Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Hello all,
I have been grappling with the following issue and there doesn't seem to be any light at the end of the tunnel.
Background:
Attempting to implement single sign-on functionality between Linux (CentOS) client servers and Windows Active Directory via the use of the Windows KDC (Kerberos Key Distribution Center).
The authentication works. Accounts that are located in Active Directory are able to authenticate themselves onto the Linux clients (and home directories are created for those users). All the correct packages are installed on the Linux hosts, most notably OpenLDAP, Samba, OpenSSH and Krb5 (Kerberos version 5). See below for the configurations.
Attempting to implement single sign-on via Kerberos. The idea behind this is as follows: once a user authenticates himself against AD and generates a TGT (Ticket Granting Ticket) via Kerberos, he should be able to use a service ticket to bypass password authentication on machines that are part of the same AD/KDC domain/realm.
SSH is the ONLY method of establishing connections to services and hosts in this environment.
The problem is as follows: (1) Once a user authenticates onto the CentOS client, a TGT is generated. When the same user then attempts to SSH into a different server (CentOS client) host, the user is STILL prompted for a password. This SHOULD NOT be the case since the user has authenticated himself to AD via OpenLDAP over Kerberos.
In order to "Kerberize" the SSH service, meaning, in order to make SSH use Kerberos authentication as opposed to password authentication, the appropriate flags have been set within the sshd_config and ssh_config files. We have done this.
The Windows Side:
When using a Windows domain controller as the KDC for a mixed-platform Kerberos environment, a method is needed to extract keys from the Windows KDC into keytab entries for Unix hosts and services.
We have created a user account for the service (SSH) in Active Directory because AD does not handle the Kerberos-style username and instance principal format, and we have generated a keytab file for the SSH service, which was done using the KTPass utility within AD.
The KTPass program handles the mapping between the username and service principal name in the AD database and, as mentioned before, generates a keytab file that maps the host and the service.
Once we generate the keytab file we export it to the Linux host (CentOS server) and attempt to SSH to another host. However, we are prompted for a password. That shouldn't be the case. The keytab file should allow SSH to use Kerberos authentication instead of password authentication.
I wanted to know if there are ANY OTHER configurations that need to be made on the CentOS side in order for this to work. Any thoughts, comments, ideas would be helpful. Thank you all in advance.
[realms]
MYREALM.COM = {
kdc = Fxxxxxx.myrealm.com:88
kdc = Sxxxxxx.myrealm.com:88
admin_server = Fxxxxxxx.myrealm.com:749
}
[domain_realm]
.myrealm.com = MYREALM.COM
myrealm.com = MYREALM.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
autologin = true
forward = true
forwardable = true
}
-----------------------------------------------------------------
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files
#hosts: db files nisplus nis dns
hosts: files dns
#================================================================
# Under local RCS control
#================================================================
# $Source: /etc/RCS/ldap.conf,v $
# $Id: ldap.conf,v 1.2 2009/11/17 21:20:00 root Exp $
# $Date: 2009/11/17 21:20:00 $
#================================================================
# Epoch: 2009-11-17, jbowes (Taos Contractor) [ #:# ]
#================================================================
#================================================================
base dc=myrealm,dc=com
binddn CN=LDAPUser,CN=Users,DC=myrealm,DC=com
# The credentials to bind with.
# Optional: default is no credential.
bindpw Str0ngPassw0rd
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn CN=LDAPUser,CN=Users,DC=myrealm,DC=com
#rootbinddn cn=myrealmldap,dc=myrealm,dc=com
scope base
timelimit 120
# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member
# Setup for Danger
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
pam_filter objectclass=User
ssl on
tls_cacert /etc/openldap/cacerts/certnew.pem
# Client certificate and key
# Use these, if your server requires client authentication.
tls_cert
tls_key
# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0
----------------------------------------------------------
#======================= Global Settings =====================================
[global]
# ----------------------- Network Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specify it as a per share option as well
#
workgroup = MYWORKGROUP
server string = Fxxxxxxxxx.MYREALM.COM
security = ADS
idmap uid = 30000-30039
idmap gid = 30001-30009
template shell = /bin/bash
winbind use default domain = true
realm = MYREALM.COM
encrypt passwords = yes
#netbios name = machinename
password server = Fxxxxxxxx.myrealm.com
use kerberos keytab = true
interfaces = eth0 lo
hosts allow = 127. 192.168.12. 192.168.13.
In addition, the /etc/hosts and /etc/resolv.conf files are updated with the proper DNS information. Also the sshd_config and the ssh_config files have been updated with the proper Kerberos flags.
kbp: Running ssh in super verbosity didn't reveal anything but only the generic error about GSSAPI: host not found in Kerberos database. Reviewing the contents of the krb.keytab shows that we do have the host principal listed in the keytab file.
ssh -vvv
debug1: Next authentication method: gssapi-with-mic
Unspecified GSS failure + Server not found in Kerberos database
I didn't realize there was a pam_krb5 add-on that was required. But that makes sense. I'll dig around and try to call the proper library files by using pam_krb5. Having a mixed environment does pose a daunting task if you are short on time or have limited experience with the Windows KDC functionality. However, the biggest advantage I can see is that having a centralized AD structure via LDAP is a lot simpler to administer than an OpenLDAP solution. It really depends on where you feel most comfortable.
I've spent most of my time as a Windows guy but started out doing other OSes, and I think that LDAP and Kerberos are actually easier to admin on the Linux side... but you have to actually read the docs instead of "next, next, next". There is a point where Linux does not scale down as easily though, since it does take quite a while to understand what stuff like SPNs, UIDs, OIDs and DNs all mean.
The side of the shop is getting smaller though. Unless Microsoft starts integrating stuff like SCOMM into the OS, they are going to be in trouble as a server OS. I said that to my MS rep when he came by to talk about Win7 licensing, which is what triggered looking into Linux as an alternative in the first place. I also asked when he thought Windows would start running on the Linux kernel, but he didn't think that was funny.
Back on topic, you may need to enable PAM in your SSH config as well.
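The "Server not found in Kerberos database" output in the thread and the suggestion to enable PAM in the SSH config both come down to two checks that can be run on the CentOS host. The script below is an added example, not code from this thread or from any of its posters: it takes the text of `klist -kt /etc/krb5.keytab` and of sshd_config and reports whether the host/<fqdn>@REALM service principal that sshd's GSSAPI acceptor needs is present (including the common case of a principal that differs only in letter case) and whether GSSAPIAuthentication and UsePAM are enabled. The host name centos01.myrealm.com, the realm MYREALM.COM, the keytab listing and the sshd_config excerpt are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread. It checks the two things
# behind the "Server not found in Kerberos database" GSSAPI failure:
# 1. Does the keytab hold host/<fqdn>@<REALM> for this host? sshd accepts
#    GSSAPI only with that service principal; a plain user principal produced
#    by ktpass for the service account is not enough.
# 2. Are GSSAPIAuthentication and UsePAM enabled in sshd_config?
# Inputs are the text of `klist -kt /etc/krb5.keytab` and of sshd_config, so the
# checks run offline on constructed samples; centos01.myrealm.com and
# MYREALM.COM are placeholders, not values taken from the thread.

# Print only the principal column of a `klist -kt` listing (lines whose first
# field is a numeric KVNO); the header and separator lines are skipped.
keytab_principals() {
    printf '%s\n' "$1" | while read -r kvno rest; do
        case "$kvno" in
            ''|*[!0-9]*) ;;                      # header, dashes, blank line
            *) printf '%s\n' "${rest##* }" ;;    # last word is the principal
        esac
    done
}

# Return 0 if the exact principal host/<fqdn>@<REALM> is in the listing.
# Principal comparison is case-sensitive, so the realm must be upper case.
keytab_has_host_principal() {
    keytab_principals "$1" | grep -qxF "host/$2@$3"
}

# Return 0 (and print it) if a principal matches only case-insensitively,
# e.g. the realm was typed in lower case when the keytab was generated.
keytab_case_mismatch() {
    keytab_principals "$1" | grep -ixF "host/$2@$3" | grep -vxF "host/$2@$3"
}

# Return 0 if the sshd_config text sets <option> to yes on an uncommented line.
sshd_option_yes() {
    printf '%s\n' "$1" | grep -qiE "^[[:space:]]*$2[[:space:]]+yes[[:space:]]*$"
}

# Print the required sshd options that are not enabled; return 0 if none.
sshd_missing_options() {
    miss=""
    for opt in GSSAPIAuthentication UsePAM; do
        sshd_option_yes "$1" "$opt" || miss="$miss $opt"
    done
    printf '%s\n' "${miss# }"
    [ -z "$miss" ]
}

# Run both checks; return 0 only if nothing needs fixing. Live use would be:
# diagnose "$(klist -kt /etc/krb5.keytab)" "$(cat /etc/ssh/sshd_config)" "$(hostname -f)" MYREALM.COM
diagnose() {
    listing="$1"; sshdconf="$2"; fqdn="$3"; realm="$4"; status=0
    if keytab_has_host_principal "$listing" "$fqdn" "$realm"; then
        echo "ok: keytab contains host/$fqdn@$realm"
    else
        status=1
        echo "missing: host/$fqdn@$realm is not in the keytab"
        if keytab_case_mismatch "$listing" "$fqdn" "$realm" >/dev/null; then
            echo "  note: a principal differing only in case exists; Kerberos principals are case-sensitive"
        fi
    fi
    missing=$(sshd_missing_options "$sshdconf") || status=1
    [ -n "$missing" ] && echo "sshd_config: set these to yes: $missing"
    return "$status"
}

# Constructed samples showing the failure mode: a user principal from ktpass
# plus a host principal with a lower-case realm, and UsePAM left commented out.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/17/09 21:20:00 sshuser@MYREALM.COM
   3 11/17/09 21:20:00 host/centos01.myrealm.com@myrealm.com'
SAMPLE_SSHD='GSSAPIAuthentication yes
#UsePAM yes
PasswordAuthentication yes'

diagnose "$SAMPLE_KEYTAB" "$SAMPLE_SSHD" centos01.myrealm.com MYREALM.COM || echo "changes needed"
```

The KDC error itself comes from Active Directory, not from sshd: the client asks the KDC for a service ticket for host/<canonical name of the target>@REALM, and "Server not found in Kerberos database" means no AD account carries that SPN. The principal passed to ktpass therefore has to be exactly that host/ principal (the mapped user account on its own is not enough), the keytab it produces has to be the one sshd reads, and the name the client connects with has to resolve to the same canonical host name that is in the SPN.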