As an update to my previous post “Linux SSH + PAM + LDAP + 2003 R2 AD Deployment”, SSSD is now part of the base RHEL6 repository (and soon CentOS6 as well), which makes LDAP/AD authentication much faster and easier to implement. On the Active Directory side not much has changed since the previous post, so refer to that guide for the AD configuration. So let's get to it.
Installing and Configuring PAM/LDAP/SSSD (tested on RHEL6):
Get some base packages:
# yum install openldap pam pam_ldap pam_krb5 ntp sssd
Configure /etc/sssd/sssd.conf (update ldap_default_authtok to the password of the LDAP/AD bind user). If you recreate sssd.conf, chmod 600 it and make sure it is owned by root: the file holds the bind password in cleartext, and SSSD refuses to start if the file is readable by anyone else:
# vi /etc/sssd/sssd.conf

[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
sbus_timeout = 30

[nss]
filter_groups = root
filter_users = root

[pam]
offline_credentials_expiration = 0

[domain/LDAP]
description = LDAP domain with AD server
# 9 is very verbose; lower it once the setup works
debug_level = 9
enumerate = false
min_id = 1000
access_provider = ldap
# Restrict access to a certain group, update or comment this out
ldap_access_filter = memberOf=cn=LinuxUsers,ou=Groups,dc=domain,dc=com
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://dc1.domain.com, ldap://dc2.domain.com
ldap_search_base = dc=domain,dc=com
# The id lookups use a simple bind with the password below. Over plain ldap:// that
# bind is cleartext unless StartTLS is turned on, so require it and validate the DC
# certificate against the CA bundle (demand = fail the connection if it does not validate).
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_cacertdir = /etc/pki/tls/certs
# User that can read from AD, any normal user should work. Update as necessary
ldap_default_bind_dn = cn=ldapuser,ou=Users,dc=domain,dc=com
# Leave this as password
ldap_default_authtok_type = password
# The ldap user's actual password, update as necessary
ldap_default_authtok = ldapusers_password
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = True
# kerberos config
auth_provider = krb5
krb5_server = dc1.domain.com, dc2.domain.com
krb5_realm = DOMAIN.COM
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
cache_credentials = True
Configure /etc/krb5.conf:
# vi /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.COM = {
  kdc = dc1.domain.com
  kdc = dc2.domain.com
 }

[domain_realm]
 .DOMAIN.COM = DOMAIN.COM
 DOMAIN.COM = DOMAIN.COM
 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Update the authentication methods (if authconfig is unavailable you will have to manually edit the module order in /etc/pam.d/password-auth):
# authconfig --enablemkhomedir --enablesssdauth --updateall
Verify nsswitch.conf was updated with sss:
# vi /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
Enable SSSD on boot, start if necessary (should be running already):
# chkconfig sssd on
# /etc/rc.d/init.d/sssd start
Giving SUDO permissions (Optional): add the AD group you configured to the sudoers file as %groupname (the name is case sensitive and must match what getent group returns). Use visudo rather than editing /etc/sudoers directly so a syntax error cannot lock you out. Example:
# visudo
# Give our Windows group LinuxUsers (system admins) ALL commands.
%LinuxUsers ALL=(ALL) ALL
Test AD authentication (ssh in as a domain user) and check that the user's home directory was created (/home/username). Kerberos rejects tickets when the client clock differs from the DC by more than the default 5 minutes, so keep the time in sync with your domain controller, for example by adding ntpdate to a cron job.
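As an added example (not code from the original post), the following POSIX shell functions run the pre-flight checks a practitioner would want before starting sssd: that sssd.conf is mode 0600 and owned by root, that the placeholder bind password has been replaced, that option names are ones SSSD actually reads (the ldap.conf spellings tls_reqcert/tls_cacert and the misspelling krb5_changepw_principle are ignored rather than rejected by older SSSD releases, which silently leaves certificate checking off), that each domain listed in [sssd] has a matching section, and that krb5.conf defines its default_realm under [realms]. The default file paths are the ones used above; the messages and the list of checked option names are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# sssd.conf and krb5.conf written above, to run before "service sssd start".
# Usage: sssd_conf_lint /etc/sssd/sssd.conf ; krb5_conf_lint /etc/krb5.conf

# Drop comment and blank lines and surrounding whitespace from an ini-style file.
_ini_body() {
    sed -e '/^[[:space:]]*[#;]/d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Return 0 if the sssd.conf at $1 passes every check, 1 if any FAIL was found.
sssd_conf_lint() {
    f="${1:-/etc/sssd/sssd.conf}"
    rc=0
    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 1; }

    # sssd will not start unless the file is mode 0600 and owned by root;
    # it holds the bind password in cleartext, so the permissions matter anyway.
    [ -n "$(find "$f" -perm 600 2>/dev/null)" ] || { echo "FAIL: $f must be mode 0600"; rc=1; }
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = root ] || echo "WARN: $f is owned by $owner, sssd requires root"

    # Normalise "key = value" to "key=value" so keys can be matched exactly.
    body=$(_ini_body "$f" | sed -e 's/[[:space:]]*=[[:space:]]*/=/')

    # The placeholder password from the post must have been replaced.
    if printf '%s\n' "$body" | grep -q '^ldap_default_authtok=ldapusers_password$'; then
        echo "FAIL: ldap_default_authtok still holds the placeholder password"; rc=1
    fi

    # Option names SSSD does not know are ignored by older releases rather than
    # rejected, so a typo silently weakens the config (e.g. no certificate check).
    for pair in tls_reqcert:ldap_tls_reqcert tls_cacert:ldap_tls_cacert \
                krb5_changepw_principle:krb5_changepw_principal; do
        wrong=${pair%%:*}; right=${pair#*:}
        if printf '%s\n' "$body" | grep -q "^$wrong="; then
            echo "FAIL: '$wrong' is not an sssd option, use '$right'"; rc=1
        fi
    done

    # Every domain listed in [sssd] needs a matching [domain/NAME] section.
    for d in $(printf '%s\n' "$body" | sed -n 's/^domains=//p' | tr ',' ' '); do
        printf '%s\n' "$body" | grep -q "^\[domain/$d\]$" \
            || { echo "FAIL: domains lists '$d' but there is no [domain/$d] section"; rc=1; }
    done

    # Duplicate keys within one section: the last value wins, which is rarely intended.
    dups=$(printf '%s\n' "$body" | awk -F= '/^\[/ { sec=$0; next } { if (seen[sec "/" $1]++) print sec "/" $1 }')
    [ -z "$dups" ] || echo "WARN: duplicate keys (last one wins):" $dups
    return $rc
}

# Return 0 if the krb5.conf at $1 defines its default_realm under [realms], else 1.
krb5_conf_lint() {
    f="${1:-/etc/krb5.conf}"
    rc=0
    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 1; }
    body=$(_ini_body "$f")
    realm=$(printf '%s\n' "$body" | sed -n 's/^default_realm[[:space:]]*=[[:space:]]*//p' | head -n 1)
    [ -n "$realm" ] || { echo "FAIL: no default_realm in [libdefaults]"; return 1; }

    # AD realms are the DNS domain in upper case; a lower-case realm will not match.
    case $realm in *[a-z]*) echo "WARN: realm '$realm' is not upper case";; esac

    # The [realms] block must contain the default realm, otherwise its kdc lines
    # never apply (an easy slip when a config is copied between domains).
    if ! printf '%s\n' "$body" | awk -v r="$realm" '
            /^\[realms\]/ { in_r=1; next }
            /^\[/          { in_r=0 }
            in_r { k=$0; sub(/[[:space:]]*=.*/, "", k); if (k == r) found=1 }
            END { exit found ? 0 : 1 }'; then
        echo "FAIL: default_realm $realm has no entry under [realms]"; rc=1
    fi
    return $rc
}
```

Run both functions as root on the real files; the WARN lines are informational, and a non-zero return means at least one FAIL that would either stop sssd from starting or leave the LDAP channel unprotected.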
Hey, it works, but I get some errors in the secure log:
Feb 2 11:31:41 server01 sshd[21412]: pam_krb5[21412]: authentication fails for 'my_user' (my_user@DOMAIN.COM): Authentication failure (Cannot read password)
Feb 2 11:31:41 server01 sshd[21412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=my_user
Feb 2 11:31:41 server01 sshd[21412]: pam_krb5[21412]: error guessing name of local host principal
Feb 2 11:31:41 server01 sshd[21412]: pam_krb5[21412]: TGT failed verification using keytab: Hostname cannot be canonicalized
Feb 2 11:31:41 server01 sshd[21412]: pam_krb5[21412]: authentication fails for 'my_user' (my_user@DOMAIN.COM): Authentication failure (Success)
Feb 2 11:31:41 server01 sshd[21412]: pam_winbind(sshd:auth): getting password (0x00000010)
Feb 2 11:31:41 server01 sshd[21412]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 2 11:31:41 server01 sshd[21412]: pam_winbind(sshd:auth): user 'my_user' granted access
Feb 2 11:31:42 server01 sshd[21412]: pam_winbind(sshd:account): user 'my_user' granted access
Feb 2 11:31:42 server01 sshd[21412]: Accepted password for my_user from 192.168.1.1 port 58368 ssh2
Feb 2 11:31:42 server01 sshd[21412]: pam_unix(sshd:session): session opened for user my_user by (uid=0)
Can you help me with this messages?
Why use krb over native ldap?
I did it as you wrote, but sssd failed to start. Why?
Hi,
Found this very helpful! I got AD auth to work with RHEL 5 without issue, but RHEL 6 is killing me!
When I attempt SSH I get the following error:
pam_sss(sshd:auth): received for user mark: 10 (User not known to the underlying authentication module)
pam_krb5: error resolving user name 'mark' to uid/gid
pam_krb5: error getting information about 'mark'
All my conf files look right, but I’m not sure about /etc/pam.d/password-auth. Any tips for this file would be greatly appreciated!
-Mark
I broke my backup server following procedures/configurations in other blogs; this blog fixed it. Lessons learned along the way:
If you put ntpdate into a cron job, you need to stop ntpd before and start it again after. If it isn't obvious, in an AD environment use the DCs as time servers. If you are using VMs on VMware, see their info about timekeeping for Linux guests; Google distribution-specific VMware Tools. Before attempting this, keep a copy of /etc/pam.d/system-auth and /etc/nsswitch.conf. If you can't log in, restart in single-user mode and restore those 2 to get back in.
We are thinking of using LDAP based IAM setup with VMware vCloud and OpenStack Nova Compute VMs.
VMware vCloud and OpenStack Nova Compute VMs are self-serve in that the end-users (non Admins) can create the VMs as needed.
Currently we have ldap_access_filter as ((memberOf=cn=System Administrators,ou=Groups,dc=example,dc=com)), which allows access to a Linux/UNIX machine to whoever is in that group.
Since the end-user is not part of this group, he/she is not able to login. We would like to automatically add the end-user who created the VM to the ldap_access_filter.
Also since we manage the Sudo Rules in LDAP, we would like the automatically create a Sudo Rule for that VM and the user to the Rule.
Any thoughts on how to best design this? Maybe we are over-thinking this, and there is a simpler solution.
The end goal is that the end-user who creates the VM should have full access to that VM, in addition to the System Administrators LDAP group.