SSSD/Kerberos/LDAP Authentication
Jump to navigation
Jump to search
Install Required Packages
- Install the following packages.
- RHEL6:
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel
- RHEL7:
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel
- UBUNTU:
- $ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules
- RHEL6:
Configure Kerberos
- Gather the list of KDCs for the realm, the KDCs are bold italic.
- # nslookup -type=SRV _kerberos._tcp.<domain.com>
- Output of previous command:
- Server: <ip address>
- Address: <ip address>#53
_kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc1.domain.com>.- _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc2.domain.com>.
- _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc3.domain.com>.
- _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc4.domain.com>.
- Create a backup of the /etc/krb5.conf file.
- # cp -p /etc/krb5.conf{,.bak}
- Modify the /etc/krb5.conf file as follows, changes are bold italic.
- [logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
[libdefaults]- default_realm = <DOMAIN.COM>
- dns_lookup_realm = false
- dns_lookup_kdc = false
- ticket_lifetime = 24h
- renew_lifetime = 7d
- forwardable = true
[realms]- <DOMAIN.COM> = {
- kdc = dc1.<DOMAIN.COM>
- kdc = dc2.<DOMAIN.COM>
- kdc = dc3.<DOMAIN.COM>
- kdc = dc4.<DOMAIN.COM>
- admin_server = <DOMAIN.COM>
- }
[domain_realm]- .<domain.com> = <DOMAIN.COM>
- <domain.com> = <DOMAIN.COM>
Configure Samba
- Create a backup of the /etc/samba/smb.conf file.
- # cp -p /etc/samba/smb.conf{,.bak}
- Modify the /etc/samba/smb.conf file as follows, changes are are in bold italic.
- [global]
- workgroup = <DOMAIN>
- ; server string = Samba Server Version %v
- .
- .
- ; security = user
- ; passdb backend = tdbsam
- .
- .
- client signing = yes
- client use spnego = yes
- kerberos method = secrets and keytab
- security = ads
- passdb backend = tdbsam
- realm = <DOMAIN.COM>
- .
- .
- ; load printers = yes
- ; cups options = raw
- .
- .
- ;[printers]
- ; comment = All Printers
- ; path = /var/spool/samba
- ; browseable = no
- ; guest ok = no
- ; writable = no
- ; printable = yes
- Verify the Samba configuration.
- # testparm
- The output should be similar to
- [global]
- workgroup = <DOMAIN>
- realm = <DOMAIN.COM>
- security = ADS
- kerberos method = secrets and keytab
- log file = /var/log/samba/log.%m
- max log size = 50
- client signing = required
- idmap config * : backend = tdb
-
[homes] - comment = Home Directories
- read only = No
- browseable = No
Kerberos Ticket
- Obtain and verify a new ticket using the new Kerberos configuration.
- # kinit <admin account>
- Enter the password.
- # kinit <admin account>
- Verify the ticket
- ;# klist
- The output should be similar to:
- Ticket cache: FILE:/tmp/krb5cc_0
- Default principal: <admin account>@<DOMAIN.COM>
Valid starting Expires Service principal- 03/31/16 07:17:39 03/31/16 17:17:35 krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
- renew until 04/07/16 07:17:39
- The output should be similar to:
- ;# klist
Register Server with Active Directory
- Join AD and obtain a keytab
- # net ads join -k createcomputer="Computer-Groups/Servers/Linux"
- Verify the keytab
- # klist -k
- The output should be similar to:
- Keytab name: FILE:/etc/krb5.keytab
- KVNO Principal
- ---- --------------------------------------------------------------------------
- 2 host/<servername.domain.com@DOMAIN.COM>
- 2 host/<servername.domain.com@DOMAIN.COM>
- 2 host/<servername.domain.com@DOMAIN.COM>
- 2 host/<servername.domain.com@DOMAIN.COM>
- 2 host/<servername.domain.com@DOMAIN.COM>
- 2 host/<SERVERNAME@DOMAIN.COM>
- 2 host/<SERVERNAME@DOMAIN.COM>
- 2 host/<SERVERNAME@DOMAIN.COM>
- 2 host/<SERVERNAME@DOMAIN.COM>
- 2 host/<SERVERNAME@DOMAIN.COM>
- 2 <SERVERNAME$@DOMAIN.COM>
- 2 <SERVERNAME$@DOMAIN.COM>
- 2 <SERVERNAME$@DOMAIN.COM>
- 2 <SERVERNAME$@DOMAIN.COM>
- 2 <SERVERNAME$@DOMAIN.COM>
- # klist -k
- Obtain a Kerberos ticket using keytab in capitals.
- kinit -k <server name>$
- Verify the new default principal, it will have changed from <admin account> to <server name>
- # klist
- The output should be similar to, note the output in bold italic:
- Ticket cache: FILE:/tmp/krb5cc_0
- Default principal: <SERVERNAME>$@<DOMAIN.COM>
Valid starting Expires Service principal- 03/31/16 07:17:39 03/31/16 17:17:35 krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
- renew until 04/07/16 07:17:39
- The output should be similar to, note the output in bold italic:
- # klist
Verify LDAP
- Verify that LDAP returns the sAMAccountNames
- # ldapsearch -o ldif-wrap=140 -H ldap://<dc1.domain.com> -Y GSSAPI -N -b DC=<domain>,DC=<com> "memberOf=CN=Domain Admins,CN=Users,DC=<domain>,DC=<com>" | grep sAMAccountName
Configure SSSD Authentication
- RHEL6 & RHEL7: Configure pam and nsswitch.
- # authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
- Note: this may start the oddjobd daemon.
- UBUNTU: The install of the packages will set this information, nothing more is needed.
Enable oddjobd service
- RHEL6: Enable startup on boot
- # chkconfig oddjobd on
- RHEL7: Enable startup on boot
- # systemctl enable oddjobd.service
SSSD configuration
- Create a backup of /etc/sssd/sssd.conf if it exists (most likely not).
- # cp -p /etc/sssd/sssd.conf{,.bak}
- Create the configuration file as follows:
#RHEL6: Uncomment the following lines: #[sssd] #config_file_version = 2 #debug_level = 0 ##domains = local, <domain.com> #domains = <domain.com> #services = nss, pam #reconnection_retries = 3 #RHEL7: Uncomment the following lines: #[sssd] #config_file_version = 2 #debug_level = 0 ##domains = local, <domain.com> #domains = <domain.com> #services = nss, pam, pac #reconnection_retries = 3 [domain/default] ldap_referrals = false #RHEL6: Uncomment the following lines only if domains = local, <domain.com> will be # used in the [sssd] stanza. #[domain/LOCAL] #enumerate = TRUE #min_id = 500 #max_id = 999 #id_provider = local #auth_provider = local #RHEL7: Uncomment the following lines only if domains = local, <domain.com> will be # used in the [sssd] stanza. #[domain/LOCAL] #enumerate = TRUE #min_id = 1000 #max_id = 1999 #id_provider = local #auth_provider = local #UBUNTU: Uncomment the following lines only if domains = local, <domain.com> will be # used in the [sssd] stanza. #[domain/LOCAL] #enumerate = TRUE #min_id = 1000 #max_id = 1999 #id_provider = local #auth_provider = local [domain/<domain.com>] dns_discovery_domain = <domain.com> id_provider = ad auth_provider = ad access_provider = ad ## Only uncomment the next line if logon is slow. ##ignore_group_members = true # Allow Domain Admins ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com) default_shell = /bin/bash override_homedir = /home/%d/%u # Permits offline logins: cache_credentials = true # Use when service discovery not working: # ad_server = srdc3.<domain.com> #ldap_id_mapping = true [nss] filter_groups = root filter_users = root
Start SSSD
- Change the file permissions for /etc/sssd/sssd.conf
- # chmod 600 /etc/sssd/sssd.conf
- Start the SSSD daemon
- RHEL6:
- # service sssd start
- RHEL7:
- # systemctl restart sssd
- UBUNTU:
- $ sudo start sssd
- RHEL6:
- Enable the SSSD daemon on boot
- RHEL6:
- # chkconfig sssd on
- RHEL7:
- # systemctl enable sssd
- UBUNTU: Nothing further to configure.
- RHEL6: