Old 07-31-2015, 04:25 AM   #1
sang150590@gmail.com
LQ Newbie
 
Registered: Jul 2015
Posts: 3

Rep: Reputation: Disabled
Linux authentication with LDAP kerberos


I have configured my RHEL Linux machine to be authenticated against Active Directory without joining it to the domain, using nss-pam-ldapd, pam_ldap, samba-winbind, openldap-devel and krb5-devel.
I am able to log in on Linux machines using Active Directory accounts, but I am not sure if Kerberos is being used during authentication, because I don't see the TGT in the Linux machine's local cache; but when I use "kinit username" and then check with klist, I do see the TGT.
I am a little confused about how to confirm whether Kerberos is being used or not.

Thanks,
Subodh.
 
Old 08-01-2015, 01:53 AM   #2
paul2015
Member
 
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 148

Rep: Reputation: 4
If kinit and klist are working and you see the TGT, it means Kerberos is working. Create a new test account and try to authenticate; if it is successful, that will be another check that Kerberos is being used.
 
1 members found this post helpful.
Old 08-27-2015, 10:28 AM   #3
sang150590@gmail.com
LQ Newbie
 
Registered: Jul 2015
Posts: 3

Original Poster
Rep: Reputation: Disabled
Hi, thanks. I checked with the tcpdump command while logging into it with a domain account from another console, and I do see traffic on Kerberos port 88, so I think this confirms that it's using Kerberos during authentication.
 
Old 08-27-2015, 02:26 PM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241
Did you remember to get a host ticket for local authentication use? Without it, Kerberos logins can't work, but kinit and such will work - after logging in. The reason it is needed is that it cannot authenticate the KDC without one.
 
1 members found this post helpful.
Old 08-28-2015, 05:06 AM   #5
sang150590@gmail.com
LQ Newbie
 
Registered: Jul 2015
Posts: 3

Original Poster
Rep: Reputation: Disabled
Hi, thanks. Yes, ideally the Linux box should have a ticket in its cache after logging in with a domain account, but I don't see any ticket in the local cache when I check with the klist command.
But when I checked with "tcpdump -I eth1 port 88", I get the response below.
16:16:11.668583 IP MyLinuxBox.46509 > MyWindowsDomainController.kerberos: v5
16:16:11.669810 IP MyWindowsDomainController.kerberos > MyLinuxBox.46509:
So I was wondering how it is happening.
 
Old 08-28-2015, 07:50 AM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241
It is possible if you have a keytab AND the login process is not configured to save the TGT.

The way the login is supposed to work is that the user's ticket is just a byproduct. It isn't the goal.

A Kerberos login works by:

0. Get the user's login identity (and sometimes the principal name - otherwise use the login identity).
1. Ask for a TGT from the KDC (which requires the user's password to decrypt).
2. Get a service ticket for the local machine.
3. Decrypt the service ticket using the host keytab.
4. If steps 1-3 succeed, set up the user's session.
5. Save credentials.

The user's TGT (and the cache) are the byproduct of step 1. It requires code to save the ticket (it is stored in a memory-resident cache for use in all three steps). Only after step 3 is completed (and the user account is set up) can the user's credentials be copied to a user-accessible cache. Step 5 is optional.

At this point it depends on the utility you are using to log in (it may not allow saving), and the /etc/krb5.conf file:

http://www.eyrie.org/~eagle/software.../pam-krb5.html

I'm assuming you are using PAM for the login. Some systems (such as RH and RH-derived systems) put the user's cache in odd places (/run/user/<uid>/...), so things have to be compiled appropriately, and the user's KRB5CCNAME has to be set by PAM. (See the reference file for how to retain cache entries...)

Last edited by jpollard; 08-28-2015 at 07:52 AM.
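A small diagnostic script, added here as an example and not part of jpollard's post or the thread, that checks the evidence each step of the login sequence above leaves behind: a host/<fqdn> key in the keytab (step 3), and a krbtgt/ ticket plus a host/<fqdn> service ticket in the user's cache (steps 1, 2 and 5). A cache holding only the krbtgt/ entry is what a bare kinit produces, which is the distinction the original poster was after. The klist output, hostname, realm and user principal are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). klist output is passed in as text so
# the checks can be run against captured output; all samples are constructed.

# Step 3 needs a host/<fqdn> key in the keytab. $1 = `klist -kt` text, $2 = fqdn.
keytab_has_host_principal() {
    printf '%s\n' "$1" | grep -qF "host/$2@"
}

# Steps 1 and 2 leave a krbtgt/ ticket and a host/<fqdn> service ticket in the
# cache; a bare kinit leaves only the krbtgt/ entry. $1 = `klist` text, $2 = fqdn.
ccache_has_tgt() {
    printf '%s\n' "$1" | grep -qF 'krbtgt/'
}
ccache_has_host_ticket() {
    printf '%s\n' "$1" | grep -qF "host/$2@"
}

# Verdict: 0 = PAM-style login evidence (TGT + host ticket), 1 = TGT only
# (looks like a manual kinit), 2 = no Kerberos credentials at all.
classify_ccache() {
    if ccache_has_tgt "$1" && ccache_has_host_ticket "$1" "$2"; then return 0; fi
    if ccache_has_tgt "$1"; then return 1; fi
    return 2
}

# Step 5: find the cache PAM may have written for a uid, checking the RH-style
# /run/user location before the classic /tmp one. $2 is an optional root
# prefix so the lookup can be pointed at a staging directory.
find_user_ccache() {
    for c in "$2/run/user/$1/krb5cc" "$2/tmp/krb5cc_$1"; do
        [ -s "$c" ] && { printf '%s\n' "$c"; return 0; }
    done
    return 1
}

# Constructed sample klist output for the checks above.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
   2 01/01/2015 00:00:00 host/mylinuxbox.example.com@EXAMPLE.COM'
CCACHE_AFTER_KINIT='Default principal: alice@EXAMPLE.COM
Valid starting     Expires            Service principal
08/28/15 16:16:11  08/29/15 02:16:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM'
CCACHE_AFTER_LOGIN="$CCACHE_AFTER_KINIT
08/28/15 16:16:11  08/29/15 02:16:11  host/mylinuxbox.example.com@EXAMPLE.COM"

keytab_has_host_principal "$KEYTAB_LISTING" mylinuxbox.example.com && echo "keytab: host key present"
classify_ccache "$CCACHE_AFTER_LOGIN" mylinuxbox.example.com; echo "login cache verdict: $?"
```

On a real box, feed the functions `"$(klist -kt /etc/krb5.keytab)"`, `"$(klist)"` and `"$(hostname -f)"`; a verdict of 1 right after a PAM login points at the cache not being saved, exactly the case jpollard describes.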
 