SSSD/Kerberos/LDAP Authentication: Difference between revisions

No edit summary
 
(47 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Install Required Packages==
==Install Required Packages==
#'''RHEL6:''' Install the following packages.
# Install the following packages.
##<tt>'''# yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel'''</tt>
#: '''RHEL6:'''
#'''RHEL7:''' Install the following packages
#:: <tt>'''# yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel'''</tt>
##<tt>'''# yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel'''</tt>
#: '''RHEL7:'''
#'''UBUNTU:''' Install the following packages
#:: <tt>'''# yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel'''</tt>
##<tt>'''$ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules'''</tt>
#: '''UBUNTU:'''
#::<tt>'''$ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules'''</tt>


==Configure Kerberos==
==Configure Kerberos==
#Gather the list of KDCs for the realm, the KDCs are bold italic.
# Gather the list of KDCs for the realm, the KDCs are bold italic.
##<tt>'''# nslookup -type=SRV _kerberos._tcp.<domain.com>'''</tt>
#: <tt>'''# nslookup -type=SRV _kerberos._tcp.<domain.com>'''</tt>
###:Output of previous command:
##: Output of previous command:
###:<tt>Server:        <ip address>
###:<tt>Server:        <ip address>
###:Address:        <ip address>#53
###:Address:        <ip address>#53
###:<br />_kerberos._tcp.<domain in lowercase>        service = 0 100 88 '''''dc1.<domain.com>'''''.
###:<br />_kerberos._tcp.<domain in lowercase>        service = 0 100 88 '''''<dc1.domain.com>'''''.
###:_kerberos._tcp.<domain in lowercase>        service = 0 100 88 '''''dc2.<domain.com>'''''.
###:_kerberos._tcp.<domain in lowercase>        service = 0 100 88 '''''<dc2.domain.com>'''''.
###:_kerberos._tcp.<domain in lowercase>        service = 0 100 88 '''''dc3.<domain.com>'''''.
###:_kerberos._tcp.<domain in lowercase>        service = 0 100 88 '''''<dc3.domain.com>'''''.
###:_kerberos._tcp.<domain in lowercase>        service = 0 100 88 '''''dc4.<domain.com>'''''.</tt>
###:_kerberos._tcp.<domain in lowercase>        service = 0 100 88 '''''<dc4.domain.com>'''''.</tt>
#Create a backup of the /etc/krb5.conf file.
#Create a backup of the /etc/krb5.conf file.
##<tt>'''# cp -p /etc/krb5.conf{,.bak}'''</tt>
##<tt>'''# cp -p /etc/krb5.conf{,.bak}'''</tt>
##Modify the /etc/krb5.conf file as follows, changes are bold italic.
##Modify the /etc/krb5.conf file as follows, changes are bold italic.
###:<tt>[logging]
###:<tt>[logging]
###: default = FILE:/var/log/krb5libs.log
###:&nbsp;default = FILE:/var/log/krb5libs.log
###: kdc = FILE:/var/log/krb5kdc.log
###:&nbsp;kdc = FILE:/var/log/krb5kdc.log
###: admin_server = FILE:/var/log/kadmind.log
###:&nbsp;admin_server = FILE:/var/log/kadmind.log
###:<br />[libdefaults]
###:<br />[libdefaults]
###: default_realm = '''''<DOMAIN.COM>'''''
###:&nbsp;default_realm = '''''<DOMAIN.COM>'''''
###: dns_lookup_realm = false
###:&nbsp;dns_lookup_realm = false
###: dns_lookup_kdc = false
###:&nbsp;dns_lookup_kdc = false
###: ticket_lifetime = 24h
###:&nbsp;ticket_lifetime = 24h
###: renew_lifetime = 7d
###:&nbsp;renew_lifetime = 7d
###: forwardable = true
###:&nbsp;forwardable = true
###:<br />[realms]
###:<br />[realms]
###: '''''<DOMAIN.COM>''''' = {
###:&nbsp;'''''<DOMAIN.COM>''''' = {
###: '''''kdc = dc1.<DOMAIN.COM>'''''
###:&nbsp;&nbsp;'''''kdc = dc1.<DOMAIN.COM>'''''
###: '''''kdc = dc2.<DOMAIN.COM>'''''
###:&nbsp;&nbsp;'''''kdc = dc2.<DOMAIN.COM>'''''
###: '''''kdc = dc3.<DOMAIN.COM>'''''
###:&nbsp;&nbsp;'''''kdc = dc3.<DOMAIN.COM>'''''
###: '''''kdc = dc4.<DOMAIN.COM>'''''
###:&nbsp;&nbsp;'''''kdc = dc4.<DOMAIN.COM>'''''
###: admin_server = '''''<DOMAIN.COM>'''''
###:&nbsp;&nbsp;admin_server = '''''<DOMAIN.COM>'''''
###: }
###: }
###:<br />[domain_realm]
###:<br />[domain_realm]
###: '''''.<domain.com> = <DOMAIN.COM>'''''
###:&nbsp;'''''.<domain.com> = <DOMAIN.COM>'''''
###: '''''<domain.com> = <DOMAIN.COM>'''''</tt>
###:&nbsp;'''''<domain.com> = <DOMAIN.COM>'''''</tt>


==Configure Samba==
==Configure Samba==
Line 110: Line 111:
#Verify the keytab
#Verify the keytab
##<tt>'''# klist -k'''</tt>
##<tt>'''# klist -k'''</tt>
The output should be similar to:
###:<tt>The output should be similar to:
Keytab name: FILE:/etc/krb5.keytab
###:Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
###:KVNO Principal
---- --------------------------------------------------------------------------
###:---- --------------------------------------------------------------------------
  2 host/<servername.domain.com@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 host/<servername.domain.com@DOMAIN.COM>
  2 host/<servername.domain.com@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 host/<servername.domain.com@DOMAIN.COM>
  2 host/<servername.domain.com@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 host/<servername.domain.com@DOMAIN.COM>
  2 host/<servername.domain.com@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 host/<servername.domain.com@DOMAIN.COM>
  2 host/<servername.domain.com@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 host/<servername.domain.com@DOMAIN.COM>
  2 host/<SERVERNAME@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 host/<SERVERNAME@DOMAIN.COM>
  2 host/<SERVERNAME@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 host/<SERVERNAME@DOMAIN.COM>
  2 host/<SERVERNAME@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 host/<SERVERNAME@DOMAIN.COM>
  2 host/<SERVERNAME@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 host/<SERVERNAME@DOMAIN.COM>
  2 host/<SERVERNAME@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 host/<SERVERNAME@DOMAIN.COM>
  2 <SERVERNAME$@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 <SERVERNAME$@DOMAIN.COM>
  2 <SERVERNAME$@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 <SERVERNAME$@DOMAIN.COM>
  2 <SERVERNAME$@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 <SERVERNAME$@DOMAIN.COM>
  2 <SERVERNAME$@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 <SERVERNAME$@DOMAIN.COM>
  2 <SERVERNAME$@DOMAIN.COM>
###:&nbsp;&nbsp;&nbsp;2 <SERVERNAME$@DOMAIN.COM></tt>
#Obtain a Kerberos ticket using keytab in capitals.
3. Obtain a Kerberos ticket using keytab in capitals.
##<tt>'''kinit -k <server name>$'''</tt>
# kinit -k <server name>$
#Verify the new default principal, it will have changed from <admin account> to <server name>
##<tt>'''# klist'''</tt>
4. Verify the new default principal, it will have changed from <admin account> to <server name>
###The output should be similar to, note the output in bold italic:
####:<tt>Ticket cache: FILE:/tmp/krb5cc_0
####:Default principal: '''''<SERVERNAME>$'''''@<DOMAIN.COM>
####:<br />Valid starting&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Expires&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Service principal
####:03/31/16 07:17:39&nbsp;&nbsp;03/31/16 17:17:35&nbsp;&nbsp;krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
####:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;renew until 04/07/16 07:17:39</tt>
 
==Verify LDAP==
#Verify that LDAP returns the sAMAccountNames
##<tt>'''# ldapsearch -o ldif-wrap=140 -H ldap://<dc1.domain.com> -Y GSSAPI -N -b DC=<domain>,DC=<com> "memberOf=CN=Domain Admins,CN=Users,DC=<domain>,DC=<com>" | grep sAMAccountName'''</tt>
 
==Configure SSSD Authentication==
#'''RHEL6 & RHEL7:''' Configure pam and nsswitch.
##<tt>'''# authconfig --enablesssdauth --enablesssd --enablemkhomedir --update'''</tt>
##'''Note:''' this may start the oddjobd daemon.
#'''UBUNTU:''' The install of the packages will set this information, nothing more is needed.
===Enable oddjobd service===
#'''RHEL6:''' Enable startup on boot
##<tt>'''# chkconfig oddjobd on'''</tt>
#'''RHEL7:''' Enable startup on boot
##<tt>'''# systemctl enable oddjobd.service</tt>'''
 
==SSSD configuration==
#Create a backup of /etc/sssd/sssd.conf if it exists (most likely not).
##<tt>'''# cp -p /etc/sssd/sssd.conf{,.bak}'''</tt>
#Create the configuration file as follows:
<pre>#RHEL6: Uncomment the following lines:
#[sssd]
#config_file_version = 2
#debug_level = 0
##domains = local, <domain.com>
#domains = <domain.com>
#services = nss, pam
#reconnection_retries = 3
 
#RHEL7: Uncomment the following lines:
#[sssd]
#config_file_version = 2
#debug_level = 0
##domains = local, <domain.com>
#domains = <domain.com>
#services = nss, pam, pac
#reconnection_retries = 3
 
[domain/default]
ldap_referrals = false
 
#RHEL6: Uncomment the following lines only if domains = local, <domain.com> will be
#      used in the [sssd] stanza.
#[domain/LOCAL]
#enumerate = TRUE
#min_id = 500
#max_id = 999
#id_provider = local
#auth_provider = local
 
#RHEL7: Uncomment the following lines only if domains = local, <domain.com> will be
#      used in the [sssd] stanza.
#[domain/LOCAL]
#enumerate = TRUE
#min_id = 1000
#max_id = 1999
#id_provider = local
#auth_provider = local
 
#UBUNTU: Uncomment the following lines only if domains = local, <domain.com> will be
#      used in the [sssd] stanza.
#[domain/LOCAL]
#enumerate = TRUE
#min_id = 1000
#max_id = 1999
#id_provider = local
#auth_provider = local
 
[domain/<domain.com>]
dns_discovery_domain = <domain.com>
id_provider = ad
auth_provider = ad
access_provider = ad
## Only uncomment the next line if logon is slow.
##ignore_group_members = true
# Allow Domain Admins
ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com)
 
default_shell = /bin/bash
override_homedir = /home/%d/%u
# Permits offline logins:
cache_credentials = true
# Use when service discovery not working:
# ad_server = srdc3.<domain.com>
#ldap_id_mapping = true
[nss]
filter_groups = root
 
filter_users = root</pre>
===Start SSSD===
#Change the file permissions for /etc/sssd/sssd.conf
##<tt>'''# chmod 600 /etc/sssd/sssd.conf'''</tt>
#Start the SSSD daemon
##'''RHEL6:'''
###<tt>'''# service sssd start</tt>
##'''RHEL7:'''
###<tt>'''# systemctl restart sssd</tt>
##'''UBUNTU:'''
###<tt>'''$ sudo start sssd</tt>
#Enable the SSSD daemon on boot
##'''RHEL6:'''
###<tt>'''# chkconfig sssd on</tt>
##'''RHEL7:'''
###<tt>'''# systemctl enable sssd</tt>
##'''UBUNTU:''' Nothing further to configure.
 
== Further Reading ==


# klist
[[Category:Linux]]
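Review bot: `ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com)` in the new sssd.conf listing hard-codes `DC=domain,DC=com` where every other line of the page uses `<domain>`/`<domain.com>` placeholders, and the ldapsearch step just above already writes the same DN as `DC=<domain>,DC=<com>`; a reader who pastes the stanza verbatim most likely gets an access filter that matches no group, so AD logins are denied, and the filter no longer corresponds to what the "Verify LDAP" step tested. Suggest `ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=<domain>,DC=<com>)` with a comment line above it, `# Keep this DN identical to the group queried in the "Verify LDAP" step`. Separately, the bare `# klist` under `== Further Reading ==` reads as a leftover rather than content; if it is meant as a command it belongs with the verification steps earlier in the page.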

Latest revision as of 14:54, 29 January 2022

Install Required Packages

  1. Install the following packages.
    RHEL6:
    # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel
    RHEL7:
    # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel
    UBUNTU:
    $ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules

Configure Kerberos

  1. Gather the list of KDCs for the realm; the KDCs are shown in bold italic.
    # nslookup -type=SRV _kerberos._tcp.<domain.com>
    1. Output of previous command:
      1. Server: <ip address>
        Address: <ip address>#53

        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc1.domain.com>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc2.domain.com>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc3.domain.com>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc4.domain.com>.
  2. Create a backup of the /etc/krb5.conf file.
    1. # cp -p /etc/krb5.conf{,.bak}
    2. Modify the /etc/krb5.conf file as follows; changes are in bold italic.
      1. [logging]
         default = FILE:/var/log/krb5libs.log
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmind.log

        [libdefaults]
         default_realm = <DOMAIN.COM>
         dns_lookup_realm = false
         dns_lookup_kdc = false
         ticket_lifetime = 24h
         renew_lifetime = 7d
         forwardable = true

        [realms]
         <DOMAIN.COM> = {
          kdc = dc1.<DOMAIN.COM>
          kdc = dc2.<DOMAIN.COM>
          kdc = dc3.<DOMAIN.COM>
          kdc = dc4.<DOMAIN.COM>
          admin_server = <DOMAIN.COM>
        }

        [domain_realm]
         .<domain.com> = <DOMAIN.COM>
         <domain.com> = <DOMAIN.COM>

Configure Samba

  1. Create a backup of the /etc/samba/smb.conf file.
    1. # cp -p /etc/samba/smb.conf{,.bak}
  2. Modify the /etc/samba/smb.conf file as follows; changes are in bold italic.
    1. [global]
             workgroup = <DOMAIN>
      ;      server string = Samba Server Version %v
              .
              .
      ;      security = user
      ;      passdb backend = tdbsam
              .
              .
             client signing = yes
             client use spnego = yes
             kerberos method = secrets and keytab
             security = ads
             passdb backend = tdbsam
             realm = <DOMAIN.COM>
              .
              .
      ;      load printers = yes
      ;      cups options = raw
              .
              .
      ;[printers]
      ;      comment = All Printers
      ;      path = /var/spool/samba
      ;      browseable = no
      ;      guest ok = no
      ;      writable = no
      ;      printable = yes
  3. Verify the Samba configuration.
    1. # testparm
  4. The output should be similar to
    1. [global]
             workgroup = <DOMAIN>
             realm = <DOMAIN.COM>
             security = ADS
             kerberos method = secrets and keytab
             log file = /var/log/samba/log.%m
             max log size = 50
             client signing = required
             idmap config * : backend = tdb
             
      [homes]
             comment = Home Directories
             read only = No
             browseable = No

Kerberos Ticket

  1. Obtain and verify a new ticket using the new Kerberos configuration.
    1. # kinit <admin account>
      1. Enter the password.
  2. Verify the ticket
    1. # klist
      1. The output should be similar to:
        1. Ticket cache: FILE:/tmp/krb5cc_0
          Default principal: <admin account>@<DOMAIN.COM>

          Valid starting     Expires            Service principal
          03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
                   renew until 04/07/16 07:17:39

Register Server with Active Directory

  1. Join AD and obtain a keytab
    1. # net ads join -k createcomputer="Computer-Groups/Servers/Linux"
  2. Verify the keytab
    1. # klist -k
      1. The output should be similar to:
        Keytab name: FILE:/etc/krb5.keytab
        KVNO Principal
        ---- --------------------------------------------------------------------------
           2 host/<servername.domain.com@DOMAIN.COM>
           2 host/<servername.domain.com@DOMAIN.COM>
           2 host/<servername.domain.com@DOMAIN.COM>
           2 host/<servername.domain.com@DOMAIN.COM>
           2 host/<servername.domain.com@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 <SERVERNAME$@DOMAIN.COM>
           2 <SERVERNAME$@DOMAIN.COM>
           2 <SERVERNAME$@DOMAIN.COM>
           2 <SERVERNAME$@DOMAIN.COM>
           2 <SERVERNAME$@DOMAIN.COM>
  3. Obtain a Kerberos ticket using the keytab; note that the server name is in capitals.
    1. kinit -k <server name>$
  4. Verify the new default principal, it will have changed from <admin account> to <server name>
    1. # klist
      1. The output should be similar to, note the output in bold italic:
        1. Ticket cache: FILE:/tmp/krb5cc_0
          Default principal: <SERVERNAME>$@<DOMAIN.COM>

          Valid starting     Expires            Service principal
          03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
                   renew until 04/07/16 07:17:39

Verify LDAP

  1. Verify that LDAP returns the sAMAccountNames
    1. # ldapsearch -o ldif-wrap=140 -H ldap://<dc1.domain.com> -Y GSSAPI -N -b DC=<domain>,DC=<com> "memberOf=CN=Domain Admins,CN=Users,DC=<domain>,DC=<com>" | grep sAMAccountName

Configure SSSD Authentication

  1. RHEL6 & RHEL7: Configure pam and nsswitch.
    1. # authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
    2. Note: this may start the oddjobd daemon.
  2. UBUNTU: Installing the packages configures this; nothing more is needed.

Enable oddjobd service

  1. RHEL6: Enable startup on boot
    1. # chkconfig oddjobd on
  2. RHEL7: Enable startup on boot
    1. # systemctl enable oddjobd.service

SSSD configuration

  1. Create a backup of /etc/sssd/sssd.conf if it exists (most likely not).
    1. # cp -p /etc/sssd/sssd.conf{,.bak}
  2. Create the configuration file as follows:
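# /etc/sssd/sssd.conf template. Replace every <placeholder> before use and
# uncomment exactly one [sssd] stanza (and at most one [domain/LOCAL] stanza)
# for the target distribution. sssd treats '#' and ';' as full-line comment
# markers; do not append comments after a value.
# The "Start SSSD" step sets this file to mode 0600; keep it root-owned and
# 0600, since sssd checks ownership and permissions when it starts.

#RHEL6: Uncomment the following lines:
#[sssd]
#config_file_version = 2
#debug_level = 0
##domains = local, <domain.com>
#domains = <domain.com>
#services = nss, pam
#reconnection_retries = 3

#RHEL7: Uncomment the following lines:
#[sssd]
#config_file_version = 2
#debug_level = 0
##domains = local, <domain.com>
#domains = <domain.com>
#services = nss, pam, pac
#reconnection_retries = 3

# NOTE(review): "default" is not named in any domains = line above, so this
# stanza is presumably never activated -- confirm it is intentional.
[domain/default]
ldap_referrals = false

#RHEL6: Uncomment the following lines only if domains = local, <domain.com> will be
#       used in the [sssd] stanza.
#[domain/LOCAL]
#enumerate = TRUE
#min_id = 500
#max_id = 999
#id_provider = local
#auth_provider = local

#RHEL7: Uncomment the following lines only if domains = local, <domain.com> will be
#       used in the [sssd] stanza.
#[domain/LOCAL]
#enumerate = TRUE
#min_id = 1000
#max_id = 1999
#id_provider = local
#auth_provider = local

#UBUNTU: Uncomment the following lines only if domains = local, <domain.com> will be
#       used in the [sssd] stanza.
#[domain/LOCAL]
#enumerate = TRUE
#min_id = 1000
#max_id = 1999
#id_provider = local
#auth_provider = local

# Active Directory domain: identity, authentication and access control all
# come from AD. Domain controllers are discovered through DNS for
# dns_discovery_domain unless ad_server is set explicitly below.
[domain/<domain.com>]
dns_discovery_domain = <domain.com>
id_provider = ad
auth_provider = ad
access_provider = ad
## Only uncomment the next line if logon is slow.
##ignore_group_members = true

# Allow Domain Admins only. Keep this DN identical to the group queried in
# the "Verify LDAP" ldapsearch step: a filter that matches no user denies
# every AD login, and a broader one widens who may log in to this host.
ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=<domain>,DC=<com>)

default_shell = /bin/bash
# %d expands to the domain name and %u to the login name.
override_homedir = /home/%d/%u

# Permits offline logins: sssd keeps a local copy of credential material for
# users who have already logged in. Set to false if offline logins are not
# required on this host.
cache_credentials = true

# Use when service discovery not working:
# NOTE(review): "srdc3" does not follow the dc1..dc4 naming used elsewhere on
# this page -- confirm the host name before uncommenting.
# ad_server = srdc3.<domain.com>

#ldap_id_mapping = true

# Never resolve root through sssd, so the local account always wins.
[nss]
filter_groups = root

filter_users = root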

Start SSSD

  1. Change the file permissions for /etc/sssd/sssd.conf
    1. # chmod 600 /etc/sssd/sssd.conf
  2. Start the SSSD daemon
    1. RHEL6:
      1. # service sssd start
    2. RHEL7:
      1. # systemctl restart sssd
    3. UBUNTU:
      1. $ sudo start sssd
  3. Enable the SSSD daemon on boot
    1. RHEL6:
      1. # chkconfig sssd on
    2. RHEL7:
      1. # systemctl enable sssd
    3. UBUNTU: Nothing further to configure.

Further Reading