1
 realm1 = REALM1

One solution is to set the pam_sss "domains" option to restrict each line to a single domain, then add an identical line for the second domain.

auth    sufficient      pam_sss.so domains=REALM1 forward_pass
auth    sufficient      pam_sss.so domains=REALM2 forward_pass

This works on newer systems, but not on 18. I think my version of sssd (1.16.1) is too old. As a workaround, switching to pam_krb5 does work.

However, the domains setting in sssd.conf seems like it's specifically designed to check multiple domains, so I don't understand why it doesn't work.
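The two configuration files above have to agree with each other (each SSSD domain's krb5_realm and krb5_server must match a [realms] entry in krb5.conf), and the per-domain pam_sss lines have to list the same domains in the same order as [sssd] domains. The following script is an added example, not part of the original question or of SSSD: it parses both files with a small hand-written reader for the krb5.conf brace syntax, cross-checks them, emits one pam_sss line per domain in the form used above, and flags krb5_validate = false, since without keytab validation a spoofed KDC reply is not detected. The embedded sssd.conf and krb5.conf are constructed from the question's own snippets; kdc1address and kdc2address are the question's placeholders, and the check() function name and (level, message) finding format are this example's own.

```python
import configparser

# Constructed samples, copied from the question's snippets with whitespace normalised.
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = REALM1, REALM2

[domain/REALM2]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_realm = REALM2
krb5_validate = false
krb5_server = kdc1address

[domain/REALM1]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_realm = REALM1
krb5_validate = false
krb5_server = kdc2address
"""

KRB5_CONF = """\
[libdefaults]
        default_realm = REALM1
        forwardable = true

[realms]
 REALM2 = {
  kdc = kdc1address
  admin_server = kdc1address
 }
 REALM1 = {
  kdc = kdc2address
  admin_server = kdc2address
 }

[domain_realm]
 .realm2 = REALM2
 .realm1 = REALM1
"""


def parse_sssd(text):
    """Return ([sssd] domains in listed order, {name: {key: value}} per [domain/name])."""
    # Leading whitespace is stripped so indented keys are not read as value continuations.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    sections = {name[len("domain/"):]: dict(cp[name])
                for name in cp.sections() if name.startswith("domain/")}
    return domains, sections


def parse_krb5(text):
    """Minimal krb5.conf reader: [section] headers, key = value pairs and
    KEY = { ... } blocks as used under [realms]. Repeated keys (several kdc
    lines) accumulate, so every leaf value is a list of strings."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif not stack:
            continue                      # ignore junk before the first section
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return sections


def check(domains, sections, krb5):
    """Cross-check SSSD's per-domain Kerberos settings against krb5.conf.
    Returns (level, message) tuples with level 'error' or 'warn'."""
    findings = []
    realms = krb5.get("realms", {})
    default_realm = krb5.get("libdefaults", {}).get("default_realm", [None])[0]
    if default_realm is None:
        findings.append(("error", "krb5.conf has no default_realm in [libdefaults]"))
    elif default_realm not in realms:
        findings.append(("error", f"default_realm {default_realm} has no [realms] entry"))
    for dom in domains:
        sec = sections.get(dom)
        if sec is None:
            findings.append(("error", f"[sssd] lists {dom} but there is no [domain/{dom}] section"))
            continue
        if sec.get("id_provider") == "proxy" and "proxy_lib_name" not in sec:
            findings.append(("error", f"{dom}: id_provider = proxy requires proxy_lib_name"))
        if sec.get("auth_provider") != "krb5":
            continue
        realm = sec.get("krb5_realm", dom)
        if realm not in realms:
            findings.append(("error", f"{dom}: krb5_realm {realm} has no [realms] entry in krb5.conf"))
            continue
        # Compare host names only; krb5.conf kdc entries may carry a :port suffix.
        kdc_hosts = [k.split(":")[0] for k in realms[realm].get("kdc", [])]
        for server in (s.strip() for s in sec.get("krb5_server", "").split(",") if s.strip()):
            if kdc_hosts and server.split(":")[0] not in kdc_hosts:
                findings.append(("warn", f"{dom}: krb5_server {server} is not a kdc of {realm} in krb5.conf"))
        # SSSD defaults krb5_validate to false; without a host keytab the TGT is not
        # verified, so a spoofed KDC reply would be accepted as a successful login.
        if sec.get("krb5_validate", "false").lower() != "true":
            findings.append(("warn", f"{dom}: krb5_validate is off, a spoofed KDC reply is not detected"))
    return findings


def pam_sss_lines(domains):
    """One pam_sss entry per SSSD domain, in [sssd] order, in the form used in
    the question: each line is restricted to one domain and forwards the
    password so the next line does not prompt again."""
    return [f"auth    sufficient      pam_sss.so domains={dom} forward_pass" for dom in domains]


if __name__ == "__main__":
    doms, secs = parse_sssd(SSSD_CONF)
    for level, msg in check(doms, secs, parse_krb5(KRB5_CONF)):
        print(f"{level}: {msg}")
    print("\n".join(pam_sss_lines(doms)))
```

Run against the question's configs it reports no errors and two warnings (krb5_validate is off in both domains); changing a kdc line in krb5.conf without touching krb5_server produces a mismatch warning, and dropping proxy_lib_name from a proxy domain produces an error.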

1 Answer

SSSD 1.16.1 lacks full multi-realm support.

Use PAM with multiple pam_sss.so lines for each realm, or upgrade SSSD for proper multi-realm handling.

To make multi-realm work on SSSD 1.16.1 without upgrading, try setting up a "fallback" realm by adjusting the [domain] sections. Specifically, add fallback_homedir in SSSD or create two separate domains in PAM with fallback.

In krb5.conf, set up realm_fallback using [domain_realm]:

[libdefaults]
 # default_realm is a [libdefaults] setting; it is not valid inside [domain_realm]
 default_realm = REALM1

[domain_realm]
 .realm1 = REALM1
 .realm2 = REALM2

In sssd.conf, set a specific default domain but ensure proper [domain] sections are defined for both:

[sssd]
services = nss, pam
domains = REALM1, REALM2
default_domain_suffix = REALM1

[domain/REALM1]
id_provider = proxy
# required whenever id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_realm = REALM1
krb5_server = kdc1address

[domain/REALM2]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_realm = REALM2
krb5_server = kdc2address

Finally, try using PAM fallback with pam_krb5 instead of pam_sss:

auth sufficient pam_krb5.so use_first_pass realm=REALM1
auth sufficient pam_krb5.so use_first_pass realm=REALM2

This should enable cross-realm logins without forcing an upgrade.

  • At the end of my original post, I already stated that I tried using multiple pam_sss for each realm and it did NOT work with 1.16.1, the domains option was ignored. Did you mean to say AND? upgrade AND use that option (which isn't an option for me)? Or is there a different configuration option I'm supposed to be using? Commented Sep 15, 2024 at 0:59
    The only solution is to upgrade SSSD to a version that fully supports multi-realm, as 1.16.1 can't handle this configuration as expected. The work-around I've added to the solution isn't pretty. Commented Sep 15, 2024 at 2:10
  • I also already stated in my original post "As a workaround, switching to pam_krb5 does work." So I think the best answer is just "The only solution is to upgrade SSSD to a version that fully supports multi-realm, as 1.16.1 can't handle this configuration as expected". Do you happen to know which version adds support? Even 2.6.3 requires two pam_sss lines with the domains option. One would think it should just try all the domains listed in sssd.conf if they specifically allow specifying more than one in the conf. Commented Sep 15, 2024 at 13:01
  • I agree, and went through MIT, KTH and the vendors' documentation for hours, but I end up getting the same conclusion. If you want SSSD to try all domains without multiple pam_sss lines, this behavior is not supported. I'm searching for a script I had at work that did the trick, but it's about 10 years old. And this defeats what we're trying to accomplish codeberg.org/cgoslaw/sssd-multidomain/src/branch/main/… like this web.mit.edu/kerberos/krb5-latest/doc/index.html and even this www-local.pdc.kth.se/kth-krb/doc/kth-krb_toc.html Commented Sep 15, 2024 at 16:38
  • OK, at least I can stop wasting time trying to figure it out. Is there a downside to using two lines? At first I thought I might trigger a failed login every time, but I don't think that would be the case since they are separate realms and I think it checks if the user exists first. Commented Sep 15, 2024 at 16:43
