Linux Kerberos Auhtentication

Linux Kerberos Auhtentication

I am jotting down my recipe for RedHat 7.3 Linux and providing user logins from Microsoft’s Active Directory. This was tested with two AWS instances and Microsoft AD 2016. There are many articles around the Interwebs but in short things became a lot easier with SSSD in most major distributions.

Out of scope:
– Add AD role to Windows 2016 server
– Add DNS entry and reverse entry for client
– Make sure DNS and reverse DNS works!

# more /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)

# domainname
(none)

# hostname
ip-172-31-22-140.ec2.internal

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.31.22.140 ip-172-31-22-140.ec2.internal 
172.31.16.163 ec2amaz-82floju.iqonda.com ec2amaz-82floju

Install packages.

# yum install realmd sssd adcli

Ensure you are pointing to the AD/DNS server for name resolution. I made sure resolv.conf can’t be updated on boot since this is a dynamic EC2 instance.

 
# cat /etc/resolv.conf 
search iqonda.com
nameserver 172.31.16.163

# chattr +i /etc/resolv.conf

# ping 172.31.16.163
PING 172.31.16.163 (172.31.16.163) 56(84) bytes of data.
64 bytes from 172.31.16.163: icmp_seq=37 ttl=128 time=0.653 ms
64 bytes from 172.31.16.163: icmp_seq=38 ttl=128 time=0.522 ms
^C
--- 172.31.16.163 ping statistics ---
38 packets transmitted, 2 received, 94% packet loss, time 36999ms
rtt min/avg/max/mdev = 0.522/0.587/0.653/0.069 ms

# nslookup 172.31.16.163
Server:		172.31.16.163
Address:	172.31.16.163#53

Non-authoritative answer:
163.16.31.172.in-addr.arpa	name = ip-172-31-16-163.ec2.internal.

Authoritative answers can be found from:

# hostname
ip-172-31-22-140.ec2.internal

# nslookup ip-172-31-22-140.ec2.internal
Server:		172.31.16.163
Address:	172.31.16.163#53

Non-authoritative answer:
Name:	ip-172-31-22-140.ec2.internal
Address: 172.31.22.140

# nslookup 172.31.22.140
Server:		172.31.16.163
Address:	172.31.16.163#53

140.22.31.172.in-addr.arpa	name = ip-172-31-22-140.ec2.internal.iqonda.com.

# nslookup iqonda.com
Server:		172.31.16.163
Address:	172.31.16.163#53

Name:	iqonda.com
Address: 172.31.16.163

# dig -t SRV _ldap._tcp.ad.iqonda.com @172.31.16.163

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -t SRV _ldap._tcp.ad.iqonda.com @172.31.16.163
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51524
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.ad.iqonda.com.	IN	SRV

;; AUTHORITY SECTION:
iqonda.com.		3600	IN	SOA	ec2amaz-82floju.iqonda.com. hostmaster.iqonda.com. 95 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 172.31.16.163#53(172.31.16.163)
;; WHEN: Tue Feb 21 13:02:58 EST 2017
;; MSG SIZE  rcvd: 126

Now lets check if we can join the AD domain.

# realm discover
realm: No default realm discovered

# realm discover ec2amaz-82floju
iqonda.com
  type: kerberos
  realm-name: IQONDA.COM
  domain-name: iqonda.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

# realm join ec2amaz-82floju
Password for Administrator: 

# realm list
iqonda.com
  type: kerberos
  realm-name: IQONDA.COM
  domain-name: iqonda.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@iqonda.com
  login-policy: allow-realm-logins

Add login permission to a specific AD group.

# realm permit -g webadmins@iqonda.com

Test a client login.

$ ssh -l user1@iqonda.com ec2-107-21-198-224.compute-1.amazonaws.com
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Allow SSHD passwords.

# grep PasswordA /etc/ssh/sshd_config 
PasswordAuthentication yes
# systemctl restart sshd

Try client login again. And test sudo as well.

$ ssh -l user1@iqonda.com ec2-107-21-198-224.compute-1.amazonaws.com
user1@iqonda.com@ec2-107-21-198-224.compute-1.amazonaws.com's password: 
Creating home directory for user1@iqonda.com.

$ id
uid=234601107(user1@iqonda.com) gid=234600513(domain users@iqonda.com) groups=234600513(domain users@iqonda.com),234601104(webadmins@iqonda.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ pwd
/home/user1@iqonda.com

$ sudo systemctl status sshd

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for user1@iqonda.com: 
user1@iqonda.com is not in the sudoers file.  This incident will be reported.

Allow AD group sudo perms.

# tail -2 //etc/sudoers
%webadmins@iqonda.com ALL=(ALL) ALL
#%Domain\ Admins@example.com ALL=(ALL:ALL) ALL  

$ sudo systemctl status sshd
[sudo] password for user1@iqonda.com: 
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
[..]
# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Tue 2017-02-21 13:05:42 EST; 3min 46s ago
  Process: 2276 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 2277 (sssd)
   CGroup: /system.slice/sssd.service
           ├─2277 /usr/sbin/sssd -D -f
           ├─2278 /usr/libexec/sssd/sssd_be --domain iqonda.com --uid 0 --gid 0 --debug-to-files
           ├─2279 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           └─2280 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

Feb 21 13:05:42 ip-172-31-22-140.ec2.internal sssd[nss][2279]: Starting up
Feb 21 13:05:42 ip-172-31-22-140.ec2.internal systemd[1]: Started System Security Services Daemon.
Feb 21 13:05:42 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1
Feb 21 13:05:42 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1
Feb 21 13:05:42 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1
Feb 21 13:05:42 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 2
Feb 21 13:07:58 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1
Feb 21 13:07:58 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1
Feb 21 13:07:58 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1
Feb 21 13:07:58 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 2
[/bash


For reference sssd config created automatically by realm join.


# cat /etc/sssd/sssd.conf 

[sssd]
domains = iqonda.com
config_file_version = 2
services = nss, pam

[domain/iqonda.com]
ad_server = ec2amaz-82floju
ad_domain = iqonda.com
krb5_realm = IQONDA.COM
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = IP-172-31-22-14$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = webadmins@iqonda.com

Leave a Reply

Your email address will not be published. Required fields are marked *