AD flaky cross-domain group resolution

  • #373658
    peet1
    Participant

    Here’s the gist …

    umontana.edu is the forest root.
    umt.edu is a forest domain
    gs.umt.edu is a child domain
    missoula.campus is a forest domain

    umt.edu contains all the departmental group management and faculty/staff users.
    gs.umt.edu was created to take care of a FQDN forward/reverse DNS lookup and is essentially a container for machine accounts.
    missoula.campus contains all the auto-created student accounts. There is no by-hand administration allowed in missoula.campus.

    In 10.4.x I could bind to umt.edu (legacy) or gs.umt.edu (though for some reason I had to use a domain admin for gs.umt.edu). While bound to gs.umt.edu or umt.edu I could authenticate as users in umt.edu or missoula.campus. Group resolution worked between both domains … i.e. missoula.campus users that exist in umt.edu groups would resolve correctly and consistently. See examples below.

    In 10.5.3 and above (anything before just wouldn’t work right at all) I *must* bind to the forest root (umontana.edu) to be able to authenticate both umt.edu and missoula.campus accounts. The issue however is that a missoula.campus user does not consistently resolve umt.edu group memberships. See examples below. Since my entire access control model is based on group memberships in umt.edu groups, this throws an enormous wrench in the works.

    In 10.4.11 bound to gs.umt.edu my missoula.campus user returns this after issuing an id …

    [code]j010-peet:/Users/MacAdministrator pm823892e$ whoami
    pm823892e
    j010-peet:/Users/MacAdministrator pm823892e$ id
    uid=2087054781(pm823892e) gid=1162965876(MISSOULA\domain users) groups=1162965876(MISSOULA\domain users),
    1721646871(UM\kaimin-staff), 589919297(UM\kaimin-everyone), 617388752(GS\peettestgroup), 386296534(UM\jour-wikis-acadmicit),
    1819484444(GS\jour-everyoneprint), 580497234(UM\jour-students), 224635167(UM\jour-localadmin), 1533278465(UM\jour-web),
    1440117765(UM\jour-everyone)
    j010-peet:/Users/MacAdministrator pm823892e$[/code]

    In 10.5.4 bound to umontana.edu my missoula.campus user returns this after issuing an id …

    [code]bash-3.2$ whoami
    pm823892e
    bash-3.2$ id
    uid=2087054781(pm823892e) gid=1162965876(MISSOULA\domain users) groups=1162965876(MISSOULA\domain users),
    1030(AcademicIT),1033(jourwww)[/code]

    Could anyone point me in the right direction to see why this is failing? It’s more than a bit frustrating. I’ve got 5 servers built from the same base image and running the exact same updates. All bound in the same domain. At this moment 3 and 4 are resolving group memberships correctly. 1, 2 and 5 are not. Two days ago, after restarting and rebinding them all, they all were resolving correctly.

    thanks.peet

    #373664
    peet1
    Participant

    Joel,

    Thanks so much for the quick response … Quick question: which issue is the “dns_fallback = yes” supposed to fix, the cross-domain authentication or the group resolution?

    I gave ‘er a whirl and I still have the same issue. I can successfully check out tickets from all the KDCs where I have accounts … UMONTANA.EDU, UMT.EDU, MISSOULA.CAMPUS and GS.UMT.EDU.

    I’m not 100% sure that the group resolution is a Kerberos issue. This is a shot in the dark, but is it at all possible that this has something to do with the trust setup?

    Everything between the umt.edu (parent) and gs.umt.edu (child) seems to work every time. These two have a direct full Transitive trust between them since they’re parent-child. However, the trust relationship between missoula.campus and umt.edu is transitive, but only because it passes through the forest root umontana.edu.

    thanks.peet

    #373665
    peet1
    Participant

    FYI … since I wasn’t sure which problem you were trying to address, I tried binding to umt.edu and changing dns_fallback = yes. The cross-domain authentication still fails. I cannot auth a user from missoula.campus. If I sudo -s to root and su to [email protected] (or any variation of a legit user), I just get a

    su: unknown login: pm823892e

    thanks.peet

    #373710
    Macleod
    Participant

    You need the Kerberos capaths set up for non-hierarchical cross-domain.
    DNS lookups alone won’t help you here.
    10.5 no longer builds the capaths out by default, although I’ve got my fingers crossed it will be fixed soon. (I do have a bug filed with Apple)
    The easiest way to get the capath info is to grab a 10.4 box bound to AD, and extract the [capaths] section from the /Library/Preferences/edu.mit.kerberos file.
    Drop this section alone onto a 10.5 box in a new /etc/krb5.conf file. Cross domain lookups should work.

    You can learn a little more about the capaths here: http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/capaths.html

    –DH

    #373711
    peet1
    Participant

    Brilliant.

    The advice is much appreciated. A quick follow-up question … I had our AD guys create a two-way transitive shortcut trust between missoula.campus (student accounts) and gs.umt.edu (computer accounts). This seems to take care of both our authentication issues as well as the flaky group resolution. Do you see any drawbacks to this end-run-type shortcut solution?

    thanks.peet
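Added example covering the [capaths] advice in Macleod's post and the shortcut trust in the follow-up. This is not code from the thread or from Apple/MIT: it parses a krb5.conf [capaths] stanza and traces the realm chain a client would walk, so a hand-written stanza can be sanity-checked before it goes into /etc/krb5.conf. The stanzas are constructed from the trust topology described in the first post (UMONTANA.EDU forest root, UMT.EDU and MISSOULA.CAMPUS tree roots, GS.UMT.EDU a child of UMT.EDU), with realm names assumed to be the AD domain names upper-cased; the hierarchical fallback is a simplified model of MIT's default behaviour, written for this example, not the library's own code.

```python
# Added example, not from the forum thread: parse a krb5.conf [capaths] stanza
# and trace the realm path MIT Kerberos would follow between two realms.
import re

# Constructed sample, NOT copied from a real 10.4 edu.mit.kerberos file. Paths
# for the forest in the thread (realms upper-cased; the forest root's own entry
# is left out for brevity).  Syntax: CLIENT = { SERVER = INTERMEDIATE }; "." is
# a direct hop; a server realm is repeated once per intermediate, in hop order.
HIERARCHICAL_KRB5_CONF = """
[capaths]
    MISSOULA.CAMPUS = {
        UMONTANA.EDU = .
        UMT.EDU = UMONTANA.EDU
        GS.UMT.EDU = UMONTANA.EDU
        GS.UMT.EDU = UMT.EDU
    }
    GS.UMT.EDU = {
        UMT.EDU = .
        UMONTANA.EDU = UMT.EDU
        MISSOULA.CAMPUS = UMT.EDU
        MISSOULA.CAMPUS = UMONTANA.EDU
    }
    UMT.EDU = {
        GS.UMT.EDU = .
        UMONTANA.EDU = .
        MISSOULA.CAMPUS = UMONTANA.EDU
    }
"""

# Constructed sample for the two-way shortcut trust in the last post: the
# MISSOULA.CAMPUS <-> GS.UMT.EDU hop becomes direct in both directions.
SHORTCUT_KRB5_CONF = """
[capaths]
    MISSOULA.CAMPUS = {
        GS.UMT.EDU = .
    }
    GS.UMT.EDU = {
        MISSOULA.CAMPUS = .
    }
"""

_SECTION = re.compile(r'^\[([A-Za-z_][\w.-]*)\]$')
_OPEN = re.compile(r'^([\w.-]+)\s*=\s*\{$')
_HOP = re.compile(r'^([\w.-]+)\s*=\s*([\w.-]+)$')

def parse_capaths(conf_text):
    """{client_realm: {server_realm: [intermediate, ...]}}; [] means direct."""
    capaths, section, client = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        if _SECTION.match(line):
            section, client = _SECTION.match(line).group(1).lower(), None
        elif section != 'capaths':
            continue                               # only [capaths] is of interest
        elif _OPEN.match(line):
            client = _OPEN.match(line).group(1)
            capaths.setdefault(client, {})
        elif line == '}':
            client = None
        elif client is not None and _HOP.match(line):
            server, hop = _HOP.match(line).groups()
            hops = capaths[client].setdefault(server, [])
            if hop != '.':                         # "." adds no intermediate
                hops.append(hop)
    return capaths

def hierarchical_path(client, server):
    """Simplified model (written for this example) of MIT's default when no
    [capaths] entry matches: climb to the longest common DNS suffix, then descend;
    realms sharing no suffix get no intermediate, i.e. a direct krbtgt request."""
    c, s, common = client.split('.'), server.split('.'), []
    while c and s and c[-1] == s[-1]:
        common.insert(0, c.pop())
        s.pop()
    if not common:
        return [client, server]
    up = ['.'.join(c[i:] + common) for i in range(1, len(c) + 1)]
    down = ['.'.join(s[j:] + common) for j in range(len(s) - 1, -1, -1)]
    return [client] + up + down

def realm_path(capaths, client, server):
    """Realm chain [client, ..., server]: explicit entry if present, else model."""
    if client == server:
        return [client]
    if server in capaths.get(client, {}):
        return [client] + capaths[client][server] + [server]
    return hierarchical_path(client, server)

def krbtgt_chain(path):
    """Cross-realm TGTs requested along the path; each must exist as a trust."""
    return ['krbtgt/%s@%s' % (path[i + 1], path[i]) for i in range(len(path) - 1)]

if __name__ == '__main__':
    for label, conf in (('capaths', HIERARCHICAL_KRB5_CONF),
                        ('shortcut', SHORTCUT_KRB5_CONF), ('none', '')):
        path = realm_path(parse_capaths(conf), 'MISSOULA.CAMPUS', 'GS.UMT.EDU')
        print('%-9s %s' % (label, ' -> '.join(krbtgt_chain(path))))
```

Two things the model makes visible. With no [capaths] entry, a MISSOULA.CAMPUS user reaching a GS.UMT.EDU host gets a direct krbtgt/GS.UMT.EDU@MISSOULA.CAMPUS request, which only exists once the shortcut trust from the last post is in place, while UMT.EDU to UMONTANA.EDU is guessed via a nonexistent EDU realm; that is why tree roots hanging off a forest root need explicit capaths. On the Mac itself the equivalent check is to kinit as a MISSOULA.CAMPUS user, request a service ticket for the machine's host principal and look in klist for the intermediate krbtgt entries the chain predicts. A shortcut trust between two domains of the same forest changes only the referral path; it does not alter the forest's security boundary, since intra-forest domains are not one.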
