SSSD/Kerberos/LDAP Authentication

From UNIX Systems Administration

Install Required Packages

  1. Install the following packages.
    1. RHEL6:
      1. # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel
    2. RHEL7:
      1. # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel
    3. UBUNTU:
      1. $ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules

Configure Kerberos

  1. Gather the list of KDCs for the realm; the KDC host names are the last field of each SRV record returned.
    1. # nslookup -type=SRV _kerberos._tcp.<domain.com>
      1. Output of previous command:
        Server: <ip address>
        Address: <ip address>#53

        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc1.domain.com>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc2.domain.com>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc3.domain.com>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc4.domain.com>.
  2. Create a backup of the /etc/krb5.conf file.
    1. # cp -p /etc/krb5.conf{,.bak}
    2. Modify the /etc/krb5.conf file as follows, replacing the <DOMAIN.COM> and <domain.com> placeholders with the realm and DNS domain and the kdc entries with the KDCs gathered above.
      1. [logging]
         default = FILE:/var/log/krb5libs.log
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmind.log

        [libdefaults]
         default_realm = <DOMAIN.COM>
         dns_lookup_realm = false
         dns_lookup_kdc = false
         ticket_lifetime = 24h
         renew_lifetime = 7d
         forwardable = true

        [realms]
         <DOMAIN.COM> = {
          kdc = dc1.<DOMAIN.COM>
          kdc = dc2.<DOMAIN.COM>
          kdc = dc3.<DOMAIN.COM>
          kdc = dc4.<DOMAIN.COM>
          admin_server = <DOMAIN.COM>
        }

        [domain_realm]
         .<domain.com> = <DOMAIN.COM>
         <domain.com> = <DOMAIN.COM>
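Because the krb5.conf above sets dns_lookup_kdc = false, the [realms] list has to be maintained by hand. The following script is an added example, not part of the original page: it parses a constructed sample of the nslookup SRV output (example.com names and 192.0.2.53 are assumed documentation values) and renders the [realms] and [domain_realm] stanzas in the same layout, ordering the KDCs by SRV priority and weight.

```python
import re

# Constructed sample of `nslookup -type=SRV _kerberos._tcp.<domain>` output;
# example.com names and 192.0.2.53 are documentation values, not a real realm.
NSLOOKUP_OUTPUT = """\
Server:         192.0.2.53
Address:        192.0.2.53#53

_kerberos._tcp.example.com service = 0 100 88 dc1.example.com.
_kerberos._tcp.example.com service = 0 100 88 dc2.example.com.
_kerberos._tcp.example.com service = 10 100 88 dc3.example.com.
_kerberos._tcp.example.com service = 0 50 88 dc4.example.com.
"""

# One SRV answer line: priority, weight, port, target (trailing dot optional).
SRV_RE = re.compile(
    r"^_kerberos\._tcp\.(?P<domain>\S+)\s+service\s*=\s*"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$"
)

def parse_kdcs(text):
    """Return (domain, kdcs); kdcs is a list of (prio, weight, port, host)
    in SRV preference order: lowest priority first, then highest weight."""
    domain, kdcs = None, []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            domain = m["domain"].lower()
            kdcs.append((int(m["prio"]), int(m["weight"]),
                         int(m["port"]), m["target"].lower()))
    kdcs.sort(key=lambda k: (k[0], -k[1], k[3]))
    return domain, kdcs

def krb5_realm_stanza(domain, kdcs):
    """Render the [realms] and [domain_realm] sections in the layout of the
    krb5.conf above. Port 88 is the Kerberos default and is omitted."""
    realm = domain.upper()
    lines = ["[realms]", f" {realm} = {{"]
    for _prio, _weight, port, host in kdcs:
        lines.append(f"  kdc = {host}" + ("" if port == 88 else f":{port}"))
    lines += [f"  admin_server = {domain}", " }", "", "[domain_realm]",
              f" .{domain} = {realm}", f" {domain} = {realm}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(krb5_realm_stanza(*parse_kdcs(NSLOOKUP_OUTPUT)))
```

Run it against the real nslookup output (piped into parse_kdcs) and paste the result into /etc/krb5.conf; re-run it whenever a domain controller is added or retired.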

Configure Samba

  1. Create a backup of the /etc/samba/smb.conf file.
    1. # cp -p /etc/samba/smb.conf{,.bak}
  2. Modify the /etc/samba/smb.conf file as follows; lines prefixed with ';' are the commented-out defaults and the uncommented [global] entries are the changes.
    1. [global]
             workgroup = <DOMAIN>
      ;      server string = Samba Server Version %v
              .
              .
      ;      security = user
      ;      passdb backend = tdbsam
              .
              .
             client signing = yes
             client use spnego = yes
             kerberos method = secrets and keytab
             security = ads
             passdb backend = tdbsam
             realm = <DOMAIN.COM>
              .
              .
      ;      load printers = yes
      ;      cups options = raw
              .
              .
      ;[printers]
      ;      comment = All Printers
      ;      path = /var/spool/samba
      ;      browseable = no
      ;      guest ok = no
      ;      writable = no
      ;      printable = yes
  3. Verify the Samba configuration.
    1. # testparm
  4. The output should be similar to:
    1. [global]
             workgroup = <DOMAIN>
             realm = <DOMAIN.COM>
             security = ADS
             kerberos method = secrets and keytab
             log file = /var/log/samba/log.%m
             max log size = 50
             client signing = required
             idmap config * : backend = tdb
             
      [homes]
             comment = Home Directories
             read only = No
             browseable = No

Kerberos Ticket

  1. Obtain and verify a new ticket using the new Kerberos configuration.
    1. # kinit <admin account>
      1. Enter the password.
  2. Verify the ticket.
    1. # klist
      1. The output should be similar to:
        1. Ticket cache: FILE:/tmp/krb5cc_0
          Default principal: <admin account>@<DOMAIN.COM>

          Valid starting     Expires            Service principal
          03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
                   renew until 04/07/16 07:17:39

Register Server with Active Directory

  1. Join AD using the Kerberos ticket from the previous step (-k) and obtain a keytab; createcomputer= names the OU in which the computer object is created.
    1. # net ads join -k createcomputer="Computer-Groups/Servers/Linux"
  2. Verify the keytab
    1. # klist -k
      1. The output should be similar to (each principal appears once per encryption type; add -e to show the type):
        Keytab name: FILE:/etc/krb5.keytab
        KVNO Principal
        ---- --------------------------------------------------------------------------
           2 host/<servername.domain.com>@<DOMAIN.COM>
           2 host/<servername.domain.com>@<DOMAIN.COM>
           2 host/<servername.domain.com>@<DOMAIN.COM>
           2 host/<servername.domain.com>@<DOMAIN.COM>
           2 host/<servername.domain.com>@<DOMAIN.COM>
           2 host/<SERVERNAME>@<DOMAIN.COM>
           2 host/<SERVERNAME>@<DOMAIN.COM>
           2 host/<SERVERNAME>@<DOMAIN.COM>
           2 host/<SERVERNAME>@<DOMAIN.COM>
           2 host/<SERVERNAME>@<DOMAIN.COM>
           2 <SERVERNAME>$@<DOMAIN.COM>
           2 <SERVERNAME>$@<DOMAIN.COM>
           2 <SERVERNAME>$@<DOMAIN.COM>
           2 <SERVERNAME>$@<DOMAIN.COM>
           2 <SERVERNAME>$@<DOMAIN.COM>
  3. Obtain a Kerberos ticket using the keytab; the machine account name is the server name in capitals followed by $.
    1. # kinit -k <SERVERNAME>$
  4. Verify the new default principal; it will have changed from <admin account> to <SERVERNAME>$.
    1. # klist
      1. The output should be similar to the following; note the Default principal line:
        1. Ticket cache: FILE:/tmp/krb5cc_0
          Default principal: <SERVERNAME>$@<DOMAIN.COM>

          Valid starting     Expires            Service principal
          03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
                   renew until 04/07/16 07:17:39

Verify LDAP

  1. Verify that LDAP, authenticated over GSSAPI with the new ticket, returns the sAMAccountName of each member of Domain Admins.
    1. # ldapsearch -o ldif-wrap=140 -H ldap://<dc1.domain.com> -Y GSSAPI -N -b DC=<domain>,DC=<com> "memberOf=CN=Domain Admins,CN=Users,DC=<domain>,DC=<com>" | grep sAMAccountName

Configure SSSD Authentication

  1. RHEL6 & RHEL7: Configure PAM and NSS to use SSSD.
    1. # authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
    2. Note: this may start the oddjobd daemon.
  2. UBUNTU: Installing the packages configures PAM and NSS; nothing more is needed.

Enable oddjobd service

  1. RHEL6: Enable startup on boot
    1. # chkconfig oddjobd on
  2. RHEL7: Enable startup on boot
    1. # systemctl enable oddjobd.service

SSSD configuration

  1. Create a backup of /etc/sssd/sssd.conf if it exists (most likely not).
    1. # cp -p /etc/sssd/sssd.conf{,.bak}
  2. Create the configuration file as follows:
#RHEL6: Uncomment the following lines:
#[sssd] 
#config_file_version = 2 
#debug_level = 0 
##domains = local, <domain.com>
#domains = <domain.com>
#services = nss, pam
#reconnection_retries = 3

#RHEL7: Uncomment the following lines:
#[sssd] 
#config_file_version = 2 
#debug_level = 0 
##domains = local, <domain.com>
#domains = <domain.com>
#services = nss, pam, pac
#reconnection_retries = 3

[domain/default]
ldap_referrals = false

#RHEL6: Uncomment the following lines only if domains = local, <domain.com> will be 
#       used in the [sssd] stanza.
#[domain/LOCAL]
#enumerate = TRUE
#min_id = 500
#max_id = 999
#id_provider = local
#auth_provider = local

#RHEL7: Uncomment the following lines only if domains = local, <domain.com> will be 
#       used in the [sssd] stanza.
#[domain/LOCAL]
#enumerate = TRUE
#min_id = 1000
#max_id = 1999
#id_provider = local
#auth_provider = local

#UBUNTU: Uncomment the following lines only if domains = local, <domain.com> will be 
#       used in the [sssd] stanza.
#[domain/LOCAL]
#enumerate = TRUE
#min_id = 1000
#max_id = 1999
#id_provider = local
#auth_provider = local

[domain/<domain.com>]
dns_discovery_domain = <domain.com>
id_provider = ad
auth_provider = ad
access_provider = ad
## Only uncomment the next line if logon is slow.
##ignore_group_members = true

# Allow Domain Admins
ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=<domain>,DC=<com>)

default_shell = /bin/bash
override_homedir = /home/%d/%u

# Permits offline logins:
cache_credentials = true

# Use when service discovery not working:
# ad_server = srdc3.<domain.com>

#ldap_id_mapping = true

[nss]
filter_groups = root
filter_users = root
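A check worth running before the chmod and start steps that follow. The script below is an added example, not part of the original page: it parses a constructed sssd.conf modelled on the file above (RHEL7 [sssd] stanza uncommented, example.com assumed in place of the placeholders) and reports the settings that matter most for access control: a domain listed in [sssd] without its section, a missing access_provider (SSSD defaults to permit), an ad provider without ad_access_filter, an ad_access_filter that is ignored because the provider is not ad, and a file mode looser than 0600.

```python
import configparser
import stat

# Constructed sssd.conf based on the file above (RHEL7 [sssd] stanza
# uncommented, placeholders filled with example.com); not a real deployment.
SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam, pac

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
# Allow Domain Admins
ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=example,DC=com)
override_homedir = /home/%d/%u
cache_credentials = true

[nss]
filter_users = root
"""

def lint_sssd_conf(text, mode=0o600):
    """Return a list of findings; empty means clean. `mode` is the file's st_mode."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %d/%u literal
    cp.read_string(text)
    findings = []
    if stat.S_IMODE(mode) & 0o077:
        findings.append("sssd.conf readable by group/other; expected mode 0600")
    domains = [d.strip() for d in
               cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        findings.append("[sssd] domains is empty; no identity domain will load")
    for name in domains:
        sec = f"domain/{name}"           # exact-match check on the section name
        if not cp.has_section(sec):
            findings.append(f"domains lists '{name}' but [{sec}] is missing")
            continue
        access = cp.get(sec, "access_provider", fallback="permit")
        if access == "permit":           # SSSD default: every domain user may log in
            findings.append(f"[{sec}] has no access_provider (defaults to permit)")
        if access == "ad" and not cp.has_option(sec, "ad_access_filter"):
            findings.append(f"[{sec}] access_provider=ad without ad_access_filter: "
                            "any enabled domain account can log in")
        if access != "ad" and cp.has_option(sec, "ad_access_filter"):
            findings.append(f"[{sec}] ad_access_filter is ignored unless "
                            "access_provider = ad")
    return findings
```

On a live host, pass open("/etc/sssd/sssd.conf").read() and os.stat("/etc/sssd/sssd.conf").st_mode to lint_sssd_conf; a non-empty list means the file should be corrected before sssd is started.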

Start SSSD

  1. Change the file permissions for /etc/sssd/sssd.conf
    1. # chmod 600 /etc/sssd/sssd.conf
  2. Start the SSSD daemon
    1. RHEL6:
      1. # service sssd start
    2. RHEL7:
      1. # systemctl restart sssd
    3. UBUNTU:
      1. $ sudo start sssd
  3. Enable the SSSD daemon on boot
    1. RHEL6:
      1. # chkconfig sssd on
    2. RHEL7:
      1. # systemctl enable sssd
    3. UBUNTU: Nothing further to configure.

Further Reading