SSSD/Kerberos/LDAP Authentication: Difference between revisions
Revision as of 16:29, 21 July 2016
Install Required Packages
- RHEL6: Install the following packages.
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel
- RHEL7: Install the following packages
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel
- UBUNTU: Install the following packages
- $ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules
Configure Kerberos
- Gather the list of KDCs for the realm; the last field of each SRV record in the output is a KDC hostname.
    # nslookup -type=SRV _kerberos._tcp.<domain in lowercase>
- Output of the previous command:
    Server:  <ip address>
    Address: <ip address>#53
    _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc1.<domain in lowercase>.
    _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc2.<domain in lowercase>.
    _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc3.<domain in lowercase>.
    _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc4.<domain in lowercase>.
- Create a backup of the /etc/krb5.conf file.
    # cp -p /etc/krb5.conf{,.bak}
- Modify the /etc/krb5.conf file as follows. The changes from the stock file are the default_realm value, the kdc and admin_server lines in the [realms] block, and the two [domain_realm] mappings; <AD DOMAIN> is the realm in uppercase and <ad domain> is the same DNS domain in lowercase.
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = <AD DOMAIN>
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     <AD DOMAIN> = {
      kdc = dc1.<AD DOMAIN>
      kdc = dc2.<AD DOMAIN>
      kdc = dc3.<AD DOMAIN>
      kdc = dc4.<AD DOMAIN>
      admin_server = <AD DOMAIN>
     }

    [domain_realm]
     .<ad domain> = <AD DOMAIN>
     <ad domain> = <AD DOMAIN>
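The two steps above (discover the KDCs from the _kerberos._tcp SRV records, then write them into the static kdc list of /etc/krb5.conf) can be carried out as one script. The following Python is an added example, not part of the wiki page: it parses constructed nslookup output for a placeholder realm EXAMPLE.COM, orders the KDCs the way a client would try them (RFC 2782 priority, then weight), and renders the krb5.conf layout shown above. It refuses a lowercase realm name and an empty KDC list, since with dns_lookup_kdc = false the static list is the only way libkrb5 can find a KDC.

```python
import re
from dataclasses import dataclass

# Constructed sample output of `nslookup -type=SRV _kerberos._tcp.example.com`
# (not captured from a real domain; EXAMPLE.COM is a placeholder realm).
SAMPLE_NSLOOKUP = """\
Server:         192.0.2.53
Address:        192.0.2.53#53

_kerberos._tcp.example.com  service = 0 100 88 dc1.example.com.
_kerberos._tcp.example.com  service = 10 100 88 dc2.example.com.
_kerberos._tcp.example.com  service = 0 50 88 dc3.example.com.
"""


@dataclass(frozen=True)
class Kdc:
    priority: int
    weight: int
    port: int
    host: str


# One SRV answer line as nslookup prints it:
# "<name> service = <priority> <weight> <port> <target>."
SRV_LINE = re.compile(r"^\S+\s+service = (\d+) (\d+) (\d+) (\S+?)\.?$")


def parse_srv(output: str) -> list[Kdc]:
    """Extract KDC records from nslookup output, ordered as a client would try
    them (RFC 2782: lowest priority first, higher weight first within a priority)."""
    kdcs = []
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            prio, weight, port, host = m.groups()
            kdcs.append(Kdc(int(prio), int(weight), int(port), host.lower()))
    return sorted(kdcs, key=lambda k: (k.priority, -k.weight, k.host))


def render_krb5_conf(realm: str, kdcs: list[Kdc]) -> str:
    """Render the /etc/krb5.conf layout from the page with the discovered KDCs.
    Because dns_lookup_kdc is false, this static list is the only way libkrb5
    finds a KDC, so every DC returned by the SRV query belongs in it."""
    if not realm or realm != realm.upper():
        raise ValueError("Kerberos realm names are case-sensitive; use the uppercase AD realm")
    if not kdcs:
        raise ValueError("no KDCs discovered; refusing to write a realm with no kdc entries")
    dns_domain = realm.lower()
    out = [
        "[logging]",
        " default = FILE:/var/log/krb5libs.log",
        " kdc = FILE:/var/log/krb5kdc.log",
        " admin_server = FILE:/var/log/kadmind.log",
        "",
        "[libdefaults]",
        f" default_realm = {realm}",
        " dns_lookup_realm = false",
        " dns_lookup_kdc = false",
        " ticket_lifetime = 24h",
        " renew_lifetime = 7d",
        " forwardable = true",
        "",
        "[realms]",
        f" {realm} = {{",
    ]
    for k in kdcs:
        # libkrb5 assumes port 88; only a non-default port needs to be spelled out
        out.append(f"  kdc = {k.host}" if k.port == 88 else f"  kdc = {k.host}:{k.port}")
    out.append(f"  admin_server = {realm}")  # as on the page: the AD domain name itself
    out.append(" }")
    out += ["", "[domain_realm]", f" .{dns_domain} = {realm}", f" {dns_domain} = {realm}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_krb5_conf("EXAMPLE.COM", parse_srv(SAMPLE_NSLOOKUP)))
```

To use it against a real domain, pipe the actual nslookup output into parse_srv and compare the rendered [realms] block with the backup copy of /etc/krb5.conf before replacing the file; the sample deliberately mixes priorities and weights so the ordering logic is visible.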