SSSD/Kerberos/LDAP Authentication: Difference between revisions
Revision as of 17:57, 21 July 2016
Install Required Packages
- RHEL6: Install the following packages.
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel
- RHEL7: Install the following packages
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel
- UBUNTU: Install the following packages
- $ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules
Configure Kerberos
- Gather the list of KDCs for the realm; the KDC hostnames are the last field of each SRV record in the output.
  # nslookup -type=SRV _kerberos._tcp.<domain.com>
- Output of the previous command:
    Server:   <ip address>
    Address:  <ip address>#53

    _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc1.domain.com>.
    _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc2.domain.com>.
    _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc3.domain.com>.
    _kerberos._tcp.<domain in lowercase> service = 0 100 88 <dc4.domain.com>.
- Create a backup of the /etc/krb5.conf file.
- # cp -p /etc/krb5.conf{,.bak}
- Modify the /etc/krb5.conf file as follows; the values to change are the default realm, the kdc entries (one per KDC found above) and the [domain_realm] mappings.
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = <DOMAIN.COM>
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    [realms]
    <DOMAIN.COM> = {
      kdc = dc1.<DOMAIN.COM>
      kdc = dc2.<DOMAIN.COM>
      kdc = dc3.<DOMAIN.COM>
      kdc = dc4.<DOMAIN.COM>
      admin_server = <DOMAIN.COM>
    }

    [domain_realm]
    .<domain.com> = <DOMAIN.COM>
    <domain.com> = <DOMAIN.COM>
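As an added example (not part of the original page), the following shell script turns the nslookup SRV output gathered above into the [realms] and [domain_realm] stanzas. Because dns_lookup_kdc = false, the KDC list in krb5.conf must be explicit, and deriving it from the SRV records keeps the two in sync. The hostnames and the realm EXAMPLE.COM are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: build the [realms] and
# [domain_realm] stanzas of /etc/krb5.conf from the output of
# "nslookup -type=SRV _kerberos._tcp.<domain.com>".
# All hostnames and the realm below are constructed placeholders.

# Extract KDC hostnames from nslookup SRV output read on stdin.
# Record lines look like:
#   _kerberos._tcp.example.com service = 0 100 88 dc1.example.com.
kdcs_from_srv() {
    awk '/service = / { host = $NF; sub(/\.$/, "", host); print host }' | sort -u
}

# Print the [realms] and [domain_realm] fragment for REALM (upper case),
# with one kdc line per hostname passed as a further argument.
krb5_realm_stanza() {
    realm=$1; shift
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    printf '[realms]\n%s = {\n' "$realm"
    for kdc in "$@"; do
        printf '    kdc = %s\n' "$kdc"
    done
    printf '    admin_server = %s\n}\n\n' "$realm"
    printf '[domain_realm]\n.%s = %s\n%s = %s\n' "$domain" "$realm" "$domain" "$realm"
}

# Constructed sample of nslookup output for a realm with two DCs.
SAMPLE_SRV='Server:   192.0.2.53
Address:  192.0.2.53#53

_kerberos._tcp.example.com service = 0 100 88 dc2.example.com.
_kerberos._tcp.example.com service = 0 100 88 dc1.example.com.'

# Usage: pipe the real nslookup output instead of the sample.
kdcs=$(printf '%s\n' "$SAMPLE_SRV" | kdcs_from_srv)
# shellcheck disable=SC2086  # word splitting on newlines is intended here
krb5_realm_stanza EXAMPLE.COM $kdcs
```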
Configure Samba
- Create a backup of the /etc/samba/smb.conf file.
- # cp -p /etc/samba/smb.conf{,.bak}
- Modify the /etc/samba/smb.conf file as follows. The settings to add or change are the uncommented lines under [global]; lines prefixed with ';' are stock entries that are commented out, and '...' marks unchanged parts of the file that are omitted here.
    [global]
    workgroup = <DOMAIN>
    ; server string = Samba Server Version %v
    ...
    ; security = user
    ; passdb backend = tdbsam
    ...
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    security = ads
    passdb backend = tdbsam
    realm = <DOMAIN.COM>
    ...
    ; load printers = yes
    ; cups options = raw
    ...
    ;[printers]
    ; comment = All Printers
    ; path = /var/spool/samba
    ; browseable = no
    ; guest ok = no
    ; writable = no
    ; printable = yes
- Verify the Samba configuration.
- # testparm
- The output should be similar to:
    [global]
    workgroup = <DOMAIN>
    realm = <DOMAIN.COM>
    security = ADS
    kerberos method = secrets and keytab
    log file = /var/log/samba/log.%m
    max log size = 50
    client signing = required
    idmap config * : backend = tdb

    [homes]
    comment = Home Directories
    read only = No
    browseable = No
Kerberos Ticket
- Obtain a new ticket using the new Kerberos configuration.
  # kinit <admin account>
- Enter the password.
- Verify the ticket.
  # klist
- The output should be similar to:
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: <admin account>@<DOMAIN.COM>

    Valid starting     Expires            Service principal
    03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
        renew until 04/07/16 07:17:39
Register Server with Active Directory
- Join AD and obtain a keytab.
  # net ads join -k createcomputer="Computer-Groups/Servers/Linux"
- Verify the keytab.
  # klist -k
- The output should be similar to (klist -k prints one line per principal and encryption type):
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 host/<servername.domain.com@DOMAIN.COM>
       2 host/<servername.domain.com@DOMAIN.COM>
       2 host/<servername.domain.com@DOMAIN.COM>
       2 host/<servername.domain.com@DOMAIN.COM>
       2 host/<servername.domain.com@DOMAIN.COM>
       2 host/<SERVERNAME@DOMAIN.COM>
       2 host/<SERVERNAME@DOMAIN.COM>
       2 host/<SERVERNAME@DOMAIN.COM>
       2 host/<SERVERNAME@DOMAIN.COM>
       2 host/<SERVERNAME@DOMAIN.COM>
       2 <SERVERNAME$@DOMAIN.COM>
       2 <SERVERNAME$@DOMAIN.COM>
       2 <SERVERNAME$@DOMAIN.COM>
       2 <SERVERNAME$@DOMAIN.COM>
       2 <SERVERNAME$@DOMAIN.COM>
- Obtain a Kerberos ticket using the keytab; the principal is the server name in capitals followed by $.
  # kinit -k <SERVERNAME>$
- Verify the new default principal; it will have changed from <admin account> to <SERVERNAME>$.
  # klist
- The output should be similar to, note the changed default principal:
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: <SERVERNAME>$@<DOMAIN.COM>

    Valid starting     Expires            Service principal
    03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/<DOMAIN.COM>@<DOMAIN.COM>
        renew until 04/07/16 07:17:39
Verify LDAP
- Verify that LDAP returns the sAMAccountNames
- # ldapsearch -o ldif-wrap=140 -H ldap://<dc1.domain.com> -Y GSSAPI -N -b DC=domain,DC=com "memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com" | grep sAMAccountName
Configure SSSD Authentication
- RHEL6 & RHEL7: Configure pam and nsswitch.
- # authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
- Note: this may start the oddjobd daemon.
- UBUNTU: The install of the packages will set this information, nothing more is needed.
Enable oddjobd service
- RHEL6: Enable startup on boot
- # chkconfig oddjobd on
- RHEL7: Enable startup on boot
- # systemctl enable oddjobd.service
SSSD configuration
- Create a backup of /etc/sssd/sssd.conf if it exists (most likely not).
- # cp -p /etc/sssd/sssd.conf{,.bak}
- Create the configuration file as follows (uncomment the [sssd] and, if needed, [domain/LOCAL] block that matches your RHEL release):
    #RHEL6: Uncomment the following lines:
    #[sssd]
    #config_file_version = 2
    #debug_level = 0
    ##domains = local, <domain.com>
    #domains = <domain.com>
    #services = nss, pam
    #reconnection_retries = 3

    #RHEL7: Uncomment the following lines:
    #[sssd]
    #config_file_version = 2
    #debug_level = 0
    ##domains = local, <domain.com>
    #domains = <domain.com>
    #services = nss, pam, pac
    #reconnection_retries = 3

    [domain/default]
    ldap_referrals = false

    #RHEL6: Uncomment the following lines only if domains = local, <domain.com> will be
    # used in the [sssd] stanza.
    #[domain/LOCAL]
    #enumerate = TRUE
    #min_id = 500
    #max_id = 999
    #id_provider = local
    #auth_provider = local

    #RHEL7: Uncomment the following lines only if domains = local, <domain.com> will be
    # used in the [sssd] stanza.
    #[domain/LOCAL]
    #enumerate = TRUE
    #min_id = 1000
    #max_id = 1999
    #id_provider = local
    #auth_provider = local

    [domain/<domain.com>]
    dns_discovery_domain = <domain.com>
    id_provider = ad
    auth_provider = ad
    access_provider = ad

    # Allow domain admins
    ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=com)

    default_shell = /bin/bash
    override_homedir = /home/%d/%u

    # Permits offline logins:
    cache_credentials = true

    # Use when service discovery not working:
    # ad_server = <dc1.domain.com>

    #ldap_id_mapping = true

    [nss]
    filter_groups = root
    filter_users = root
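As an added example (not part of the original page), a pre-flight check for the sssd.conf written above. SSSD refuses to start unless the file is owned by root with mode 0600, and an AD domain section without access_provider = ad plus an ad_access_filter lets every domain account log in, so the script checks both. The sample config, the realm example.com and the temporary file are constructed for the demo; stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for sssd.conf.
# Checks the permissions SSSD requires (root, 0600) and that the AD domain
# restricts logins with access_provider = ad and an ad_access_filter.
# The sample config and temp path below are constructed; stat -c is GNU.

# Return 0 if FILE has mode 0600.
sssd_conf_mode_ok() { [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]; }

# Return 0 if FILE is owned by root.
sssd_conf_owner_ok() { [ "$(stat -c '%U' "$1" 2>/dev/null)" = "root" ]; }

# Return 0 if the [domain/DOMAIN] section of FILE sets access_provider = ad
# and an ad_access_filter starting with "(", ignoring commented-out lines.
sssd_access_filter_ok() {
    awk -v sect="[domain/$2]" '
        /^[[:space:]]*\[/ { in_sect = ($0 == sect); next }
        !in_sect || /^[[:space:]]*#/ { next }
        /^[[:space:]]*access_provider[[:space:]]*=[[:space:]]*ad[[:space:]]*$/ { ap = 1 }
        /^[[:space:]]*ad_access_filter[[:space:]]*=[[:space:]]*\(/ { af = 1 }
        END { if (ap && af) exit 0; exit 1 }' "$1"
}

# Write a constructed sssd.conf to FILE with the permissions SSSD expects.
write_sample_sssd_conf() {
    cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
# ad_access_filter = (memberOf=CN=Everyone,DC=example,DC=com)
ad_access_filter = (memberOf=CN=Domain Admins,CN=Users,DC=example,DC=com)
cache_credentials = true
EOF
    chmod 600 "$1"
}

# Demo on a temporary file; point the checks at /etc/sssd/sssd.conf for real.
tmp=$(mktemp)
write_sample_sssd_conf "$tmp"
sssd_conf_mode_ok "$tmp"  && echo "mode 0600: ok"  || echo "mode: FIX (chmod 600)"
sssd_conf_owner_ok "$tmp" && echo "owner root: ok" || echo "owner: FIX (chown root)"
sssd_access_filter_ok "$tmp" example.com && echo "access filter: ok" || echo "access filter: MISSING"
rm -f "$tmp"
```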