Ready to Start Your Career?

Kerberos Authentication on Linux

Tamas Szucs's profile image

By: Tamas Szucs

March 10, 2017

Description of the solution

Kerberos authentication can log in to the Linux host with Samba, Winbind and Kerberos client.

Configure Linux host

1. Install Kerberos client, Winbind, samba, sudo and ntp package:

  • Debian-like systems:
apt-get install krb5-user krb5-config libpam-krb5 winbind samba samba-common-bin libnss-winbind libpam-winbind sudo ntp ntpdate
  • RedHat-like systems:
yum install krb5-workstation samba samba-common samba-winbind samba-winbind-clients pam_krb5 oddjob-mkhomedir sudo net-tools ntp ntpdate

2. Set hostname:

hostname <name_of_localhost>echo <name_of_localhost> > /etc/hostname

3. Set time sync:

vi /etc/ntp.conf server <IP-address_of_NTP_server>ntpdate –d <IP-address_of_NTP_server>

4. Set domainname and DC server in KRB5:

  • Debian-like systems:
dpkg-reconfigure krb5-config
Default Kerberos version 5 realm: <Domainname>Add locations of default Kerberos servers to /etc/krb5.conf: YesKerberos servers for your realm: <IP-address_of_DC_sserveres>Administrative server for your Kerberos realm: <IP-address_of_admin_server>

  • Debian vagy RedHat-like systems:

vi /etc/krb5.conf [libdefaults] default_realm = <domainname> ... [realms] <domainname> = { kdc = <IP-address_of_DC_server> admin_server = <IP-address_of_admin_server> } ... [domain_realm] <.domainname> = <DOMAINNAME> <domainname> = <DOMAINNAME>...

5. Configure workgroup, domainname and Winbind, and share of home directories in SAMBA:

vi /etc/samba/smb.conf [global] workgroup = <name_of_workgroup_or_organization> security = ads realm = domainname netbios name = <name_of_localhost> idmap config * : backend = rid idmap config * : range = 5000-100000000 idmap config * : base_rid = 0 template shell = /bin/bash template homedir = /home/%D/%U winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind nested groups = yes winbind refresh tickets = yes allow trusted domains = no client use spnego = yes auth methods = winbind ... [homes] comment = Home Directories read only = no browseable = no valid users = %S create mask = 0700 directory mask = 0700 ...

6. Test Samba file:

testparm

7. Add Winbind name search:

  • Debian-like systems:
vi /etc/nsswitch.conf ... passwd: compat winbind group: compat winbind shadow: compat winbind ...
  • RedHat-like systems:
vi /etc/nsswitch.conf ... passwd: files sss winbind group: files sss winbind shadow: files sss winbind ...

8. Enable sudo command to AD groups or users:

vi /etc/sudoers ... %<Name_of_AD_group_or_user_1> ALL=(ALL:ALL) ALL %<Name_of_AD_group_or_user_2> ALL=(ALL:ALL) ALL ...

9. Configure atomatic create of AD users home directories in PAM:

  • Debian-like systems:
vi /etc/pam.d/common-session ... session required pam_mkhomedir.so umask=0077 skel=/etc/skel

  • RedHat-like systems:

authconfig --update --enablemkhomedir

10. Configure local and AD autentication in PAM:

  • Debian-like systems:
vi /etc/pam.d/common-auth ... #auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=3 default=ignore] pam_localuser.so try_first_pass #auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass auth [success=1 default=ignore] pam_winbind.so require_membership_of=„%<Name_of_AD_group_or_user_1>,„%<Name_of_AD_group_or_user_2> krb5_auth krb5_ccache_type=FILE cached_login try_first_pass debug ...

  • RedHat-like systems:

vi /etc/pam.d/system-auth ... auth sufficient pam_localuser.so try_first_pass auth sufficient pam_winbind.so use_first_pass auth required pam_deny.so ...vi /etc/pam.d/sshd auth include system-auth ...vi /etc/security/pam_winbind.conf [global] debug = yes debug_state = yes cached_login = yes krb5_auth = yes require_membership_of = „Name_of_AD_group_or_user_1”,”Name_of_AD_group_or_user_2”

11. Restart Winbind and Samba:

  • Debian-like systems:
/etc/init.d/winbind stop/etc/init.d/samba restart/etc/init.d/winbind start

  • RedHat-like systems:

systemctl restart winbindsystemctl restart smbsystemctl enable winbind

12. Testing of Kerberos ticket create:

kinit -p <AD_user>klistkdestroy

13. Add Linux host to AD with AD admin user:

net ads join -U <AD_admin_user>

14. Restart Winbind and Samba:

  • Debian-like systems:
/etc/init.d/winbind stop/etc/init.d/samba restart/etc/init.d/winbind start

  • RedHat-like systems:

systemctl restart winbindsystemctl restart smbsystemctl enable winbind

15. Login test of local and AD authentication, and authentication log check:

tail -f /var/log/auth.log

16. If error, then test of Kerberos, Winbind and nsswitch:

  • Test AD users and groups viewing with Winbind:

wbinfo -uwbinfo -g

  • Test AD users and groups viewing with nsswitch:

getent passwdgetent group

Restore Kerberos authentication to default authentication

1. Remove Kerberos client, Winbind and Samba packages:

  • Debian-like systems:
apt-get purge krb5-user krb5-config libpam-krb5 winbind samba samba-common-bin libnss-winbind libpam-winbind
  • RedHat-like systems:
yum remove krb5-workstation samba samba-common samba-winbind samba-winbind-clients pam_krb5 oddjob-mkhomedir

2. Restore PAM:

  • Debian-like systems:
pam-auth-update --force
  • RedHat-like systems:
Restore files in /etc/pam.d/. 
Schedule Demo
Build your Cybersecurity or IT Career
Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry