SSSD/Kerberos/LDAP Authentication: Difference between revisions

From UNIX Systems Administration
Revision as of 17:29, 21 July 2016

Install Required Packages

  1. RHEL6: Install the following packages.
    1. # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel
  2. RHEL7: Install the following packages.
    1. # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel
  3. Ubuntu: Install the following packages.
    1. $ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules

Configure Kerberos

  1. Gather the list of KDCs for the realm from the _kerberos._tcp SRV records; the KDC host names are the last field of each record (dc1 to dc4 in the output below).
    1. # nslookup -type=SRV _kerberos._tcp.<domain.com>
      1. Output of previous command:
        Server: <ip address>
        Address: <ip address>#53

        _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc1.<domain.com>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc2.<domain.com>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc3.<domain.com>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc4.<domain.com>.
  2. Create a backup of the /etc/krb5.conf file.
    1. # cp -p /etc/krb5.conf{,.bak}
    2. Modify the /etc/krb5.conf file as follows. The edited values are default_realm, the KDC list and admin_server under [realms], and the [domain_realm] mapping; write the realm in upper case and the DNS domain in lower case. Because dns_lookup_kdc = false, only the KDCs listed here are ever contacted, so keep this list in step with the SRV records.
      1. [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

        [libdefaults]
        default_realm = <DOMAIN.COM>
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

        [realms]
        <DOMAIN.COM> = {
        kdc = dc1.<DOMAIN.COM>
        kdc = dc2.<DOMAIN.COM>
        kdc = dc3.<DOMAIN.COM>
        kdc = dc4.<DOMAIN.COM>
        admin_server = <DOMAIN.COM>
        }

        [domain_realm]
        .<domain.com> = <DOMAIN.COM>
        <domain.com> = <DOMAIN.COM>
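
Worked example, added here and not part of the original page: a POSIX shell script that parses the nslookup SRV output from step 1 and renders a krb5.conf with the layout shown above. The SRV output, the example.com domain and the dc1 to dc4 hosts are constructed placeholders, not real infrastructure.

```sh
# Constructed sample of `nslookup -type=SRV _kerberos._tcp.example.com` output
# (example.com and the dcN hosts are placeholders, not real infrastructure).
SAMPLE_SRV='Server:  192.0.2.53
Address: 192.0.2.53#53

_kerberos._tcp.example.com service = 0 100 88 dc1.example.com.
_kerberos._tcp.example.com service = 0 100 88 dc2.example.com.
_kerberos._tcp.example.com service = 0 100 88 dc3.example.com.
_kerberos._tcp.example.com service = 0 100 88 dc4.example.com.'

# parse_kdcs SRV_OUTPUT
# Prints one KDC host name per line, in the order nslookup returned them,
# with the trailing root dot removed. Only "service =" lines are used, so
# the Server:/Address: header is ignored.
parse_kdcs() {
    printf '%s\n' "$1" | awk '$2 == "service" { sub(/\.$/, "", $NF); print $NF }'
}

# render_krb5_conf REALM DOMAIN KDC...
# Emits a krb5.conf in the page's layout: realm in upper case, DNS lookups
# disabled so only the listed KDCs are contacted, and the domain_realm
# mapping for both the bare domain and its subdomains. Refuses a realm that
# is not upper case, since REALM and realm are different Kerberos realms.
render_krb5_conf() {
    realm=$1; domain=$2; shift 2
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] || {
        echo "realm must be upper case: $realm" >&2; return 1; }
    printf '[logging]\n default = FILE:/var/log/krb5libs.log\n kdc = FILE:/var/log/krb5kdc.log\n admin_server = FILE:/var/log/kadmind.log\n\n'
    printf '[libdefaults]\n default_realm = %s\n dns_lookup_realm = false\n dns_lookup_kdc = false\n' "$realm"
    printf ' ticket_lifetime = 24h\n renew_lifetime = 7d\n forwardable = true\n\n'
    printf '[realms]\n %s = {\n' "$realm"
    for kdc in "$@"; do printf '  kdc = %s\n' "$kdc"; done
    printf '  admin_server = %s\n }\n\n' "$domain"
    printf '[domain_realm]\n .%s = %s\n %s = %s\n' "$domain" "$realm" "$domain" "$realm"
}

# Usage: render the file from the discovered KDCs; redirect it to
# /etc/krb5.conf only after the backup in step 2 has been taken.
# render_krb5_conf EXAMPLE.COM example.com $(parse_kdcs "$SAMPLE_SRV")
```

On a live host, replace SAMPLE_SRV with the real `nslookup -type=SRV _kerberos._tcp.<domain.com>` output; the realm check catches the common mistake of pasting the lower-case DNS domain where the upper-case realm belongs.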

Configure Samba

  1. Create a backup of the /etc/samba/smb.conf file.
    1. # cp -p /etc/samba/smb.conf{,.bak}
  2. Modify the /etc/samba/smb.conf file as follows. The lines prefixed with ; are commented out; the added settings are the client signing, client use spnego, kerberos method, security, passdb backend and realm lines in [global].
    1. [global]
             workgroup = <DOMAIN>
      ;      server string = Samba Server Version %v
              .
              .
      ;      security = user
      ;      passdb backend = tdbsam
              .
              .
             client signing = yes
             client use spnego = yes
             kerberos method = secrets and keytab
             security = ads
             passdb backend = tdbsam
             realm = <DOMAIN.COM>
              .
              .
      ;      load printers = yes
      ;      cups options = raw
              .
              .
      ;[printers]
      ;      comment = All Printers
      ;      path = /var/spool/samba
      ;      browseable = no
      ;      guest ok = no
      ;      writable = no
      ;      printable = yes
  3. Verify the Samba configuration.
    1. # testparm
  4. The output should be similar to:
    1. [global]
             workgroup = <DOMAIN>
             realm = <DOMAIN.COM>
             security = ADS
             kerberos method = secrets and keytab
             log file = /var/log/samba/log.%m
             max log size = 50
             client signing = required
             idmap config * : backend = tdb
             
      [homes]
             comment = Home Directories
             read only = No
             browseable = No
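
Added example, not from the original page: a shell check that reads `testparm -s` style output and flags the settings an AD member needs (security = ADS, signing required, the keytab-backed Kerberos method and a realm). It is run here on two constructed [global] sections, one weak and one matching the page; EXAMPLE and EXAMPLE.COM are placeholders.

```sh
# Constructed `testparm -s` style [global] dumps used as offline input
# (EXAMPLE / EXAMPLE.COM are placeholders, not from a real server).
WEAK_SMB='[global]
	workgroup = EXAMPLE
	security = user
	passdb backend = tdbsam
	client signing = auto
	log file = /var/log/samba/log.%m'

HARDENED_SMB='[global]
	workgroup = EXAMPLE
	realm = EXAMPLE.COM
	security = ADS
	kerberos method = secrets and keytab
	client signing = required
	client use spnego = yes
	log file = /var/log/samba/log.%m'

# smb_get CONFIG KEY
# Prints the value of KEY from the [global] section, with whitespace around
# "=" trimmed. Keys are matched case-insensitively because testparm
# normalises some names and values (it prints ADS and required, for example).
smb_get() {
    printf '%s\n' "$1" | awk -v key="$2" -F= '
        /^[ \t]*\[/ { insec = ($0 ~ /\[global\]/); next }
        insec && NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# check_smb_ad CONFIG
# Verifies the settings this page relies on for an AD member. Prints one
# line per violation and returns 1 if any were found, 0 otherwise.
check_smb_ad() {
    rc=0
    v=$(smb_get "$1" "security")
    [ "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" = "ads" ] \
        || { echo "security = '$v' (want ADS)"; rc=1; }
    v=$(smb_get "$1" "client signing")
    case "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" in
        required|mandatory|yes|true|on) ;;   # all spell "required" to Samba
        *) echo "client signing = '$v' (want required)"; rc=1 ;;
    esac
    v=$(smb_get "$1" "kerberos method")
    [ "$v" = "secrets and keytab" ] \
        || { echo "kerberos method = '$v' (want secrets and keytab)"; rc=1; }
    [ -n "$(smb_get "$1" realm)" ] || { echo "realm is not set"; rc=1; }
    return $rc
}

# Live usage after editing smb.conf:
# check_smb_ad "$(testparm -s 2>/dev/null)" && echo "smb.conf ok for AD"
```

Checking the `testparm -s` output rather than the raw file means defaults and normalised spellings are seen the way Samba will use them.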

Kerberos Ticket

  1. Obtain and verify a new ticket using the new Kerberos configuration.
    1. # kinit <admin account>
      1. Enter the password.
  2. Verify the ticket.
    1. # klist
      1. The output should be similar to:
        1. Ticket cache: FILE:/tmp/krb5cc_0
          Default principal: <admin account>@<DOMAIN.COM>

          Valid starting     Expires            Service principal
          03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
                   renew until 04/07/16 07:17:39

Register Server with Active Directory

  1. Join AD and obtain a keytab. -k authenticates with the admin ticket obtained above instead of prompting for a password, and createcomputer= places the new computer object in the given OU.
    1. # net ads join -k createcomputer="Computer-Groups/Servers/Linux"
  2. Verify the keytab. Each principal is listed once per encryption type (add -e to klist to show the type), all with the same KVNO. The keytab holds the machine account's keys, so /etc/krb5.keytab must stay owned by root with mode 0600.
    1. # klist -k
      1. The output should be similar to:
        Keytab name: FILE:/etc/krb5.keytab
        KVNO Principal
        ---- --------------------------------------------------------------------------
           2 host/<servername.domain.com@DOMAIN.COM>
           2 host/<servername.domain.com@DOMAIN.COM>
           2 host/<servername.domain.com@DOMAIN.COM>
           2 host/<servername.domain.com@DOMAIN.COM>
           2 host/<servername.domain.com@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 host/<SERVERNAME@DOMAIN.COM>
           2 <SERVERNAME$@DOMAIN.COM>
           2 <SERVERNAME$@DOMAIN.COM>
           2 <SERVERNAME$@DOMAIN.COM>
           2 <SERVERNAME$@DOMAIN.COM>
           2 <SERVERNAME$@DOMAIN.COM>
  3. Obtain a Kerberos ticket for the machine account from the keytab. The principal is the upper-case host name followed by $, as listed in the keytab.
    1. # kinit -k <SERVERNAME>$
  4. Verify the new default principal; it will have changed from <admin account> to <SERVERNAME>$.
    1. # klist
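
Added example, not from the original page: shell functions that verify the keytab produced by the join (the machine account SERVERNAME$@REALM that kinit -k uses, the host/FQDN principal, a single KVNO) and the keytab file mode. They are run here on constructed klist -k output for a host called server1 in the placeholder realm EXAMPLE.COM.

```sh
# Constructed `klist -k` output for host server1.example.com in EXAMPLE.COM
# (placeholders; kvno and principals are not from a real keytab).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server1.example.com@EXAMPLE.COM
   2 host/server1.example.com@EXAMPLE.COM
   2 host/SERVER1@EXAMPLE.COM
   2 host/SERVER1@EXAMPLE.COM
   2 SERVER1$@EXAMPLE.COM
   2 SERVER1$@EXAMPLE.COM'

# keytab_principals KLIST_OUTPUT: distinct principals in the keytab.
# Entry lines start with a numeric kvno; header and separator lines do not.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_kvnos KLIST_OUTPUT: distinct key version numbers. More than one
# usually means entries from an earlier join survived in the keytab.
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -u
}

# check_keytab KLIST_OUTPUT FQDN REALM
# Verifies the entries the join should have produced: the machine account
# SHORTNAME$@REALM (what `kinit -k SHORTNAME$` reads) and host/FQDN@REALM,
# and that only one kvno is present. Prints violations; returns 1 on any.
check_keytab() {
    out=$1; fqdn=$2; realm=$3
    short=$(printf '%s' "${fqdn%%.*}" | tr '[:lower:]' '[:upper:]')
    rc=0
    keytab_principals "$out" | grep -qxF "${short}\$@${realm}" \
        || { echo "missing machine account ${short}\$@${realm}"; rc=1; }
    keytab_principals "$out" | grep -qxF "host/${fqdn}@${realm}" \
        || { echo "missing host/${fqdn}@${realm}"; rc=1; }
    [ "$(keytab_kvnos "$out" | awk 'END { print NR }')" -eq 1 ] \
        || { echo "keytab holds more than one kvno; check for a stale join"; rc=1; }
    return $rc
}

# keytab_perms PATH
# Returns 0 only if no group or other permission bits are set on the file.
# The keytab is the machine's long-term credential; anyone who can read it
# can authenticate as the host, so it must be mode 0600 (and root-owned).
keytab_perms() {
    [ -f "$1" ] || { echo "no keytab at $1"; return 1; }
    mode=$(ls -ld "$1" | awk '{ print substr($1, 1, 10) }')
    case "$mode" in
        ????------) return 0 ;;
    esac
    echo "$1 has mode $mode; run: chmod 600 $1"
    return 1
}

# Live usage after `net ads join`:
# check_keytab "$(klist -k)" "$(hostname -f)" EXAMPLE.COM && keytab_perms /etc/krb5.keytab
```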