Old 07-26-2010, 01:10 AM   #1
LQ Newbie
Registered: Jul 2010
Location: Chicago, IL
Distribution: CentOS
Posts: 4

Rep: Reputation: 0
Kerberos: CentOS openLDAP Clients + Windows KDC

Hello all,
I have been grappling with the following issue and there doesn't seem to be any light at the end of the tunnel.

Attempting to implement a single sign on functionality between Linux (CENTOS) client servers and Windows Active Directory via the use of the Windows KDC (Kerberos Key Distribution Center)

The authentication works. Accounts that are located in Active Directory are able to authenticate themselves onto the Linux clients (and home directories are created for those users). All the correct packages are installed on the Linux hosts, most notably OpenLDAP, Samba, OpenSSH and Krb5 (Kerberos version 5). See below for the configurations.

Attempting to implement single sign on via Kerberos. The idea behind this is as follows: once a user authenticates himself against AD and generates a TGT (Ticket Granting Ticket) via Kerberos, he should be able to use a service ticket to bypass password authentication on machines that are part of the same AD/KDC domain/realm.

SSH is the ONLY method of establishing connections to services and hosts in this environment.

The problem is as follows: (1) Once a user authenticates onto the CentOS client a TGT is generated. When the same user then attempts to SSH into a different server (CentOS client) host, the user is STILL prompted for a password. This SHOULD NOT be the case since the user has authenticated himself to AD via OpenLDAP over Kerberos.

In order to "Kerberize" the SSH service, meaning, in order to make ssh use Kerberos authentication as opposed to password authentication, the appropriate flags have been set within the sshd_conf and ssh_conf files. We have done this.

The Windows Side:

When using a Windows domain controller as the KDC for a mixed platform Kerberos environment, a method is needed to extract keys from the Windows KDC into keytab entries for Unix hosts and services.

We have created a user account for the service (SSH) in Active Directory because AD does not handle the Kerberos style username and instance principal format, and we have generated a keytab file for the SSH service, which was done using the KTPass utility within AD.

The KTPass program handles the mapping between the username and service principal name in the AD database and, as mentioned before, generates a keytab file that maps the host and the service.

Once we generate the keytab file we export it to the Linux host (CentOS server) and attempt to SSH to another host. However, we are prompted for a password. That shouldn't be the case. The keytab file should allow SSH to use Kerberos authentication instead of password authentication.

I wanted to know if there are ANY OTHER configurations that are needed to be made on the CentOS side in order for this to work. Any thoughts, comments, ideas would be helpful. Thank you all in advance.

# /etc/krb5.conf
# The [section] headers and closing braces below were lost in the forum paste
# and are restored; the realm names and KDC/admin_server hostnames were left
# blank by the poster and are kept blank here.
# $Source: /etc/RCS/krb5.conf,v $
# $Id: krb5.conf,v 1.1 2009/11/17 22:33:09 root Exp $
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm =
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
# clockskew = 3000

[realms]
 MYREALM.COM = {
  kdc =
  kdc =
  admin_server =
 }

# The posted line read "[domain_realm] = MYREALM.COM = MYREALM.COM"; the two
# mappings below are the usual shape (DNS domain, lower case, to realm, upper case).
[domain_realm]
 .myrealm.com = MYREALM.COM
 myrealm.com = MYREALM.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
  autologin = true
  forward = true
 }
# /etc/nsswitch.conf
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
# Legal entries are:
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files ldap
shadow: files ldap
group: files
#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: nisplus

publickey: nisplus

automount: files nisplus
aliases: files nisplus

#Point to the domain controllers


# Under local RCS control
# $Source: /etc/RCS/ldap.conf,v $
# $Id: ldap.conf,v 1.2 2009/11/17 21:20:00 root Exp $
# $Date: 2009/11/17 21:20:00 $
# Epoch: 2009-11-17, jbowes (Taos Contractor) [ #:# ]
base dc=myrealm,dc=com

binddn CN=LDAPUser,CN=Users,DC=myrealm,DC=com

# The credentials to bind with.
# Optional: default is no credential.
bindpw Str0ngPassw0rd
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn CN=LDAPUser,CN=Users,DC=myrealm,DC=com
#rootbinddn cn=myrealmldap,dc=myrealm,dc=com

scope base

timelimit 120

# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

idle_timelimit 3600

pam_password ad

nss_base_passwd CN=Users,dc=myrealm,dc=com
nss_base_shadow CN=Users,dc=myrealm,dc=com
# The posted line had "dc=myream" here, which would never match the realm's base DN
nss_base_group ou=Group,dc=myrealm,dc=com

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Setup for Danger
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup Group
pam_filter objectclass=User

ssl on

tls_cacert /etc/openldap/cacerts/certnew.pem

# Client certificate and key
# Use these, if your server requires client authentication.

# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0
# /etc/samba/smb.conf (the [global] section header was lost in the forum paste)
#======================= Global Settings =====================================
[global]

# ----------------------- Network Related Options -------------------------
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
# server string is the equivalent of the NT Description field
# netbios name can be used to specify a server name not tied to the hostname
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specify it as a per share option as well

workgroup = MYWORKGROUP
server string = Fxxxxxxxxx.MYREALM.COM
security = ADS
idmap uid = 30000-30039
idmap gid = 30001-30009
template shell = /bin/bash
winbind use default domain = true
encrypt passwords = yes
#netbios name = machinename
password server =
use kerberos keytab = true
interfaces = eth0 lo
hosts allow = 127. 192.168.12. 192.168.13.

In addition, the /etc/hosts and /etc/resolv.conf files are updated with the proper DNS information. Also the SSHD_CONF and the ssh_conf files have been updated with the proper Kerberos flags.
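The krb5.conf above is the file most of the later replies depend on, and a blank default_realm or kdc line is enough to make every GSSAPI attempt fail before the keytab is ever consulted. The following is an added example, not code from the thread or from MIT Kerberos: a small parser for the krb5.conf syntax (sections plus the brace blocks used under [realms] and [appdefaults]) and a checker that reports the empty or miscased values a client would trip over. Both sample configs are constructed to mirror the layout of the posted file, with placeholder realm and host names.

```python
"""Added example: parse a krb5.conf and report client-side misconfigurations.
Not from the thread; the two sample configs below are constructed."""
import re

# Constructed: a well-formed file with the same sections as the posted one.
SAMPLE = """\
[logging]
 default = FILE:/var/log/krb5libs.log
[libdefaults]
 default_realm = MYREALM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 MYREALM.COM = {
  kdc = dc1.myrealm.com:88
  kdc = dc2.myrealm.com:88
  admin_server = dc1.myrealm.com:749
 }
[domain_realm]
 .myrealm.com = MYREALM.COM
 myrealm.com = MYREALM.COM
[appdefaults]
 pam = {
  debug = false
  forwardable = true
 }
"""

# Constructed: the shape the posted file is in (values blank).
BROKEN = """\
[libdefaults]
 default_realm =
 dns_lookup_kdc = false
[realms]
 MYREALM.COM = {
  kdc =
 }
"""


def _store(block, key, value):
    """Keep repeated keys (several kdc lines) as a list, in file order."""
    if key in block:
        if not isinstance(block[key], list):
            block[key] = [block[key]]
        block[key].append(value)
    else:
        block[key] = value


def parse_krb5_conf(text):
    """Return {section: {key: value | [values] | {nested block}}}."""
    sections, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                     # new [section]
            current = sections.setdefault(m.group(1), {})
            stack = [current]
            continue
        if current is None:
            raise ValueError(f"line outside any section: {raw!r}")
        if line == "}":                           # end of a brace block
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                          # start of 'name = { ... }'
            block = {}
            _store(stack[-1], key, block)
            stack.append(block)
        else:
            _store(stack[-1], key, value)
    return sections


def check_krb5_conf(conf):
    """Return a list of problems; an empty list means the basics are present."""
    problems = []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", "")
    if not realm:
        problems.append("libdefaults: default_realm is empty")
    elif realm != realm.upper():
        problems.append(f"libdefaults: default_realm {realm!r} is not upper case")
    realms = conf.get("realms", {})
    if realm and realm not in realms:
        problems.append(f"realms: no block for default realm {realm}")
    for name, block in realms.items():
        if not isinstance(block, dict):
            problems.append(f"realms: {name} is not a {{ }} block")
            continue
        kdcs = block.get("kdc", [])
        kdcs = kdcs if isinstance(kdcs, list) else [kdcs]
        if not any(kdcs):
            problems.append(f"realms: {name} has no kdc value")
    # domain_realm maps a lower-case DNS domain to an upper-case realm name
    for dom, r in conf.get("domain_realm", {}).items():
        if dom != dom.lower() or r != r.upper():
            problems.append(f"domain_realm: {dom} = {r} should map lower-case domain to upper-case realm")
    if lib.get("dns_lookup_kdc", "true").lower() == "false" and not realms:
        problems.append("dns_lookup_kdc is false but no [realms] block names a KDC")
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("broken", BROKEN)):
        print(label, check_krb5_conf(parse_krb5_conf(text)) or "OK")
```

Run against the real file with `parse_krb5_conf(open("/etc/krb5.conf").read())`; with dns_lookup_kdc set to false, as in the posted file, the [realms] block is the only place the client can learn where the Windows KDC is, so an empty kdc line there is fatal.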
Old 07-27-2010, 06:37 PM   #2
Senior Member
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 644
Try using 'ssh -v' (up to 3 'v's can be used for more detail) .. maybe your keytab isn't being generated correctly.

Edit: You can test your keytab file with 'kinit -k ...'

Last edited by kbp; 07-27-2010 at 06:40 PM.
Old 07-29-2010, 10:15 AM   #3
LQ Newbie
Registered: Jul 2008
Posts: 6

Rep: Reputation: 0
Have you changed your /etc/pam.d/system-auth to allow Kerberos as a valid authentication source?

I am interested in any results you get, I'm trying to do something similar, although I am not sure I want to keep the Windows DC as my KDC.
Old 07-30-2010, 03:02 PM   #4
LQ Newbie
Registered: Jul 2010
Location: Chicago, IL
Distribution: CentOS
Posts: 4

Original Poster
Rep: Reputation: 0
see below.

Last edited by najeebs; 07-30-2010 at 03:08 PM.
Old 07-30-2010, 03:07 PM   #5
LQ Newbie
Registered: Jul 2010
Location: Chicago, IL
Distribution: CentOS
Posts: 4

Original Poster
Rep: Reputation: 0
kbp: Running ssh in super verbosity didn't reveal anything but only the generic GSSAPI error about host not found in the Kerberos database. Reviewing the contents of the krb.keytab shows that we do have the host principal listed in the keytab file.

ssh -vvv
debug1: Next authentication method: gssapi-with-mic
Unspecified GSS failure + Server not found in Kerberos database

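The error above comes from the KDC, not from sshd: the ssh client canonicalises the hostname it was given, asks the Windows KDC for a ticket for host/<canonical-fqdn>@REALM, and "Server not found in Kerberos database" means AD has no account with that exact service principal name, regardless of what the keytab on the target host contains. The following is an added example, not code from the thread: it reproduces that reasoning offline with a constructed hosts table standing in for DNS, constructed `klist -kt` output, and a constructed list of the principals ktpass mapped in AD, and it also catches the other common ktpass pitfall, a keytab whose kvno is older than the account's.

```python
"""Added example, not from the thread: explain a GSSAPI 'Server not found in
Kerberos database' failure from constructed data (no Kerberos libraries needed)."""
import re

REALM = "MYREALM.COM"

# Constructed stand-in for DNS: typed name -> canonical FQDN.
HOSTS = {
    "centos1": "centos1.myrealm.com",
    "centos1.myrealm.com": "centos1.myrealm.com",
    "centos2": "centos2.myrealm.com",
    "centos2.myrealm.com": "centos2.myrealm.com",
}

# Constructed: service principals the Windows KDC can issue tickets for
# (what ktpass mapped onto AD accounts) and each account's current kvno.
AD_PRINCIPALS = {
    "host/centos1.myrealm.com@MYREALM.COM": 3,
    "host/centos2@MYREALM.COM": 2,   # mapped with the short name, not the FQDN
}

# Constructed 'klist -kt /etc/krb5.keytab' output as seen on each host.
KEYTAB_CENTOS1 = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/26/10 01:00:00 host/centos1.myrealm.com@MYREALM.COM
"""
KEYTAB_CENTOS1_STALE = KEYTAB_CENTOS1.replace("   3 ", "   2 ")   # exported before a later ktpass run
KEYTAB_CENTOS2 = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/26/10 01:05:00 host/centos2@MYREALM.COM
"""


def expected_principal(typed_host, realm=REALM, hosts=HOSTS):
    """The service principal the ssh client will request from the KDC."""
    fqdn = hosts.get(typed_host.lower(), typed_host.lower())
    return f"host/{fqdn}@{realm}"


def parse_klist_kt(output):
    """Parse 'klist -kt' output into {principal: highest kvno present}."""
    found = {}
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$", line)   # kvno date time principal
        if m:
            kvno, princ = int(m.group(1)), m.group(2)
            found[princ] = max(kvno, found.get(princ, 0))
    return found


def diagnose(typed_host, keytab_output, ad=AD_PRINCIPALS):
    """Return (principal the client asks for, list of findings); no findings = SSO should work."""
    want = expected_principal(typed_host)
    findings = []
    if want not in ad:
        # The KDC has no key for this name, so it cannot mint a ticket: this is
        # what the client logs as 'Server not found in Kerberos database'.
        short = want.split("/")[1].split(".")[0]
        alt = [p for p in ad if p.startswith(f"host/{short}@")]
        hint = f" (AD only has {alt[0]}; re-run ktpass with the FQDN)" if alt else ""
        findings.append(f"KDC knows no principal {want}{hint}")
    keytab = parse_klist_kt(keytab_output)
    if want not in keytab:
        findings.append(f"sshd keytab has no entry for {want}")
    elif want in ad and keytab[want] != ad[want]:
        # Every ktpass run resets the account password and bumps its kvno, so a
        # keytab exported earlier can no longer decrypt freshly issued tickets.
        findings.append(f"kvno mismatch: keytab {keytab[want]} vs AD {ad[want]} (re-export the keytab)")
    return want, findings


if __name__ == "__main__":
    for host, kt in (("centos1", KEYTAB_CENTOS1),
                     ("centos1", KEYTAB_CENTOS1_STALE),
                     ("centos2", KEYTAB_CENTOS2)):
        want, findings = diagnose(host, kt)
        print(f"{host} -> {want}: {findings or 'OK'}")
```

On a real host the inputs are `klist -kt /etc/krb5.keytab` for the keytab side and, with a fresh TGT, `kvno host/<fqdn>` for the KDC side: if `kvno` itself fails with "Server not found", the problem is the SPN in AD and no amount of keytab work on the Linux box will fix it.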
Old 07-30-2010, 04:56 PM   #6
LQ Newbie
Registered: Jul 2010
Location: Chicago, IL
Distribution: CentOS
Posts: 4

Original Poster
Rep: Reputation: 0

I didn't realize there was a pam_krb5 add-on that was required. But that makes sense. I'll dig around and try to call the proper library files by using pam_krb5. Having a mixed environment does pose a daunting task if you are short on time or have limited experience with the Windows KDC functionality. However, the biggest advantage I can see is that having a centralized AD structure via LDAP is a lot simpler to administer than an OpenLDAP solution. It really depends on where you feel most comfortable.
Old 08-02-2010, 06:33 PM   #7
LQ Newbie
Registered: Jul 2008
Posts: 6

Rep: Reputation: 0
I've spent most of my time as a Windows guy but started out doing other OSes and I think that LDAP and Kerberos are actually easier to admin on the Linux side...but you have to actually read the docs instead of "next, next next". There is a point where Linux does not scale down as easily though since it does take quite a while to understand what stuff like SPNs, UIDs, OIDs and DNs all mean.

The side of the shop is getting smaller though. Unless Microsoft starts integrating stuff like SCOMM into the OS they are going to be in trouble as a server OS. I said that to my MS rep when he came by to talk about Win7 licensing - which is what triggered looking into Linux as an alternative in the first place. I also asked when he thought Windows would start running on the Linux kernel but he didn't think that was funny.

Back on topic, you may need to enable PAM in your SSH config as well.
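Replies #3 and #7 point at three files: sshd_config on the target, ssh_config on the client, and /etc/pam.d/system-auth. A detail that bites when editing the first two is that sshd and ssh take the FIRST value seen for a keyword, so a `GSSAPIAuthentication no` left higher in the file silently wins over a `yes` appended at the bottom. The following is an added example, not code from the thread: it looks the directives up with that first-match rule (keywords compared case-insensitively, `Host *` treated as global, later Match/Host blocks ignored) and checks system-auth for the pam_krb5 auth and account lines. All config texts are constructed.

```python
"""Added example, not from the thread: verify the sshd/ssh/PAM settings the
replies mention, using sshd's own first-value-wins lookup rule."""
import re

# Constructed: sshd_config with the classic mistake ('no' first, 'yes' appended later).
SSHD_BAD = """\
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes
GSSAPIAuthentication yes
"""
# Constructed: correct global settings; the Match block is conditional and ignored.
SSHD_GOOD = """\
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
Match User backup
    GSSAPIAuthentication no
"""
# Constructed client-side ssh_config.
SSH_GOOD = """\
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""
# Constructed /etc/pam.d/system-auth with pam_krb5 in the auth and account stacks.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
"""
SYSTEM_AUTH_NOKRB = "\n".join(l for l in SYSTEM_AUTH.splitlines() if "pam_krb5" not in l)


def ssh_option(text, keyword):
    """First-match lookup of a keyword in the unconditional part of an (s)sh config.
    Returns the value lower-cased, or None if the keyword never appears there."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break                                        # everything after is conditional
        if key == "host":
            if len(parts) == 2 and parts[1].strip() == "*":
                continue                                 # 'Host *' applies everywhere
            break
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return None


def pam_has_module(text, module_type, module):
    """True if a '<type> <control> <module>' line for `module` exists; the control
    field may be a bracketed list such as [default=bad success=ok]."""
    pat = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = pat.match(line) if line else None
        if m and m.group(1).lower() == module_type and m.group(3).endswith(module):
            return True
    return False


def check_sso(sshd_conf, ssh_conf, system_auth):
    """Return the list of settings that would stop Kerberos SSO over ssh."""
    problems = []
    if ssh_option(sshd_conf, "GSSAPIAuthentication") != "yes":
        problems.append("sshd_config: GSSAPIAuthentication is not yes (first value wins)")
    if ssh_option(sshd_conf, "UsePAM") != "yes":
        problems.append("sshd_config: UsePAM is not yes")
    if ssh_option(ssh_conf, "GSSAPIAuthentication") != "yes":
        problems.append("ssh_config: GSSAPIAuthentication is not yes")
    if not pam_has_module(system_auth, "auth", "pam_krb5.so"):
        problems.append("system-auth: no auth line for pam_krb5.so")
    if not pam_has_module(system_auth, "account", "pam_krb5.so"):
        problems.append("system-auth: no account line for pam_krb5.so")
    return problems


if __name__ == "__main__":
    print("good:", check_sso(SSHD_GOOD, SSH_GOOD, SYSTEM_AUTH) or "OK")
    print("bad: ", check_sso(SSHD_BAD, SSH_GOOD, SYSTEM_AUTH_NOKRB))
```

`sshd -T` prints the effective value of every keyword after this resolution, which is the quickest way to confirm on a live box that the `yes` you added is the one sshd actually sees.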

