Multiple Domain Support - No Common Forest

Elastic Stack Elasticsearch
1

Hey guys,

I'm looking to see if there's a solution for authentication users in two different domains that don't exist in the same forest, don't have a common root domain but have a two-way trust between them.

For example: I have a security group in example.com which contains users in other-domain.com. In every application I've used which supports Active Directory authentication, it has been able to authenticate other-domain.com users via the two-way trust with example.com, without needing to directly query other-domain.com domain controllers.

I've tried adding a second Active Directory realm in elasticsearch.yml but elastic dies 5 seconds after startup. I've tried using the recommended Global Catalog port configuration for the URL but I feel like the domain_name property (which is set to example.com) prevents lookups for my.user@other-domain.com or other-domain.com\my.user. It instantly fails authentication.

Any tips? Thanks!

2

Can you share the xpack.security.authc.realms chunk of your elasticsearch.yml when you define two AD realms?

3

Hey Mike,

Here's the config

xpack.security.authc:
 realms:
  native:
   type: native
   order: 0
  active_directory:
   type: active_directory
   order: 1
   domain_name: first-domain.com
   url: ldap://dc1.first-domain.com:3268, ldap://dc2.first-domain.com:3268
   load_balance:
    type: "round_robin"
   unmapped_groups_as_roles: false
  active_directory:
   type: active_directory
   order: 2
   domain_name: another-domain.local
   url: ldap://dc1.first-domain.com:3268, ldap://dc2.first-domain.com:3268
   load_balance:
    type: "round_robin"

My expectation here is that this config would permit my.user@another-domain.local to authenticate via the first-domain.com domain controllers. I've tried both the GC ports and 389 in the ldap URLs. If I comment-out the second AD config section, Elastic starts but I can't authentication with another-domain.local user accounts (instantly fails login attempt)

4

I think part of the problem is that you use the same name for both AD realms. Try naming them something like active_directoy_first and active_directory_second:

xpack.security.authc:
 realms:
  native:
   type: native
   order: 0
  active_directory:
   type: active_directory_first
   order: 1
   domain_name: first-domain.com
   url: ldap://dc1.first-domain.com:3268, ldap://dc2.first-domain.com:3268
   load_balance:
     type: "round_robin"
   unmapped_groups_as_roles: false
  active_directory_second:
   type: active_directory
   order: 2
   domain_name: another-domain.local
   url: ldap://dc1.first-domain.com:3268, ldap://dc2.first-domain.com:3268
   load_balance:
     type: "round_robin"
5

Hey Mike,

Thanks for pointing that out. I didn't realise it was a naming label.

I can now have two AD blocks in there and Elastic boots fine. Unfortunately, login attempts to another-domain.local still fail instantly. On the login page for Kabana i've tried the following username syntax:

  • another-domain.local\my_user
  • my_user@another-domain.local

Is there anywhere in Kabana or another place in ElasticSearch i need to configure? How can I debug failed logins?

6

please double check the url parameter for the active_directory_second, the config above has the same servers for both AD realms.

7

@Nobby, what error are you seeing in the logs? Also, have you gone through mapping the AD users/groups to Elasticsearch users/roles?

8

Hey jetnet,

This is intentionally the case.

9

Hey Mike,

My x-pack trial period has run out so there are billions of errors :sweat:. I should probably add a bit more detail for the scenario as well.

  • There is a Security Group in first-domain.com called ElasticGuys which contains a mix of first-domain.com and another-domain.local users
  • Elastic role_mapping.yml has been configured to allow ElasticGuys are super users
  • Users from first-domain.com that are in ElasticGuys can login to Kibana and do anything within the interface
  • Users from another-domain.local that are in ElasticGuys can't login to Kibana

Is there a requirement for role_mapping.yml to contain a security group defined in another-domain.local to both authentication and role authorisation? i.e. there needs to be a CN=ElasticGuys,OU=Groups,DC=first-domain,DC=com and CN=ElasticGuys,OU=Groups,DC=another-domain,DC=local?

When I use other systems with AD integration, it has always permitted authentication and authorisation for both domains via a single domain controllers groups and users catalog.

10

This is intentionally the case.

sorry, I started to read the topic from the third message :slight_smile:
I would start with verification if a user from another-domain can be resolved to ElasticGuys group, e.g. using the AdFind:

adfind -h dc1.first-domain.com -gc -f "userPrincipalName=my_user@another-domain.local" memberof

if this is the case, than you have to enable trace level and look at the log-files:

PUT /_cluster/settings
{"transient":{"logger.org.elasticsearch.xpack.security.authc": "trace"}}

and possibly turn the audit logging on:

xpack.security.audit.enabled: true
xpack.security.audit.outputs: [logfile]

it's better to shutdown kibana, as it sends a lot of queries to ES constantly and it will be hard to read the logs, and to call ES directly, e.g.

curl -u my_user http://es-host:9200/_search

Note: my_user is from @another_domain.local

Hope, that helps!

11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.