Kerberos Authentication on Linux

March 10, 2017


Description of the solution

Active Directory (AD) users can log in to a Linux host with Kerberos authentication by combining Samba, Winbind and the Kerberos client.

Configure Linux host

1. Install the Kerberos client, Winbind, Samba, sudo and NTP packages:

  • Debian-like systems:
apt-get install krb5-user krb5-config libpam-krb5 winbind samba samba-common-bin libnss-winbind libpam-winbind sudo ntp ntpdate
  • RedHat-like systems:
yum install krb5-workstation samba samba-common samba-winbind samba-winbind-clients pam_krb5 oddjob-mkhomedir sudo net-tools ntp ntpdate

2. Set hostname:

hostname <name_of_localhost>
echo <name_of_localhost> > /etc/hostname

3. Set up time synchronization (Kerberos rejects requests when the clock skew between client and KDC exceeds the permitted limit, 5 minutes by default):

vi /etc/ntp.conf
   server <IP-address_of_NTP_server>
ntpdate -d <IP-address_of_NTP_server>

4. Set the domain name and DC server in the Kerberos client configuration:

  • Debian-like systems:
dpkg-reconfigure krb5-config

Default Kerberos version 5 realm: <Domainname>

Add locations of default Kerberos servers to /etc/krb5.conf: Yes

Kerberos servers for your realm: <IP-address_of_DC_servers>

Administrative server for your Kerberos realm: <IP-address_of_admin_server>

  • Debian- or RedHat-like systems:

vi /etc/krb5.conf
   [libdefaults]
   default_realm = <domainname>
   ...
   [realms]
   <domainname> = {
   kdc = <IP-address_of_DC_server>
   admin_server = <IP-address_of_admin_server>
   }
   ...
   [domain_realm]
   <.domainname> = <DOMAINNAME>
   <domainname> = <DOMAINNAME>
...

5. Configure the workgroup, domain name, Winbind and the home directory share in Samba:

vi /etc/samba/smb.conf
   [global]
   workgroup = <name_of_workgroup_or_organization>
   security = ads
   realm = <domainname>
   netbios name = <name_of_localhost>
   idmap config * : backend = rid
   idmap config * : range = 5000-100000000
   idmap config * : base_rid = 0
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   winbind refresh tickets = yes
   allow trusted domains = no
   client use spnego = yes
   auth methods = winbind
   ...
   [homes]
   comment = Home Directories
   read only = no
   browseable = no
   valid users = %S
   create mask = 0700
   directory mask = 0700
   ...

6. Test the Samba configuration file:

testparm

7. Add Winbind to the name service lookup order:

  • Debian-like systems:
vi /etc/nsswitch.conf
   ...
   passwd:          compat winbind
   group:           compat winbind
   shadow:          compat winbind 
   ...
  • RedHat-like systems:
vi /etc/nsswitch.conf
   ...
   passwd:          files sss winbind
   group:           files sss winbind
   shadow:          files sss winbind
   ...

8. Grant sudo rights to AD groups or users (a syntax error in /etc/sudoers locks everyone out of sudo, so prefer visudo, which checks the file before saving):

vi /etc/sudoers
   ...
   %<Name_of_AD_group_or_user_1> ALL=(ALL:ALL) ALL
   %<Name_of_AD_group_or_user_2> ALL=(ALL:ALL) ALL
   ...

9. Configure automatic creation of AD users' home directories in PAM:

  • Debian-like systems:
vi /etc/pam.d/common-session
   ...
   session required pam_mkhomedir.so umask=0077 skel=/etc/skel
  • RedHat-like systems:

authconfig --update --enablemkhomedir

10. Configure local and AD authentication in PAM:

  • Debian-like systems:
vi /etc/pam.d/common-auth
   ...
   #auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
   auth [success=3 default=ignore] pam_localuser.so try_first_pass
   #auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
   auth [success=1 default=ignore] pam_winbind.so require_membership_of=%<Name_of_AD_group_or_user_1>,%<Name_of_AD_group_or_user_2> krb5_auth krb5_ccache_type=FILE cached_login try_first_pass debug
   ...
  • RedHat-like systems:

vi /etc/pam.d/system-auth
   ...
   auth sufficient pam_localuser.so try_first_pass
   auth sufficient pam_winbind.so use_first_pass
   auth required pam_deny.so
   ...
vi /etc/pam.d/sshd
   auth include system-auth
   ...
vi /etc/security/pam_winbind.conf
   [global]
   debug = yes
   debug_state = yes
   cached_login = yes
   krb5_auth = yes
   require_membership_of = "Name_of_AD_group_or_user_1","Name_of_AD_group_or_user_2"
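Before restarting Winbind it is worth linting the two files edited in steps 5 and 10: a placeholder left in smb.conf or an empty require_membership_of in pam_winbind.conf means either a broken join or a host that admits every domain account. The script below is an added example, not part of the original article; the sample configs, the realm CORP.EXAMPLE and the group names linux-admins and linux-users are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: lint smb.conf and
# pam_winbind.conf (steps 5 and 10) before Winbind is restarted, so a
# forgotten <placeholder> or an empty require_membership_of is caught
# before any AD account can log in. All sample files are constructed here.
# ini_get <file> <key>: print the value of "key = value", trimmed.
# Literal key comparison, so keys such as "idmap config * : range" work.
ini_get() {
    awk -v key="$2" -F'=' '{
        k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
        if (k == key) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    }' "$1"
}

# check_smb_conf <file>: 0 if the [global] settings the article relies on
# are present and substituted, 1 otherwise (reasons printed to stdout).
check_smb_conf() {
    rc=0
    [ "$(ini_get "$1" security)" = "ads" ] || { echo "security must be ads"; rc=1; }
    for key in realm workgroup 'idmap config * : range'; do
        v=$(ini_get "$1" "$key")
        case $v in
            "")   echo "missing: $key"; rc=1 ;;
            *\<*) echo "placeholder not substituted: $key = $v"; rc=1 ;;
        esac
    done
    return $rc
}

# check_pam_winbind_conf <file>: 0 only if logins are restricted to named
# AD groups; an empty require_membership_of admits every domain account.
check_pam_winbind_conf() {
    v=$(ini_get "$1" require_membership_of)
    case $v in
        "")   echo "require_membership_of is empty"; return 1 ;;
        *\<*) echo "require_membership_of still holds a placeholder"; return 1 ;;
    esac
    return 0
}

# Constructed samples; BAD_SMB keeps the <domainname> placeholder from step 5.
BAD_SMB=$(mktemp); printf '[global]\n  security = ads\n  realm = <domainname>\n  workgroup = CORP\n  idmap config * : range = 5000-100000000\n' > "$BAD_SMB"
GOOD_SMB=$(mktemp); sed 's/<domainname>/CORP.EXAMPLE/' "$BAD_SMB" > "$GOOD_SMB"
BAD_PAM=$(mktemp); printf '[global]\n  krb5_auth = yes\n  require_membership_of =\n' > "$BAD_PAM"
GOOD_PAM=$(mktemp); printf '[global]\n  krb5_auth = yes\n  require_membership_of = linux-admins,linux-users\n' > "$GOOD_PAM"
check_smb_conf "$GOOD_SMB" && check_pam_winbind_conf "$GOOD_PAM" && echo "good configs: OK"
check_smb_conf "$BAD_SMB" || echo "bad smb.conf: rejected as expected"
check_pam_winbind_conf "$BAD_PAM" || echo "bad pam_winbind.conf: rejected as expected"
```

Run it against the real /etc/samba/smb.conf and /etc/security/pam_winbind.conf by calling the two check functions with those paths; the same literal-key lookup works for smb.conf's "idmap config" keys, which contain spaces and an asterisk.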

11. Restart Winbind and Samba:

  • Debian-like systems:
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start
  • RedHat-like systems:

systemctl restart winbind
systemctl restart smb
systemctl enable winbind

12. Test Kerberos ticket creation:

kinit -p <AD_user>
klist
kdestroy

13. Join the Linux host to AD with an AD admin user:

net ads join -U <AD_admin_user>

14. Restart Winbind and Samba:

  • Debian-like systems:
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start
  • RedHat-like systems:

systemctl restart winbind
systemctl restart smb
systemctl enable winbind

15. Test local and AD logins and check the authentication log:

tail -f /var/log/auth.log

16. If errors occur, test Kerberos, Winbind and nsswitch:

  • List AD users and groups through Winbind:

wbinfo -u
wbinfo -g
  • List AD users and groups through nsswitch:

getent passwd
getent group

Restore default authentication after Kerberos

1. Remove Kerberos client, Winbind and Samba packages:

  • Debian-like systems:
apt-get purge krb5-user krb5-config libpam-krb5 winbind samba samba-common-bin libnss-winbind libpam-winbind
  • RedHat-like systems:
yum remove krb5-workstation samba samba-common samba-winbind samba-winbind-clients pam_krb5 oddjob-mkhomedir

2. Restore PAM:

  • Debian-like systems:
pam-auth-update --force
  • RedHat-like systems:

Restore files in /etc/pam.d/.
