Ready to Start Your Career?

Kerberos Authentication on Linux

Tamas Szucss profile image
By: Tamas Szucs
March 10, 2017

kerberos

Description of the solution

Kerberos authentication can log in to the Linux host with Samba, Winbind and Kerberos client.

Configure Linux host

1. Install Kerberos client, Winbind, samba, sudo and ntp package:

  • Debian-like systems:
apt-get install krb5-user krb5-config libpam-krb5 winbind samba samba-common-bin libnss-winbind libpam-winbind sudo ntp ntpdate
  • RedHat-like systems:
yum install krb5-workstation samba samba-common samba-winbind samba-winbind-clients pam_krb5 oddjob-mkhomedir sudo net-tools ntp ntpdate

2. Set hostname:

hostname <name_of_localhost>echo <name_of_localhost> > /etc/hostname

3. Set time sync:

vi /etc/ntp.conf   server <IP-address_of_NTP_server>ntpdate –d <IP-address_of_NTP_server>

4. Set domainname and DC server in KRB5:

  • Debian-like systems:
dpkg-reconfigure krb5-config
Default Kerberos version 5 realm: <Domainname>Add locations of default Kerberos servers to /etc/krb5.conf: YesKerberos servers for your realm: <IP-address_of_DC_sserveres>Administrative server for your Kerberos realm: <IP-address_of_admin_server>

  • Debian vagy RedHat-like systems:

vi /etc/krb5.conf   [libdefaults]   default_realm = <domainname>   ...   [realms]   <domainname> = {   kdc = <IP-address_of_DC_server>   admin_server = <IP-address_of_admin_server>   }   ...   [domain_realm]   <.domainname> = <DOMAINNAME>   <domainname> = <DOMAINNAME>...

5. Configure workgroup, domainname and Winbind, and share of home directories in SAMBA:

vi /etc/samba/smb.conf   [global]   workgroup = <name_of_workgroup_or_organization>   security = ads   realm = domainname   netbios name = <name_of_localhost>   idmap config * : backend = rid   idmap config * : range = 5000-100000000   idmap config * : base_rid = 0   template shell = /bin/bash   template homedir = /home/%D/%U   winbind use default domain = yes   winbind enum users = yes   winbind enum groups = yes   winbind nested groups = yes   winbind refresh tickets = yes   allow trusted domains = no   client use spnego = yes   auth methods = winbind   ...   [homes]   comment = Home Directories   read only = no   browseable = no   valid users = %S   create mask = 0700   directory mask = 0700   ...

6. Test Samba file:

testparm

7. Add Winbind name search:

  • Debian-like systems:
vi /etc/nsswitch.conf   ...   passwd:          compat winbind   group:           compat winbind   shadow:          compat winbind    ...
  • RedHat-like systems:
vi /etc/nsswitch.conf   ...   passwd:          files sss winbind   group:           files sss winbind   shadow:          files sss winbind   ...

8. Enable sudo command to AD groups or users:

vi /etc/sudoers   ...   %<Name_of_AD_group_or_user_1> ALL=(ALL:ALL) ALL   %<Name_of_AD_group_or_user_2> ALL=(ALL:ALL) ALL   ...

9. Configure atomatic create of AD users home directories in PAM:

  • Debian-like systems:
vi /etc/pam.d/common-session   ...   session required pam_mkhomedir.so umask=0077 skel=/etc/skel

  • RedHat-like systems:

authconfig --update --enablemkhomedir

10. Configure local and AD autentication in PAM:

  • Debian-like systems:
vi /etc/pam.d/common-auth   ...  #auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000   auth [success=3 default=ignore] pam_localuser.so try_first_pass  #auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass   auth [success=1 default=ignore] pam_winbind.so require_membership_of=„%<Name_of_AD_group_or_user_1>,„%<Name_of_AD_group_or_user_2> krb5_auth krb5_ccache_type=FILE cached_login try_first_pass debug   ...

  • RedHat-like systems:

vi /etc/pam.d/system-auth   ...   auth sufficient pam_localuser.so try_first_pass   auth sufficient pam_winbind.so use_first_pass   auth required pam_deny.so   ...vi /etc/pam.d/sshd   auth include system-auth   ...vi /etc/security/pam_winbind.conf   [global]   debug = yes   debug_state = yes   cached_login = yes   krb5_auth = yes   require_membership_of = „Name_of_AD_group_or_user_1”,”Name_of_AD_group_or_user_2”

11. Restart Winbind and Samba:

  • Debian-like systems:
/etc/init.d/winbind stop/etc/init.d/samba restart/etc/init.d/winbind start

  • RedHat-like systems:

systemctl restart winbindsystemctl restart smbsystemctl enable winbind

12. Testing of Kerberos ticket create:

kinit -p <AD_user>klistkdestroy

13. Add Linux host to AD with AD admin user:

net ads join -U <AD_admin_user>

14. Restart Winbind and Samba:

  • Debian-like systems:
/etc/init.d/winbind stop/etc/init.d/samba restart/etc/init.d/winbind start

  • RedHat-like systems:

systemctl restart winbindsystemctl restart smbsystemctl enable winbind

15. Login test of local and AD authentication, and authentication log check:

tail -f /var/log/auth.log

16. If error, then test of Kerberos, Winbind and nsswitch:

  • Test AD users and groups viewing with Winbind:

wbinfo -uwbinfo -g

  • Test AD users and groups viewing with nsswitch:

getent passwdgetent group

Restore Kerberos authentication to default authentication

1. Remove Kerberos client, Winbind and Samba packages:

  • Debian-like systems:
apt-get purge krb5-user krb5-config libpam-krb5 winbind samba samba-common-bin libnss-winbind libpam-winbind
  • RedHat-like systems:
yum remove krb5-workstation samba samba-common samba-winbind samba-winbind-clients pam_krb5 oddjob-mkhomedir

2. Restore PAM:

  • Debian-like systems:
pam-auth-update --force
  • RedHat-like systems:
Restore files in /etc/pam.d/. 
Schedule Demo
Build your Cybersecurity or IT Career
Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry