Comment 2 for bug 1988144

Hajo Locke (hajo-locke) wrote :

Hello Sergio,

thanks for your help.

I can do that. I will explain a step-by-step procedure for my setup. I also attach a file with anonymised krb5.conf, realmd.conf and sssd.conf.

We have an Active Directory domain which is controlled by multiple domain controllers. We attach some of our Linux servers to AD to control by AD group who can access and sudo on these Linux machines. In my conf files the domain is simply called domain.de|DOMAIN.DE

- the starting point is a freshly installed Ubuntu 18.04 or 22.04 LTS with a local admin. This local admin is used to initiate the AD connection. Basically I followed this tutorial: https://schroeffu.ch/2019/09/linux-active-directory-ldap-ssh-login-mit-sssd-und-realmd/

- Installation:
apt install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli

- please see attached krb5.conf, realmd.conf

- now I get a TGT with kinit using my AD domain admin credentials
kinit <email address hidden>

- joining the domain
realm --verbose join DOMAIN.DE -U <email address hidden>

- at this point we are part of the domain and after the domain sync every user in group LinuxAdmins can log in by ssh. sudo is allowed by a config in /etc/sudoers.d/ which contains
%LinuxAdmins ALL=(ALL:ALL) ALL

Now I use an unprivileged domain user which is part of the AD group LinuxAdmins.
For fast login I use a key pair for this user to log in as the unprivileged user. So I log in by ssh key and do a "sudo -i" to stay permanently root. Now sssd works and checks my AD data/password. I am allowed to do sudo and now I am the root user. klist now shows a valid TGT and klist -ekt shows a valid KVNO, timestamp and principal.

Now I do the same on Ubuntu 22, all steps/configs identical except a line in sssd.conf (see comment in first section) because services use a different startup.
On Ubuntu 22 I use my unprivileged user to log in by ssh key, then do "sudo -i", and klist says:
klist: No credentials cache found (filename: /tmp/krb5cc_0)
A file /tmp/krb5cc_0 does not exist, but I see a file /tmp/krb5cc_27465975_nGySkP which is owned by my unprivileged username but not used by klist. Maybe the problem is in the sudo environment.

In Ubuntu 22 I see a valid TGT by klist only if I do every login by hand and don't use an ssh key. But this was working in Ubuntu 18 and I liked it that way, because I hop on a lot of servers every day and a first login by ssh key is very comfy.
Maybe this is only a small bug in this particular case, but I want to make sure that my services still work after some time, because the existing keytab can be used for other purposes like authentication by the Apache web server too and I don't want them to be harmed by this issue.

Thanks for your help,
Hans
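The comment above describes klist looking for /tmp/krb5cc_0 after "sudo -i" while a per-user cache such as /tmp/krb5cc_27465975_nGySkP exists. The script below is an added diagnostic example, not part of the bug report or of sssd, sudo or krb5. It models how a process picks its credential cache (the KRB5CCNAME variable if set, otherwise the MIT krb5 default FILE:/tmp/krb5cc_<uid>) and how sudo's env_reset only passes variables listed in env_keep, so a cache name set in the unprivileged session is not automatically visible to the root shell. The ccache file name and uid used in the sample are constructed from the report; the assumption that the platform default is FILE:/tmp/krb5cc_%{uid} and that KRB5CCNAME is not on sudo's default env_keep list are stated as assumptions here, not as a diagnosis of this bug.

```bash
#!/usr/bin/env bash
# Added diagnostic example (not from the bug report): work out which Kerberos
# credential cache a process will consult before and after "sudo -i".
# Assumptions: MIT krb5 default_ccache_name = FILE:/tmp/krb5cc_%{uid}, and a
# sudoers "Defaults env_reset" whose env_keep does not list KRB5CCNAME.

# ccache_path NAME: strip the FILE: prefix; other cache types are returned as-is.
ccache_path() {
  case "$1" in
    FILE:*) printf '%s\n' "${1#FILE:}" ;;
    *)      printf '%s\n' "$1" ;;
  esac
}

# resolve_ccache KRB5CCNAME_VALUE UID
# Mirrors the lookup order: an explicit KRB5CCNAME wins, otherwise the
# per-uid default path is used.
resolve_ccache() {
  local name="$1" uid="$2"
  if [ -n "$name" ]; then
    ccache_path "$name"
  else
    printf '/tmp/krb5cc_%s\n' "$uid"
  fi
}

# env_after_sudo VAR VALUE "ENV_KEEP LIST"
# Emulates env_reset: VAR survives into the sudo session only if it is on
# env_keep; otherwise an empty string is printed (variable unset).
env_after_sudo() {
  local var="$1" value="$2" keep="$3" k
  for k in $keep; do
    [ "$k" = "$var" ] && { printf '%s\n' "$value"; return 0; }
  done
  printf '\n'
}

# Walk through the scenario from the report with constructed sample values:
# an unprivileged uid whose cache was written under a templated name, then
# a root shell obtained with "sudo -i".
demo_scenario() {
  local user_uid=27465975
  local user_cc="FILE:/tmp/krb5cc_${user_uid}_nGySkP"   # constructed sample name
  local keep_default="TERM PATH HOME LANG"               # assumed env_keep, no KRB5CCNAME
  local keep_with_cc="$keep_default KRB5CCNAME"

  echo "unprivileged session consults: $(resolve_ccache "$user_cc" "$user_uid")"
  echo "root after sudo -i (default env_keep) consults: \
$(resolve_ccache "$(env_after_sudo KRB5CCNAME "$user_cc" "$keep_default")" 0)"
  echo "root after sudo -i (KRB5CCNAME on env_keep) consults: \
$(resolve_ccache "$(env_after_sudo KRB5CCNAME "$user_cc" "$keep_with_cc")" 0)"
}

# Live check of the shell this script runs in: which cache applies here, and
# which /tmp/krb5cc_* files exist together with their owners. Read-only.
inspect_current_session() {
  echo "uid=$(id -u) KRB5CCNAME=${KRB5CCNAME:-<unset>}"
  echo "cache this shell would consult: $(resolve_ccache "${KRB5CCNAME:-}" "$(id -u)")"
  ls -l /tmp/krb5cc_* 2>/dev/null || echo "no /tmp/krb5cc_* files present"
}

demo_scenario
inspect_current_session
```

Run it once in the unprivileged ssh session and once again after "sudo -i": if the second run reports a different cache path than the file that actually holds the TGT, the environment handed to the root shell, not the keytab or the sssd join, is what to inspect (sudo -l and the env_keep settings show what is passed through).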