SSSD/Kerberos/LDAP Authentication: Difference between revisions
Line 9: | Line 9: | ||
==Configure Kerberos== | ==Configure Kerberos== | ||
#Gather the list of KDCs for the realm, the KDCs are bold italic. | #Gather the list of KDCs for the realm, the KDCs are bold italic. | ||
##<tt>'''# nslookup -type=SRV _kerberos._tcp.<domain | ##<tt>'''# nslookup -type=SRV _kerberos._tcp.<domain.com>'''</tt> | ||
###:Output of previous command: | ###:Output of previous command: | ||
###:<tt>Server: <ip address> | ###:<tt>Server: <ip address> | ||
###:Address: <ip address>#53 | ###:Address: <ip address>#53 | ||
###:<br />_kerberos._tcp.<domain in lowercase> service = 0 100 88 '''''dc1.<domain | ###:<br />_kerberos._tcp.<domain in lowercase> service = 0 100 88 '''''dc1.<domain.com>'''''. | ||
###:_kerberos._tcp.<domain in lowercase> service = 0 100 88 '''''dc2.<domain | ###:_kerberos._tcp.<domain in lowercase> service = 0 100 88 '''''dc2.<domain.com>'''''. | ||
###:_kerberos._tcp.<domain in lowercase> service = 0 100 88 '''''dc3.<domain | ###:_kerberos._tcp.<domain in lowercase> service = 0 100 88 '''''dc3.<domain.com>'''''. | ||
###:_kerberos._tcp.<domain in lowercase> service = 0 100 88 '''''dc4.<domain | ###:_kerberos._tcp.<domain in lowercase> service = 0 100 88 '''''dc4.<domain.com>'''''.</tt> | ||
#Create a backup of the /etc/krb5.conf file. | #Create a backup of the /etc/krb5.conf file. | ||
##<tt>'''# cp -p /etc/krb5.conf{,.bak}'''</tt> | ##<tt>'''# cp -p /etc/krb5.conf{,.bak}'''</tt> | ||
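Review bot: the domain placeholder is spelled two ways in this hunk, "<domain.com>" in the nslookup command and "<domain in lowercase>" in the output lines that follow it; the reader substitutes the same DNS name in both, so one placeholder throughout (for example "<domain.com>" in the output lines as well) would make it clear that the dc1..dc4 targets are what later go into the kdc list.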
Line 25: | Line 25: | ||
###: admin_server = FILE:/var/log/kadmind.log | ###: admin_server = FILE:/var/log/kadmind.log | ||
###:<br />[libdefaults] | ###:<br />[libdefaults] | ||
###: default_realm = '''''< | ###: default_realm = '''''<DOMAIN.COM>''''' | ||
###: dns_lookup_realm = false | ###: dns_lookup_realm = false | ||
###: dns_lookup_kdc = false | ###: dns_lookup_kdc = false | ||
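Review bot: with dns_lookup_kdc = false the hand-copied kdc list in [realms] is the only way the client will ever find a KDC, so the SRV lookup from the first step has to be repeated and the file edited whenever a domain controller is added or retired; the page should say so, or mention that leaving dns_lookup_kdc = true lets the Kerberos library resolve the same _kerberos._tcp SRV records on its own.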
Line 32: | Line 32: | ||
###: forwardable = true | ###: forwardable = true | ||
###:<br />[realms] | ###:<br />[realms] | ||
###: '''''< | ###: '''''<DOMAIN.COM>''''' = { | ||
###: '''''kdc = dc1.< | ###: '''''kdc = dc1.<DOMAIN.COM>''''' | ||
###: '''''kdc = dc2.< | ###: '''''kdc = dc2.<DOMAIN.COM>''''' | ||
###: '''''kdc = dc3.< | ###: '''''kdc = dc3.<DOMAIN.COM>''''' | ||
###: '''''kdc = dc4.< | ###: '''''kdc = dc4.<DOMAIN.COM>''''' | ||
###: admin_server = '''''< | ###: admin_server = '''''<DOMAIN.COM>''''' | ||
###: } | ###: } | ||
###:<br />[domain_realm] | ###:<br />[domain_realm] | ||
###: '''''.< | ###: '''''.<domain.com> = <DOMAIN.COM>''''' | ||
###: '''''< | ###: '''''<domain.com> = <DOMAIN.COM>'''''</tt> | ||
==Configure Samba== | ==Configure Samba== |
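Review bot: "admin_server = <DOMAIN.COM>" inside the [realms] block takes a host, not a realm name: the key identifies the machine running the Kerberos administration server, so the value should be a hostname such as one of the dc1.<domain.com> names gathered above (a bare <DOMAIN.COM> only works when that name happens to resolve to a domain controller). In the same hunk the kdc lines use the upper-case "<DOMAIN.COM>" placeholder while the nslookup step returned lower-case "dc1.<domain.com>" hostnames; DNS ignores case, but writing the hostnames in lower case avoids suggesting that the realm name belongs in a hostname.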
Revision as of 17:20, 21 July 2016
Install Required Packages
- RHEL6: Install the following packages.
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel
- RHEL7: Install the following packages.
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel
- Ubuntu: Install the following packages.
- $ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules
Configure Kerberos
- Gather the list of KDCs for the realm; the KDCs are shown in bold italic.
- # nslookup -type=SRV _kerberos._tcp.<domain.com>
- Output of previous command:
- Server: <ip address>
- Address: <ip address>#53
- _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc1.<domain.com>.
- _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc2.<domain.com>.
- _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc3.<domain.com>.
- _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc4.<domain.com>.
- Create a backup of the /etc/krb5.conf file.
- # cp -p /etc/krb5.conf{,.bak}
- Modify the /etc/krb5.conf file as follows; changes are in bold italic.
- [logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
- [libdefaults]
- default_realm = <DOMAIN.COM>
- dns_lookup_realm = false
- dns_lookup_kdc = false
- ticket_lifetime = 24h
- renew_lifetime = 7d
- forwardable = true
- [realms]
- <DOMAIN.COM> = {
- kdc = dc1.<DOMAIN.COM>
- kdc = dc2.<DOMAIN.COM>
- kdc = dc3.<DOMAIN.COM>
- kdc = dc4.<DOMAIN.COM>
- admin_server = <DOMAIN.COM>
- }
- [domain_realm]
- .<domain.com> = <DOMAIN.COM>
- <domain.com> = <DOMAIN.COM>
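As an added example (not part of the wiki page), the two Kerberos steps above can be scripted: take the SRV answer that nslookup returns, order the KDCs by priority and weight, and emit the [realms] and [domain_realm] stanzas, after checking that the realm is written in upper case and the DNS domain in lower case, since Kerberos realm names are case-sensitive while DNS names are not. The SRV text, the realm EXAMPLE.COM and the function names are constructed for this example; the admin_server line the page puts in the realm block is left out because that key names a kadmin host.

```shell
#!/bin/sh
# Added example, not from the wiki page: build the [realms] and
# [domain_realm] stanzas of /etc/krb5.conf from the output of
# "nslookup -type=SRV _kerberos._tcp.<domain.com>".

# Constructed sample answer in the shape of the page's nslookup output
# (fields: priority weight port target).  Priorities and weights differ
# on purpose so the ordering step is visible.
SAMPLE_SRV='_kerberos._tcp.example.com service = 0 100 88 dc1.example.com.
_kerberos._tcp.example.com service = 10 100 88 dc4.example.com.
_kerberos._tcp.example.com service = 0 200 88 dc2.example.com.
_kerberos._tcp.example.com service = 0 100 88 dc3.example.com.'

# One "kdc = host" line per SRV record: lowest priority first, highest
# weight first within a priority, hostname as tie-break, trailing dot
# removed.
srv_to_kdc_lines() {
    printf '%s\n' "$1" |
        awk '$2 == "service" { print $4, $5, $7 }' |
        sort -k1,1n -k2,2nr -k3,3 |
        awk '{ sub(/\.$/, "", $3); print "kdc = " $3 }'
}

# 0 when REALM is all upper-case, DOMAIN all lower-case and both spell
# the same name; 1 otherwise.  This is the case mix the page's
# <DOMAIN.COM> / <domain.com> placeholders encode.
check_realm_case() {
    realm=$1; domain=$2
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] || return 1
    [ "$domain" = "$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')" ] || return 1
    [ "$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')" = "$domain" ] || return 1
}

# Print the two stanzas for REALM and DOMAIN from the SRV text, or fail
# with a message when the realm/domain pair does not pass the case check.
render_realm_stanzas() {
    realm=$1; domain=$2; srv=$3
    check_realm_case "$realm" "$domain" || {
        echo "realm '$realm' / domain '$domain': case or name mismatch" >&2
        return 1
    }
    printf '[realms]\n%s = {\n' "$realm"
    srv_to_kdc_lines "$srv" | sed 's/^/    /'
    printf '}\n\n[domain_realm]\n.%s = %s\n%s = %s\n' "$domain" "$realm" "$domain" "$realm"
}

# Stand-alone run: print the stanzas for the constructed sample.
render_realm_stanzas EXAMPLE.COM example.com "$SAMPLE_SRV"
```

The ordering matters because the Kerberos library tries the kdc lines in the order they appear in the file; sorting by the SRV priority and weight reproduces the preference the domain publishes in DNS.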
Configure Samba
- Create a backup of the /etc/samba/smb.conf file.
- # cp -p /etc/samba/smb.conf{,.bak}
- Modify the /etc/samba/smb.conf file as follows; changes are in bold italic.
- [global]
- workgroup = <DOMAIN>
- ; server string = Samba Server Version %v
- .
- .
- ; security = user
- ; passdb backend = tdbsam
- .
- .
- client signing = yes
- client use spnego = yes
- kerberos method = secrets and keytab
- security = ads
- passdb backend = tdbsam
- realm = <DOMAIN.COM>
- .
- .
- ; load printers = yes
- ; cups options = raw
- .
- .
- ;[printers]
- ; comment = All Printers
- ; path = /var/spool/samba
- ; browseable = no
- ; guest ok = no
- ; writable = no
- ; printable = yes
- Verify the Samba configuration.
- # testparm
- The output should be similar to:
- [global]
- workgroup = <AD DOMAIN minus top level domain>
- realm = <AD DOMAIN>
- security = ADS
- kerberos method = secrets and keytab
- log file = /var/log/samba/log.%m
- max log size = 50
- client signing = required
- idmap config * : backend = tdb
- [homes]
- comment = Home Directories
- read only = No
- browseable = No
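As an added example (not part of the wiki page), a shell check that vets an smb.conf [global] section for the settings the Samba step above introduces before the file is copied into place and testparm is run. The two fragments are constructed to resemble the page's stock and edited listings; the realm EXAMPLE.COM, the workgroup EXAMPLE, the function names and the assumption that the workgroup is the first label of the realm (the page's "<AD DOMAIN minus top level domain>" placeholder) are this example's, not the page's.

```shell
#!/bin/sh
# Added example, not from the wiki page: check an smb.conf [global]
# section for the ADS settings the page's Samba step requires.

# Constructed "before" fragment: the stock file has security = user and
# passdb backend commented out and no realm.
SMB_BEFORE='[global]
        workgroup = EXAMPLE
        ; security = user
        ; passdb backend = tdbsam
        load printers = yes'

# Constructed "after" fragment with the settings the page adds.
SMB_AFTER='[global]
        workgroup = EXAMPLE
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        security = ads
        passdb backend = tdbsam
        realm = EXAMPLE.COM'

# Print the value of KEY from the [global] section of the text in $1.
# Comment lines (; or #) and other sections are ignored; key matching is
# case-insensitive, as in Samba itself.
smb_global_value() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /\[global\]/); next }
        insec && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want)) { print val; exit }
        }'
}

# 0 when every setting the page calls for is present with the expected
# value, the realm is upper-case and the workgroup is the realm's first
# label (an assumption of this example); otherwise print the first
# problem found and return 1.
smb_ads_ready() {
    conf=$1
    for pair in 'security=ads' 'client signing=yes' 'client use spnego=yes' \
                'kerberos method=secrets and keytab'; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(smb_global_value "$conf" "$key" | tr '[:upper:]' '[:lower:]')
        [ "$got" = "$want" ] || { echo "$key is '$got', expected '$want'"; return 1; }
    done
    realm=$(smb_global_value "$conf" realm)
    [ -n "$realm" ] || { echo "realm is not set"; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "realm '$realm' must be upper-case"; return 1; }
    wg=$(smb_global_value "$conf" workgroup)
    [ "$wg" = "${realm%%.*}" ] \
        || { echo "workgroup '$wg' is not the first label of '$realm'"; return 1; }
    return 0
}

# Stand-alone run: the stock file fails, the edited file passes.
smb_ads_ready "$SMB_BEFORE" || echo "stock smb.conf: not ready for ADS"
smb_ads_ready "$SMB_AFTER" && echo "edited smb.conf: ADS settings look right"
```

testparm still has the last word, since it also catches syntax errors and reports the defaults Samba fills in (the "client signing = required" and idmap lines in the page's output); this check only confirms that the edits the page asks for are actually present.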
Kerberos Ticket
- Obtain and verify a new ticket using the new Kerberos configuration.
- # kinit <admin account>
- Enter the password.
- Verify the ticket.
- # klist
- The output should be similar to:
- Ticket cache: FILE:/tmp/krb5cc_0
- Default principal: <admin account>@<AD DOMAIN>
- Valid starting       Expires              Service principal
- 03/31/16 07:17:39    03/31/16 17:17:35    krbtgt/<AD DOMAIN>@<AD DOMAIN>
- renew until 04/07/16 07:17:39
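As an added example (not part of the wiki page), a shell check for the "verify the ticket" step above: it reads klist output and confirms that the default principal belongs to the expected realm, that a krbtgt/REALM@REALM entry (an initial ticket, not just a service ticket) is in the cache, and that the ticket carries the "renew until" line that the renew_lifetime setting from the Kerberos section produces. The two klist captures are constructed in the shape of the page's output; the realm EXAMPLE.COM, the principal admin and the function names are this example's.

```shell
#!/bin/sh
# Added example, not from the wiki page: sanity-check klist output after
# kinit against the realm configured in /etc/krb5.conf.

# Constructed capture shaped like the page's klist output.
KLIST_OK='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
03/31/16 07:17:39  03/31/16 17:17:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/07/16 07:17:39'

# Constructed capture of a cache that holds only a service ticket for a
# file server and no TGT.
KLIST_NO_TGT='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
03/31/16 07:17:39  03/31/16 17:17:35  cifs/files.example.com@EXAMPLE.COM'

# Print the realm part of the "Default principal:" line.
klist_principal_realm() {
    printf '%s\n' "$1" |
        awk -F': ' '/^Default principal:/ { sub(/.*@/, "", $2); print $2; exit }'
}

# 0 when the default principal is in REALM and a krbtgt/REALM@REALM
# ticket is listed; otherwise print the problem and return 1.
klist_tgt_ok() {
    out=$1; realm=$2
    got=$(klist_principal_realm "$out")
    [ "$got" = "$realm" ] \
        || { echo "default principal is in realm '$got', expected '$realm'"; return 1; }
    printf '%s\n' "$out" | grep -q "[[:space:]]krbtgt/$realm@$realm\$" \
        || { echo "no krbtgt/$realm@$realm ticket in cache"; return 1; }
    return 0
}

# 0 when the listing carries a "renew until" line, i.e. the ticket is
# renewable as the page's renew_lifetime = 7d setting intends.
klist_tgt_renewable() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*renew until '
}

# Stand-alone run against the constructed captures.
klist_tgt_ok "$KLIST_OK" EXAMPLE.COM && echo "TGT for EXAMPLE.COM present"
klist_tgt_renewable "$KLIST_OK" && echo "TGT is renewable"
klist_tgt_ok "$KLIST_NO_TGT" EXAMPLE.COM || echo "second cache: kinit needed"
```

A mismatch in the realm part of the principal usually means default_realm in /etc/krb5.conf does not match the name the KDC issued the ticket for; a missing krbtgt entry means kinit did not succeed or the cache named in "Ticket cache:" is not the one the tools are reading.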