SSSD/Kerberos/LDAP Authentication
Latest revision as of 14:54, 29 January 2022
Install Required Packages
- Install the following packages.
- RHEL6:
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel
- RHEL7:
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel
- UBUNTU:
- $ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules
- Note: ntp is not optional. Kerberos rejects requests whose timestamp is more than five minutes (the AD default) away from the KDC clock, and a drifted clock is the usual cause of "Clock skew too great" at kinit or at the join. If nscd is installed, turn off its passwd, group and netgroup caches (enable-cache passwd no, and so on, in /etc/nscd.conf): SSSD keeps its own cache, and a second cache in front of it keeps disabled or changed AD accounts resolvable until nscd's TTL expires.
Configure Kerberos
- Gather the list of KDCs for the realm. Every domain controller registers a _kerberos._tcp SRV record; the KDC host names are the SRV targets (dc1 to dc4 in the sample output), and the four numbers before each target are priority, weight and port (88).
- # nslookup -type=SRV _kerberos._tcp.<domain.com>
- Output of previous command:
    Server:   <ip address>
    Address:  <ip address>#53

    _kerberos._tcp.<domain in lowercase>  service = 0 100 88 <dc1.domain.com>.
    _kerberos._tcp.<domain in lowercase>  service = 0 100 88 <dc2.domain.com>.
    _kerberos._tcp.<domain in lowercase>  service = 0 100 88 <dc3.domain.com>.
    _kerberos._tcp.<domain in lowercase>  service = 0 100 88 <dc4.domain.com>.
- Create a backup of the /etc/krb5.conf file.
- # cp -p /etc/krb5.conf{,.bak}
- Modify the /etc/krb5.conf file as follows. The lines to change are default_realm, the whole <DOMAIN.COM> entry under [realms] (one kdc line per SRV target found above) and the two [domain_realm] mappings; the realm name is the DNS domain in upper case.
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = <DOMAIN.COM>
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     <DOMAIN.COM> = {
      kdc = <dc1.domain.com>
      kdc = <dc2.domain.com>
      kdc = <dc3.domain.com>
      kdc = <dc4.domain.com>
      admin_server = <DOMAIN.COM>
     }

    [domain_realm]
     .<domain.com> = <DOMAIN.COM>
     <domain.com> = <DOMAIN.COM>
- Note: with dns_lookup_kdc = false the client uses only the KDCs listed here, so the list has to be maintained by hand when domain controllers are added or retired; setting it to true lets libkrb5 follow the SRV records instead. forwardable = true marks every TGT issued on this host as forwardable, so a client that delegates (ssh with GSSAPIDelegateCredentials, for example) hands a usable copy of the user's TGT to the remote host; set it to false unless users on this host need to delegate their credentials onward.
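The [realms] stanza above is assembled by hand from the SRV answers. As an added example, not part of the original page, the following POSIX shell does that step mechanically: it reads nslookup output in the format shown, orders the targets by SRV priority and weight, lower-cases and de-dots the host names, and prints the stanza. The sample answer (example.com, three DCs) is constructed for the example, and passing a specific DC as admin_server is the example's choice, not the page's.

```shell
#!/bin/sh
# Added example (not from the original page): turn the SRV answers for
# _kerberos._tcp.<domain> into the [realms] stanza of /etc/krb5.conf.
# Assumptions: input is in the "nslookup -type=SRV" format shown above;
# the realm name and admin_server are passed in as arguments.

# srv_to_kdc_lines < nslookup_output
# Prints one "kdc = host" line per SRV target, ordered by priority, then by
# descending weight.  The trailing dot is stripped and the name lower-cased:
# DNS is case-insensitive, but a consistent lower-case FQDN matches the SRV
# data and the host/<fqdn> service principals in the keytab.
srv_to_kdc_lines() {
    awk '
        $2 == "service" && $3 == "=" {
            # fields: name service = priority weight port target.
            sub(/\.$/, "", $7)
            printf "%d %d %s\n", $4, -$5, tolower($7)
        }
    ' | sort -k1,1n -k2,2n | awk '{ print "  kdc = " $3 }'
}

# realms_stanza REALM ADMIN_SERVER < nslookup_output
realms_stanza() {
    realm=$1
    admin=$2
    printf '[realms]\n %s = {\n' "$realm"
    srv_to_kdc_lines
    printf '  admin_server = %s\n }\n' "$admin"
}

# Constructed sample answer, shaped like the page's nslookup output:
# two DCs at priority 0 and one lower-priority (10) DC with a mixed-case name.
SAMPLE_SRV='Server:   10.0.0.53
Address:  10.0.0.53#53

_kerberos._tcp.example.com   service = 0 100 88 dc2.example.com.
_kerberos._tcp.example.com   service = 0 100 88 dc1.example.com.
_kerberos._tcp.example.com   service = 10 50 88 DC3.example.com.'

# Stand-alone run: print the stanza for the sample.
printf '%s\n' "$SAMPLE_SRV" | realms_stanza EXAMPLE.COM dc1.example.com
```

Re-run the lookup and regenerate the stanza whenever domain controllers change; with dns_lookup_kdc = false nothing else will notice a retired DC, and the KDC list is what libkrb5 trusts.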
Configure Samba
- Create a backup of the /etc/samba/smb.conf file.
- # cp -p /etc/samba/smb.conf{,.bak}
- Modify the /etc/samba/smb.conf file as follows. The lines to change are workgroup and the block from client signing to realm; the ";" lines are existing commented entries shown for orientation and the "." lines stand for unchanged parts of the file.
    [global]
     workgroup = <DOMAIN>
    ; server string = Samba Server Version %v
    .
    .
    ; security = user
    ; passdb backend = tdbsam
    .
    .
     client signing = yes
     client use spnego = yes
     kerberos method = secrets and keytab
     security = ads
     passdb backend = tdbsam
     realm = <DOMAIN.COM>
    .
    .
    ; load printers = yes
    ; cups options = raw
    .
    .
    ;[printers]
    ; comment = All Printers
    ; path = /var/spool/samba
    ; browseable = no
    ; guest ok = no
    ; writable = no
    ; printable = yes
- workgroup is the short (NetBIOS) domain name and realm the Kerberos realm. kerberos method = secrets and keytab is what makes the join below write the machine account's keys to /etc/krb5.keytab; with the default (secrets only) no keytab is produced and kinit -k later on has nothing to use.
- Verify the Samba configuration.
- # testparm
- The output should be similar to
    [global]
     workgroup = <DOMAIN>
     realm = <DOMAIN.COM>
     security = ADS
     kerberos method = secrets and keytab
     log file = /var/log/samba/log.%m
     max log size = 50
     client signing = required
     idmap config * : backend = tdb

    [homes]
     comment = Home Directories
     read only = No
     browseable = No
Kerberos Ticket
- Obtain and verify a new ticket using the new Kerberos configuration. <admin account> is an AD account allowed to create computer objects in the target OU; it does not have to be a Domain Admin.
- # kinit <admin account>
- Enter the password.
- Verify the ticket
- # klist
- The output should be similar to:
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: <admin account>@<DOMAIN.COM>

    Valid starting     Expires            Service principal
    03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
            renew until 04/07/16 07:17:39
Register Server with Active Directory
- Join AD and obtain a keytab. -k authenticates the join with the admin account's Kerberos ticket from the previous step instead of prompting for a password; createcomputer= names the OU, read from the domain root downwards, in which the computer object is created.
- # net ads join -k createcomputer="Computer-Groups/Servers/Linux"
- Verify the keytab. The join writes the machine account's keys to /etc/krb5.keytab: a host/ service principal in both FQDN and short form plus the <SERVERNAME>$ account principal, with one entry per encryption type (five in this example). The file is the host's long-term credential and must stay readable by root only; ls -l /etc/krb5.keytab should show -rw------- root root.
- # klist -k
- The output should be similar to:
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 host/<servername.domain.com>@<DOMAIN.COM>
       2 host/<servername.domain.com>@<DOMAIN.COM>
       2 host/<servername.domain.com>@<DOMAIN.COM>
       2 host/<servername.domain.com>@<DOMAIN.COM>
       2 host/<servername.domain.com>@<DOMAIN.COM>
       2 host/<SERVERNAME>@<DOMAIN.COM>
       2 host/<SERVERNAME>@<DOMAIN.COM>
       2 host/<SERVERNAME>@<DOMAIN.COM>
       2 host/<SERVERNAME>@<DOMAIN.COM>
       2 host/<SERVERNAME>@<DOMAIN.COM>
       2 <SERVERNAME>$@<DOMAIN.COM>
       2 <SERVERNAME>$@<DOMAIN.COM>
       2 <SERVERNAME>$@<DOMAIN.COM>
       2 <SERVERNAME>$@<DOMAIN.COM>
       2 <SERVERNAME>$@<DOMAIN.COM>
- Obtain a Kerberos ticket from the keytab. The machine principal is the upper-case host name followed by $, exactly as listed by klist -k.
- # kinit -k <SERVERNAME>$
- Verify the new default principal. kinit -k replaced the admin account's TGT in the credential cache with the machine account's, so the default principal changes from <admin account> to <SERVERNAME>$.
- # klist
- The output should be similar to:
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: <SERVERNAME>$@<DOMAIN.COM>

    Valid starting     Expires            Service principal
    03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
            renew until 04/07/16 07:17:39
Verify LDAP
- Verify that an LDAP search authenticated with the machine ticket (-Y GSSAPI) returns the sAMAccountNames of the group that will later be allowed to log in. -N stops ldapsearch from canonicalising the DC name through reverse DNS, so -H must name the DC by the host name its ldap/ service principal is registered under. The memberOf filter is the same one used in ad_access_filter below; an empty result here means nobody will be able to log in.
- # ldapsearch -o ldif-wrap=140 -H ldap://<dc1.domain.com> -Y GSSAPI -N -b DC=<domain>,DC=<com> "memberOf=CN=Domain Admins,CN=Users,DC=<domain>,DC=<com>" | grep sAMAccountName
Configure SSSD Authentication
- RHEL6 & RHEL7: Configure pam and nsswitch. --enablesssd points the passwd, group and shadow lookups in /etc/nsswitch.conf at sss, --enablesssdauth adds pam_sss to the PAM stacks, and --enablemkhomedir adds pam_oddjob_mkhomedir, which creates the home directory on first login through the oddjobd daemon.
- # authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
- Note: this may start the oddjobd daemon.
- UBUNTU: The install of the packages sets this up (the libpam-sss and libnss-sss packages update the PAM stacks and nsswitch.conf on installation); nothing more is needed.
Enable oddjobd service
- RHEL6: Enable startup on boot
- # chkconfig oddjobd on
- RHEL7: Enable startup on boot
- # systemctl enable oddjobd.service
SSSD configuration
- Create a backup of /etc/sssd/sssd.conf if it exists (most likely not).
- # cp -p /etc/sssd/sssd.conf{,.bak}
- Create the configuration file as follows. The [sssd] stanza is shown commented out once per OS; uncomment the one that applies (the only difference is the pac responder on RHEL7). Uncomment the optional [domain/LOCAL] stanza only if local SSSD users are wanted as well, and then list local in domains =.
    #RHEL6: Uncomment the following lines:
    #[sssd]
    #config_file_version = 2
    #debug_level = 0
    ##domains = local, <domain.com>
    #domains = <domain.com>
    #services = nss, pam
    #reconnection_retries = 3

    #RHEL7: Uncomment the following lines:
    #[sssd]
    #config_file_version = 2
    #debug_level = 0
    ##domains = local, <domain.com>
    #domains = <domain.com>
    #services = nss, pam, pac
    #reconnection_retries = 3

    [domain/default]
    ldap_referrals = false

    #RHEL6: Uncomment the following lines only if domains = local, <domain.com> will be
    # used in the [sssd] stanza.
    #[domain/LOCAL]
    #enumerate = TRUE
    #min_id = 500
    #max_id = 999
    #id_provider = local
    #auth_provider = local

    #RHEL7: Uncomment the following lines only if domains = local, <domain.com> will be
    # used in the [sssd] stanza.
    #[domain/LOCAL]
    #enumerate = TRUE
    #min_id = 1000
    #max_id = 1999
    #id_provider = local
    #auth_provider = local

    #UBUNTU: Uncomment the following lines only if domains = local, <domain.com> will be
    # used in the [sssd] stanza.
    #[domain/LOCAL]
    #enumerate = TRUE
    #min_id = 1000
    #max_id = 1999
    #id_provider = local
    #auth_provider = local

    [domain/<domain.com>]
    dns_discovery_domain = <domain.com>
    id_provider = ad
    auth_provider = ad
    access_provider = ad
    ## Only uncomment the next line if logon is slow.
    ##ignore_group_members = true
    # Allow Domain Admins
    ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=<domain>,DC=<com>)
    default_shell = /bin/bash
    override_homedir = /home/%d/%u
    # Permits offline logins:
    cache_credentials = true
    # Use when service discovery not working:
    # ad_server = srdc3.<domain.com>
    #ldap_id_mapping = true

    [nss]
    filter_groups = root
    filter_users = root
- access_provider = ad together with ad_access_filter restricts logins to members of the group named in the filter (here Domain Admins; substitute the group that should actually have shell access). Without an access_provider SSSD defaults to permit, which lets every AD user log in. memberOf matches direct members only, so nested group membership does not qualify.
- cache_credentials = true stores a salted hash of each successfully used password under /var/lib/sss/db so the user can still log in while the domain controllers are unreachable; that directory must stay root-only, and SSSD itself refuses to start unless /etc/sssd/sssd.conf is owned by root with mode 0600, which is why the next section sets it.
Start SSSD
- Change the file permissions for /etc/sssd/sssd.conf. SSSD refuses to start unless the file is owned by root and readable by nobody else.
- # chmod 600 /etc/sssd/sssd.conf
- Start the SSSD daemon
- RHEL6:
- # service sssd start
- RHEL7:
- # systemctl restart sssd
- UBUNTU:
- $ sudo start sssd (the upstart form; on systemd releases use sudo systemctl restart sssd)
- Enable the SSSD daemon on boot
- RHEL6:
- # chkconfig sssd on
- RHEL7:
- # systemctl enable sssd
- UBUNTU: Nothing further to configure.
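The two places where a mistake silently widens access are the sssd.conf written in the SSSD configuration section (a forgotten access_provider, a commented-out [sssd] stanza) and the permission step above. As an added example, not part of the original page, the following POSIX shell runs those checks against a file before the daemon is started. It assumes the [sssd], [domain/<name>] and [nss] layout shown above, GNU stat (with a BSD fallback), and a file path argument so it can be run against a staged copy; the embedded sample configuration is constructed, with example.com standing in for <domain.com>.

```shell
#!/bin/sh
# Added example, not part of the original page: pre-flight checks for an
# /etc/sssd/sssd.conf written the way the page describes.  Assumptions: the
# file uses the [sssd], [domain/<name>] and [nss] sections shown above, and
# the path is passed as an argument.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION],
# ignoring commented-out lines; prints nothing when the key is unset.
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { h = $0; gsub(/[ \t]/, "", h); insec = (h == want); next }
        insec && $0 !~ /^[ \t]*#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# has_section FILE SECTION: exit 0 if an uncommented [SECTION] header exists.
has_section() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { h = $0; gsub(/[ \t]/, "", h); if (h == want) found = 1 }
        END { exit !found }' "$1"
}

# check_sssd_conf FILE: print one FAIL/WARN line per finding and return the
# number of FAIL findings, so 0 means the file is safe to start SSSD with.
check_sssd_conf() {
    f=$1
    fails=0
    # SSSD itself refuses to start unless the file is root-owned and 0600.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $mode in
        600|400) ;;
        *) echo "FAIL: $f has mode $mode, SSSD requires 0600"; fails=$((fails + 1)) ;;
    esac
    # The page ships the [sssd] stanza commented out; it must be live.
    domains=$(conf_get "$f" sssd domains)
    if [ -z "$domains" ]; then
        echo "FAIL: no uncommented 'domains =' line in [sssd]"
        fails=$((fails + 1))
    fi
    for d in $(printf '%s' "$domains" | tr ',' ' '); do
        sec="domain/$d"
        if ! has_section "$f" "$sec"; then
            echo "FAIL: [sssd] lists $d but there is no [$sec] section"
            fails=$((fails + 1))
            continue
        fi
        # Without an access_provider SSSD defaults to "permit": every AD
        # account that can authenticate gets a shell on this host.
        ap=$(conf_get "$f" "$sec" access_provider)
        case $ap in
            ""|permit)
                echo "FAIL: [$sec] access_provider is '${ap:-unset}' (permit): all AD users may log in"
                fails=$((fails + 1)) ;;
            ad)
                if [ -z "$(conf_get "$f" "$sec" ad_access_filter)" ]; then
                    echo "WARN: [$sec] access_provider = ad without ad_access_filter: only account status and GPO checks gate logins"
                fi ;;
        esac
        if [ "$(conf_get "$f" "$sec" cache_credentials)" = "true" ]; then
            echo "WARN: [$sec] caches password hashes in /var/lib/sss/db for offline logins"
        fi
    done
    return $fails
}

# Constructed sample: the page's configuration with the RHEL7 [sssd] stanza
# uncommented and example.com standing in for <domain.com>.
SAMPLE_CONF='[sssd]
config_file_version = 2
domains = example.com
services = nss, pam, pac

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=example,DC=com)
cache_credentials = true

[nss]
filter_users = root'

# Stand-alone run: stage the sample with the permissions the page sets.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
chmod 600 "$tmp"
check_sssd_conf "$tmp"
echo "fail count: $?"
rm -f "$tmp"
```

Run it as check_sssd_conf /etc/sssd/sssd.conf before the start step; a non-zero return means the daemon either will not start or will admit more than the intended group. After SSSD is up, getent passwd <user>@<domain.com> and id <user>@<domain.com> resolving through sss, and a login by a user outside the filter group being refused, confirm the access filter is doing its job.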