Authenticating UNIX/Linux to Windows 2008R2. Part 4 : RHEL 6.0

-

Background

Continuation of setting up LDAP/Kerberos clients to use Windows 2008R2 Server as the "source of truth".

See the previous blog , for the steps for how Windows was set up.

Installation of RHEL6.0

    1. Create a Red Hat Linux 6 Kickstart configuration:
      install  text  reboot  cdrom  lang en_US.UTF-8  keyboard us  network --device eth0 --bootproto dhcp  rootpw password  firewall --disabled  authconfig --enableshadow --passalgo=sha512 --enablefingerprint  selinux --disabled  timezone --utc Australia/Melbourne  bootloader --location=mbr --driveorder=sda --append="crashkernel=auto crashkernel=auto rhgb quiet"  clearpart --all --initlabel --drives=sda  part /boot --fstype ext4 --size=500 --ondisk=sda  part pv.1 --grow --size=1 --ondisk=sda  volgroup vg_rhel6 --pesize=4096 pv.1  logvol / --fstype ext4 --name=lv_root --vgname=vg_rhel6 --grow -size=1024  logvol swap --name=lv_swap --vgname=vg_rhel6 --grow --size=1024 --maxsize=2048  %packages  @Base  @Core  @base  openldap-clients  sssd  sssd-client  krb5-workstation
    2. Save this file on a VFAT/FAT floppy disk as ks.cfg
    3. Create a Red Hat Linux 5 x64 VM, with the following configuration:
      1. Custom Config, VMware Workstation 6.5 compatible
      2. I will install the operating system later.
      3. Guest OS : Linux, Red Hat Enterprise Linux 5 64-bit (RHEL6 not listed yet)
      4. VM Name: "rhel6host1″
      5. 1 Processor, 1 Core per Processor
      6. 1024MB Memory
      7. Use Host-Only Networking
      8. IDE Controller type: ATAPI
      9. SCSI Controller type: LSI Logic
      10. Disk: Create a new virtual disk, SCSI, Maximum Disk size, 10GB, Store as Single File, rhel6host1.vmdk (on an NTFS filesystem).
      11. Insert the Red Hat installer CD (Red Hat 5 Update 6)
      12. Power on and Boot from CD.
      13. Enter the following command line arguments:
        linux ks=floppy://ks.cfg
      14. Install VMware Tools:
        # mount -o ro /dev/cdrom /mnt  # cp /mnt/VMware* /tmp  # umount /mnt  # cd /tmp  # tar xfz VMware*  # cd vmware-tools-distrib  # ./vmware-install.pl -d  # vmware-toolbox-cmd timesync enable  Enabled
      15. Reconfigure the VM to use static IP addresses, and set the hostname, and DNS parameters
        # system-config-network-tui  # service network restart

Plan of attack (in order):

    1. Get ldapsearch working with simple bind, unencrypted
    2. Configure LDAP with sssd
    3. Verify LDAP works with getent(1), id(1), etc
    4. Export the Root CA cert from Windows to UNIX
    5. Check the CA cert works with OpenSSL
    6. Import the CA cert
    7. Get LDAPS working with ldapsearch
    8. Change sssd to use LDAPS rather than LDAP
    9. Verify Kerberos works: Initially, without a host principal (krb5.keytab)
    10. Configure SSS to use Kerberos (edit /etc/sssd/sssd.conf)
    11. Configure PAM to use SSS
    12. Verify that services like login can use kerberised IDs and that the password works
    13. Create a host principal keytab in Windows. Import it into UNIX.
    14. Verify that kinit -k works
    15. Edit /etc/krb5/krb5.conf to include "verify_ap_req_nofail = true" in the [libdefaults] section. This will secure the UNIX box to prove it is talking with the bonefide KDC.
    16. Get Single-Sign-On working

1. Ldapsearch, unencrypted

ldapsearch on Linux is very similar but not identical to Solaris. Some of the command line options are subtly different. (eg the -x flag is required to use simple authentication, and URIs are supported)

Using the simple bind user, verify that lookups can be done using unencrypted LDAP. Not only will this return a record, but will also give the correct attribute name:

# ldapsearch -v -x -H ldap://adserver -D "CN=ldapsearch,CN=Users,DC=example,DC=com" \  -b "DC=example,DC=com" -w ld@p53arch -s sub "cn=unix1"  ldap_initialize( ldap://adserver )  filter: cn=unix1  requesting: All userApplication attributes  # extended LDIF  #  # LDAPv3  # base <DC=example,DC=com> with scope subtree  # filter: cn=unix1  # requesting: ALL  #    # unix1, UNIX, example.com  dn: CN=unix1,OU=UNIX,DC=example,DC=com  objectClass: top  objectClass: person  objectClass: organizationalPerson  objectClass: user  cn: unix1  distinguishedName: CN=unix1,OU=UNIX,DC=example,DC=com  instanceType: 4  whenCreated: 20110809102742.0Z  whenChanged: 20110810132335.0Z  uSNCreated: 20816  memberOf: CN=unixgrp1,OU=UNIX,DC=example,DC=com  uSNChanged: 21194  name: unix1  objectGUID:: 8dUSWOctkEaf5x7FkpXrgw==  userAccountControl: 512  badPwdCount: 0  codePage: 0  countryCode: 0  badPasswordTime: 129574586131856092  lastLogoff: 0  lastLogon: 129574589801917979  pwdLastSet: 129574562159321288  primaryGroupID: 513  objectSid:: AQUAAAAAAAUVAAAA9P+gsh3KJO48P5XaUAQAAA==  accountExpires: 9223372036854775807  logonCount: 72  sAMAccountName: unix1  sAMAccountType: 805306368  userPrincipalName: unix1@example.com  objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com  dSCorePropagationData: 16010101000000.0Z  lastLogonTimestamp: 129574227701101793  uid: unix1  msSFU30Name: unix1  msSFU30NisDomain: example  uidNumber: 10000  gidNumber: 10000  unixHomeDirectory: /home/unix1  loginShell: /bin/sh    # search reference  ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com    # search reference  ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com    # search reference  ref: ldap://example.com/CN=Configuration,DC=example,DC=com    # search result  search: 2  result: 0 Success    # numResponses: 5  # numEntries: 1  # numReferences: 3

2. Configure LDAP with sssd, unencrypted

In RHEL 6, sssd is used to configure LDAP. For now, disable the auth_provider until LDAP is working. NB. With this, I have been unable to get secondary groups to work.

/etc/sss/sssd.conf:

[sssd]  config_file_version = 2  reconnection_retries = 3  sbus_timeout = 30  services = nss, pam  domains = EXAMPLE.COM    [nss]  filter_groups = root  filter_users = root  reconnection_retries = 3    [pam]  reconnection_retries = 3    [domain/EXAMPLE.COM]  description = LDAP domain with AD server  enumerate = false  min_id = 1  id_provider = ldap  ;;;; auth_provider = krb5  ldap_uri = ldap://adserver.example.com/  ldap_schema = rfc2307bis  ldap_user_search_base = dc=example,dc=com  ldap_group_search_base = dc=example,dc=com  ldap_default_bind_dn = CN=ldapsearch,CN=Users,DC=example,DC=com  ldap_default_authtok_type = password  ldap_default_authtok = ld@p53arch    ldap_user_object_class = user  ldap_user_name = sAMAccountName  ldap_user_uid_number = uidNumber  ldap_user_gid_number = gidNumber  ldap_user_home_directory = unixHomeDirectory  ldap_user_shell = loginShell  ldap_user_principal = userPrincipalName  ldap_user_member = msSFU30PosixMemberOf    ldap_group_object_class = group  ldap_group_name = sAMAccountName  ldap_group_gid_number = gidNumber  ldap_group_member = memberUid    ; THIS IS REQUIRED, BECAUSE BY DEFAULT IN WINDOWS, THE REALM NAME IS LOWERCASE  ldap_force_upper_case_realm = true

2. Configure /etc/nsswitch.conf

The following lines should be changed to use sss after files:

passwd:     files sss  shadow:     files sss  group:      files sss

3. Verify getent(1) works

Now, Lookups should work:

# service sssd start # getent group unixgrp1  unixgrp1:*:10000:unix1  # getent passwd unix1  unix1:*:10000:10000:unix1:/home/unix1:/bin/sh  # id -a unix1  uid=10000(unix1) gid=10000(unixgrp1) groups=10000(unixgrp1)

4. Import the root CA Certificates

The .PEM format rootCA.cer file should be copied (probably with psftp.exe) to the RedHat system. For the purposes of this instruction it is saved in /root/rootCA.cer.

5. Verify that the certificate file is ok with OpenSSL

# openssl x509 -in /root/rootCA.cer -subject -issuer -purpose  subject= /DC=com/DC=example/CN=example-ADSERVER-CA  issuer= /DC=com/DC=example/CN=example-ADSERVER-CA  Certificate purposes:  SSL client : Yes  SSL client CA : Yes  SSL server : Yes  SSL server CA : Yes  Netscape SSL server : No  Netscape SSL server CA : Yes  S/MIME signing : Yes  S/MIME signing CA : Yes  S/MIME encryption : No  S/MIME encryption CA : Yes  CRL signing : Yes  CRL signing CA : Yes  Any Purpose : Yes  Any Purpose CA : Yes  OCSP helper : Yes  OCSP helper CA : Yes  -----BEGIN CERTIFICATE-----  MIIDczCCAlugAwIBAgIQGGdCEtXMnZ9CxrbAG8zNEjANBgkqhkiG9w0BAQUFADBM  MRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEc  MBoGA1UEAxMTZXhhbXBsZS1BRFNFUlZFUi1DQTAeFw0xMTA4MDkwOTI0NTBaFw0x  NjA4MDkwOTM0NDlaMEwxEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/Is  ZAEZFgdleGFtcGxlMRwwGgYDVQQDExNleGFtcGxlLUFEU0VSVkVSLUNBMIIBIjAN  BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoeQeyJYdYiftNx0g2GOlDxWxo2ah  qsC5h7ryVEwr5BHv39aD33l+DZCHIKWRJA2DQk/xmyzElQhIAI1A7ikR9pPDegVP  eKNhl1n/I5KHrzWhJFCaMYcCmwf6H0X7HaYtDw2Ya2Qv9+s31yIXInA6b49vpXF/  /lkh8NeAh4lHCFBEOzLEaV9Oks6B+ZoSk47PWOFObbafIOY23keabekVn6DFekG5  h+WqihGaVjL7kpSJixyTDcY1WGAaBmiqPgVeCoNsMDIvdrflRIEO5yirQIGayzYN  IuW3HhiiuWkH48iwzcScKc0YMVTnRve5sJ6aQVEiUXvFaw8LDcX628upyQIDAQAB  o1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU3ijY  Of/XO1EuaGxon2AQGtZ1AGUwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEF  BQADggEBAD6Hy40U1CFMDRQ1lQxJsShFc1VqPION/49OYxM7NN07hLbC07VYwNdH  OpK0GvfAL8EExF5yX07NxTWZu1An8eZy1NzhSEdIsEo4wwMlej68DUuZaUK5azV9  EAPcVwQtWVqCowRNWR35VcSx8pYLxyCthNMj9uNjiGgXH7rgSf61JGRkzwnTEkUc  woi84vMGGVGqKNAqm0n0hlJgYGWmVKWfqs8GFwXP99VNTdNJqiJp4EmFiZyeZCRw  m7zKVvmPgQ7l9gq1zNBQ3E4eCj7gtvTKfJDk35uxk3IdOuWaKnDLrtHstb+SWkry  FIes6uSRw9XMupknrR3Og0MHXbx+UZU=  -----END CERTIFICATE-----

The CA root certificate can be tested as follows:

# openssl s_client -connect adserver.example.com:636 -CAfile /etc/openldap/cacerts/rootCA.cer  < /dev/null  CONNECTED(00000003)  depth=1 /DC=com/DC=example/CN=example-ADSERVER-CA  verify return:1  depth=0 /CN=adserver.example.com  verify return:1  ---  Certificate chain   0 s:/CN=adserver.example.com     i:/DC=com/DC=example/CN=example-ADSERVER-CA  ---  Server certificate  -----BEGIN CERTIFICATE-----  MIIF7jCCBNagAwIBAgIKEbgl6gAAAAAAAjANBgkqhkiG9w0BAQUFADBMMRMwEQYK  CZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEcMBoGA1UE  AxMTZXhhbXBsZS1BRFNFUlZFUi1DQTAeFw0xMTA4MDkxNzAyMTRaFw0xMjA4MDgx  NzAyMTRaMB8xHTAbBgNVBAMTFGFkc2VydmVyLmV4YW1wbGUuY29tMIIBIjANBgkq  hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA16Aa3EZH2wW+6N0nWJ8oQvpsgha3AsBS  +iGuuMb9zMj+w5Ulj7tMO1EBQJNJ9Nmlk0kbjbs4+hLD+Jwknxzy4WXSN3yOVIpe  7f/2WJ2a35BXb0AHoMUrtk0UBNhBJgCN3ujxrmm5wWIIKIy9QhqMIFrP9O37XVdX  j6bWRB/5g3qIvpPdsrjizFcVuSx9fZ6apYwsE7E8sDV7IYHKZP7N12wKHXqgxVhQ  BTATusYvyfbLTDoNL/eg3kXcnmZefABhqjJh+Id9peAKTokhyC6KpYnmElm/4gzd  dJ2B4UIQfaL0iHUq5qB5i69jTR5hfQMJ6vHqDdG60e32Ga6oHYHeIwIDAQABo4IC  /TCCAvkwLwYJKwYBBAGCNxQCBCIeIABEAG8AbQBhAGkAbgBDAG8AbgB0AHIAbwBs  AGwAZQByMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ8BAf8E  BAMCBaAweAYJKoZIhvcNAQkPBGswaTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcN  AwQCAgCAMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAS0wCwYJYIZIAWUDBAECMAsG  CWCGSAFlAwQBBTAHBgUrDgMCBzAKBggqhkiG9w0DBzAdBgNVHQ4EFgQUMF1hyvrm  NUeMP6yIPklWxNlUEpQwHwYDVR0jBBgwFoAU3ijYOf/XO1EuaGxon2AQGtZ1AGUw  gdIGA1UdHwSByjCBxzCBxKCBwaCBvoaBu2xkYXA6Ly8vQ049ZXhhbXBsZS1BRFNF  UlZFUi1DQSxDTj1hZHNlcnZlcixDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2Vy  dmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1leGFtcGxlLERD  PWNvbT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9  Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcUGCCsGAQUFBwEBBIG4MIG1MIGyBggrBgEF  BQcwAoaBpWxkYXA6Ly8vQ049ZXhhbXBsZS1BRFNFUlZFUi1DQSxDTj1BSUEsQ049  UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJh  dGlvbixEQz1leGFtcGxlLERDPWNvbT9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0  Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTBABgNVHREEOTA3oB8GCSsGAQQB  gjcZAaASBBDVqLtSbD/oR6YHGq+PNID0ghRhZHNlcnZlci5leGFtcGxlLmNvbTAN  BgkqhkiG9w0BAQUFAAOCAQEAM7RqqBlu7t4fcqECr2wo4JxNhcvx3X/neTQwgGKA  s0ORxikhEw8/MofzzTOzcABx8mlG2XcjBjOjlTq3ezUqgVQB3SggqM8R3btlVCt0  1CYCKxb7g1w+IOyeU/LjXZhmk1lnPmysZgEkT1VfBx4xowHAmlZO48TcjhA/5+Fu  PcmeSXkGau20kFu11Y49aj5/sYGAK2WNgkDzCxo7vz/mSlyjEDFVT66NHVl3juVF  Y/Ymj0GPsW9Nh/3/y2VYKJFxVIPGEHSH9eSvtPUu++TgtNkxfKxPgjOu0vTIKisy  RR6i66q5Y+szSHxpXvW0StmvBZskbJmuSnQC6QdnSvoZVw==  -----END CERTIFICATE-----  subject=/CN=adserver.example.com  issuer=/DC=com/DC=example/CN=example-ADSERVER-CA  ---  Acceptable client certificate CA names  /DC=com/DC=example/CN=example-ADSERVER-CA  /CN=adserver.example.com  /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority  /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority  /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority  /CN=NT AUTHORITY  ---  SSL handshake has read 2140 bytes and written 459 bytes  ---  New, TLSv1/SSLv3, Cipher is AES128-SHA  Server public key is 2048 bit  Secure Renegotiation IS NOT supported  Compression: NONE  Expansion: NONE  SSL-Session:      Protocol  : TLSv1      Cipher    : AES128-SHA      Session-ID: 0908000095B93DAB72C80378CB4A9A87C116CBFA47B3046953BDC5D0A123FBF9      Session-ID-ctx:      Master-Key: 605B7D5B698F92AE6350A8D98A9FFFBB3C19688060100C899F6447F097B2BEB132687079F0D05092612F462E458EDCA8      Key-Arg   : None      Krb5 Principal: None      Start Time: 1313109018      Timeout   : 300 (sec)      Verify return code: 0 (ok)  ---  DONE

6. Import the Root CA Certificate

The certificate should be copied into /etc/openldap/cacerts:

# cp /root/rootCA.cer /etc/openldap/cacerts  # cacertdir_rehash /etc/openldap/cacerts

7. Test ldapsearch works  with LDAPS

This line must be present in /etc/openldap/ldap.conf:

TLS_CACERTDIR /etc/openldap/cacerts

Now LDAPS searches can be performed:

# ldapsearch -v -x -H ldaps://adserver.example.com/ \  -D "CN=ldapsearch,CN=Users,DC=example,DC=com" -b "DC=example,DC=com" \  -w ld@p53arch -s sub "cn=unix1"  ldap_initialize( ldaps://adserver.example.com/ )  filter: cn=unix1  requesting: All userApplication attributes  # extended LDIF  #  # LDAPv3  # base <DC=example,DC=com> with scope subtree  # filter: cn=unix1  # requesting: ALL  #    # unix1, UNIX, example.com  dn: CN=unix1,OU=UNIX,DC=example,DC=com  objectClass: top  objectClass: person  objectClass: organizationalPerson  objectClass: user  cn: unix1  distinguishedName: CN=unix1,OU=UNIX,DC=example,DC=com  instanceType: 4  whenCreated: 20110809102742.0Z  whenChanged: 20110810132335.0Z  uSNCreated: 20816  memberOf: CN=unixgrp1,OU=UNIX,DC=example,DC=com  uSNChanged: 21194  name: unix1  objectGUID:: 8dUSWOctkEaf5x7FkpXrgw==  userAccountControl: 512  badPwdCount: 0  codePage: 0  countryCode: 0  badPasswordTime: 129574586131856092  lastLogoff: 0  lastLogon: 129574589801917979  pwdLastSet: 129574562159321288  primaryGroupID: 513  objectSid:: AQUAAAAAAAUVAAAA9P+gsh3KJO48P5XaUAQAAA==  accountExpires: 9223372036854775807  logonCount: 72  sAMAccountName: unix1  sAMAccountType: 805306368  userPrincipalName: unix1@example.com  objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com  dSCorePropagationData: 16010101000000.0Z  lastLogonTimestamp: 129574227701101793  uid: unix1  msSFU30Name: unix1  msSFU30NisDomain: example  uidNumber: 10000  gidNumber: 10000  unixHomeDirectory: /home/unix1  loginShell: /bin/sh    # search reference  ref: ldaps://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com    # search reference  ref: ldaps://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com    # search reference  ref: ldaps://example.com/CN=Configuration,DC=example,DC=com    # search result  search: 2  result: 0 Success    # numResponses: 5  # numEntries: 1  # numReferences: 3  #

NB. Fully qualified host names must be used, since those names are in ther certifcate. Short host names won't work:

# ldapsearch -v -x -H ldaps://adserver/ \  -D "CN=ldapsearch,CN=Users,DC=example,DC=com" -b "DC=example,DC=com" \  -w ld@p53arch -s sub "cn=unix1"  ldap_initialize( ldaps://adserver:636/??base )  ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

8. Change /etc/sss/sssd.conf to use LDAPS rather than LDAP

We already know that LDAP works. We need to change the mechanism from simple to simple over TLS. Again we also must be careful to use the FQDN:

Change/Add these lines:

ldap_uri = ldaps://adserver.example.com/  tls_cacertdir = /etc/openldap/cacerts  ldap_tls_reqcert = demand

Restart SSSD:

# # service sssd restart Stopping sssd:                                             [  OK  ] Starting sssd:                                             [  OK  ]

We can verify that lookups are now working:

# getent passwd unix1  unix1:x:10000:10000:unix1:/home/unix1:/bin/sh  # getent group unixgrp1  unixgrp1:*:10000:  # id -a unix1  uid=10000(unix1) gid=10000(unixgrp1) groups=10000(unixgrp1)

And moreover, a tcpdump of port 389 will show no unencrypted traffic being used.

9. Verify that Kerberos works

Edit the kerberos krb5.conf file to specify the domain and REALM:

/etc/krb5.conf:

[logging]   default = FILE:/var/log/krb5libs.log   kdc = FILE:/var/log/krb5kdc.log   admin_server = FILE:/var/log/kadmind.log    [libdefaults]   default_realm = EXAMPLE.COM   dns_lookup_realm = false   dns_lookup_kdc = false   ticket_lifetime = 24h   renew_lifetime = 7d   forwardable = true    [realms]   EXAMPLE.COM = {    kdc = adserver.example.com    admin_server = adserver.example.com   }    [domain_realm]   .example.com = EXAMPLE.COM   example.com = EXAMPLE.COM

We can use a user's ID and password to verify that kerberos works for user principals:

# kinit unix1@EXAMPLE.COM  Password for unix1@EXAMPLE.COM:  # klist -e  Ticket cache: FILE:/tmp/krb5cc_0  Default principal: unix1@EXAMPLE.COM    Valid starting     Expires            Service principal  08/11/11 17:00:17  08/12/11 03:00:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM          renew until 08/18/11 17:00:17, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

/etc/krb5.conf must be edited to specify the default realm. And "verify_ap_req_nofail = false" can be added to ignore missing host principals (/etc/krb5/krb5.keytab) until they have been set up.

Now for this to be useful, PAM must be configured to use kerberos

10. Configure SSS to use Kerberos

NB. This is really annoying. Whilst commands like "kinit, klist" use /etc/krb5.conf, SSSD on the other hand wants this within /etc/sssd/sssd.conf.

/etc/sssd/sssd.conf:

...  auth_provider = krb5  chpass_provider = krb5  krb5_realm = EXAMPLE.COM  krb5_kdcip = 192.168.102.10  ...

11. Configure PAM to use SSS

Linux PAM is divided into multiple files.

Edit /etc/pam.conf to add the pam_krb5.so.1 library file at these locations:

/etc/pam.d/system-auth-ac

#%PAM-1.0  # This file is auto-generated.  # User changes will be destroyed the next time authconfig is run.  auth        required      pam_env.so  auth        sufficient    pam_fprintd.so  auth        sufficient    pam_unix.so nullok try_first_pass  auth        requisite     pam_succeed_if.so uid >= 500 quiet  auth        sufficient    pam_sss.so use_first_pass  auth        required      pam_deny.so    account     required      pam_unix.so  account     sufficient    pam_localuser.so  account     sufficient    pam_succeed_if.so uid < 500 quiet  account     [default=bad success=ok user_unknown=ignore] pam_sss.so  account     required      pam_permit.so    password    requisite     pam_cracklib.so try_first_pass retry=3 type=  password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok  password    sufficient    pam_sss.so use_authtok  password    required      pam_deny.so    session     optional      pam_keyinit.so revoke  session     required      pam_limits.so  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid  session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077  session     optional      pam_sss.so  session     required      pam_unix.so

/etc/pam.d/password-auth-ac

#%PAM-1.0  # This file is auto-generated.  # User changes will be destroyed the next time authconfig is run.  auth        required      pam_env.so  auth        sufficient    pam_unix.so nullok try_first_pass  auth        requisite     pam_succeed_if.so uid >= 500 quiet  auth        sufficient    pam_sss.so use_first_pass  auth        required      pam_deny.so    account     required      pam_unix.so  account     sufficient    pam_localuser.so  account     sufficient    pam_succeed_if.so uid < 500 quiet  account     [default=bad success=ok user_unknown=ignore] pam_sss.so  account     required      pam_permit.so    password    requisite     pam_cracklib.so try_first_pass retry=3 type=  password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok  password    sufficient    pam_sss.o use_authtok  password    required      pam_deny.so    session     optional      pam_keyinit.so revoke  session     required      pam_limits.so  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid  session     required      pam_unix.so  session     optional      pam_sss.so

12. Verifying Services

Because the pam_mkhomedir.so library is included, the user's home directory should be created automatically. Then check all the authentication methods (eg console access, ssh, etc)

Login:

Red Hat Enterprise Linux Server release 6.0 (Santiago)  Kernel 2.6.32-71.el6.x86_64 on an x86_64    rhel6host1 login: unix1  Password:  Creating directory '/home/unix1'.  Last login: Thu Aug 11 17:29:08 from localhost.localdomain  -sh-3.2$

SSH:

# ssh unix1@localhost  The authenticity of host 'localhost (::1)' can't be established.  RSA key fingerprint is 15:f2:5b:03:8e:38:fc:d0:ab:4b:06:89:ff:44:54:9b.  Are you sure you want to continue connecting (yes/no)? yes  Warning: Permanently added 'localhost' (RSA) to the list of known hosts.  unix1@localhost's password:  Last login: Thu Aug 11 17:31:22 2011 from localhost.localdomain  -sh-4.1$ exit  logout  Connection to localhost closed.

Changing Password:

-sh-4.1$ passwd  Changing password for user unix1.  Current Password:  New password:  Retype new password:  passwd: all authentication tokens updated successfully.

13. Create a host principal keytab in Windows.

To create a host keytab in Windows, first a computer account must exist (this was created in the previous blog). Then create a host principal mapped to that user.

NB. Keytabs need to use the fully qualified domain name.

NB. Keytabs must use encryption which is supported by both ends.

Suggestion: Either use /crypto all, or a known cryptosystem which is supported (eg AES256-SHA1).

There is a Security Policy, which has a checkbox list of all the Supported types:

Security Settings -> Local Policies -> Security Options -> Network Security: Configure encryption types allowed for Kerberos
DES_CBC_CRC
DES_CBC_MD5
RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future Encryption Types

eg (line split for easy reading)

C:\>ktpass /princ host/rhel6host1.example.com@EXAMPLE.COM \  /ptype KRB5_NT_PRINCIPAL /out C:\temp\rhel6host1.keytab /pass mypass \  /crypto AES256-SHA1 /mapuser EXAMPLE\rhel6host1  Targeting domain controller: adserver.example.com  Successfully mapped host/rhel6host1.example.com to RHEL6HOST1$.  WARNING: Account RHEL6HOST1$ is not a user account (uacflags=0x1021).  WARNING: Resetting RHEL6HOST1$'s password may cause authentication problems if R  HEL6HOST1$ is being used as a server.    Reset RHEL6HOST1$'s password [y/n]?  y  Password succesfully set!  WARNING: pType and account type do not match. This might cause problems.  Key created.  Output keytab to C:\temp\rhel6host1.keytab:  Keytab version: 0x502  keysize 90 host/rhel6host1.example.com@EXAMPLE.COM ptype 1 (KRB5_NT_PRINCIPAL) v  no 3 etype 0x12 (AES256-SHA1) keylength 32 (0x9e2d5c7b1a6d18938d71a652144c33a64e  dd34c47382471a989621f40281dfd2)

This file can now be copied to /etc/krb5.keytab, and verified as follows:

# klist -ke  Keytab name: WRFILE:/etc/krb5.keytab  KVNO Principal  ---- --------------------------------------------------------------------------     3 host/rhel6host1.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)  # kinit -k

If kinit doesn't complain, then principal keytab is working, however, this might not be the end of the story. If an encryption scheme is not allowed, the following message may occur:

Aug 11 11:09:22 localhost sshd[14627]: pam_krb5[14627]: TGT failed verification using keytab and key for 'host/rhel5host1.example.com@EXAMPLE.COM': Key table entry not found
Aug 11 11:09:22 localhost sshd[14627]: pam_krb5[14627]: authentication fails for 'unix1′ (unix1@EXAMPLE.COM): Authentication failure (Success)
Aug 11 11:09:24 localhost sshd[14627]: Failed password for unix1 from 127.0.0.1 port 45476 ssh2





Popular posts from this blog

Shrink you container size up to 95%.

-
BLAFS is a bloat-aware filesystem for container debloating. The design principles of BLAFS are effective, efficient, and easy to use. It detects the files used by the container, and then debloats the container by removing the unused files. The debloated containers are still functional and can run the same workload as the original containers, but with a much smaller size and faster deployment. https://github.com/negativa-ai/BLAFS?tab=readme-ov-file
Read more

alma linux: dnf Module yaml error: Unexpected key in data

-
While applying recent updates to a server running Rocky Linux 8, an error presented itself. Module yaml error: Unexpected key in data: static_context [line 9 col 3] Module yaml error: Unexpected key in data: static_context [line 9 col 3] The solution turned out to be a simple one. Update the libmodulemd first to correct the problem then perform the dnf updates as usual. dnf update libmodulemd For a detailed explanation as to the cause of this problem.
Read more