Skip to content

Instantly share code, notes, and snippets.

@narthollis

narthollis/Process.md

Last active May 3, 2024 16:12
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save narthollis/5342380 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save narthollis/5342380 to your computer and use it in GitHub Desktop.
Download ZIP
Ubuntu/Linux Active Directory Kerberos Authentication
Raw
example-nslcd.conf
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://ad2.lcc-sa.sa.lcc.lca.org.au ldap://adprinter.lcc-sa.sa.lcc.lca.org.au
# The search base that will be used for all queries.
base DC=lcc-sa,DC=sa,DC=lcc,DC=lca,DC=org,DC=au
scope sub
#binddn CN=ldapquery,CN=Users,DC=lcc-sa,DC=sa,DC=lcc,DC=lca,DC=org,DC=au
#bindpw zTbeUKylRhlXsvLNHXdPwHWfIsWpNiDuuAAXhdmgJRBUHIvNeULZrBLgWVey
#use_sasl on
sasl_mech GSSAPI
sasl_realm {{FULLY.QUALIFIED.DOMAIN}}
krb5_ccname FILE:/tmp/host.tkt
nss_min_uid 9999
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd uidnumber uidNumber
map passwd homedirectory unixHomeDirectory
map passwd loginshell loginShell
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
filter group (objectClass=group)
map group member member
Raw
nslcd-kerberos.conf
# nslcd-k5start - Maintain a Kerberos ticket cache for nslcd
# Adapted from the System V nslcd init script
description "Maintain a Kerberos ticket cache for nslcd"
author "Caleb Callaway <[email protected]>"
start on starting nslcd
stop on stopping nslcd
env PATH=/bin:/usr/bin:/sbin:/usr/sbin
env NSLCD_CFG=/etc/nslcd.conf
env K5START_BIN=/usr/bin/k5start
env K5START_DESC="Kerberos cache maintainer for nslcd"
env NSLCD_USER=nslcd
env NSLCD_GROUP=nslcd
env K5START_MODE=600
env K5START_KEYTAB=/etc/krb5.keytab
env K5START_CCREFRESH=60
env K5START_LOGFILE="/tmp/nslcd-k5start.log"
pre-start script
[ -f "$NSLCD_CFG" ] || exit 1
#upstart's env stanza seems to be a bit simplistic, so we do fancy stuff here.
NSLCD_STATEDIR=/var/run/nslcd
K5START_PIDFILE=$NSLCD_STATEDIR/k5start_nslcd.pid
NSLCD_USER=$(sed -n 's/^uid *\([^ ]*\) *$/\1/ip' $NSLCD_CFG)
NSLCD_GROUP=$(sed -n 's/^gid *\([^ ]*\) *$/\1/ip' $NSLCD_CFG)
K5START_PRINCIPAL="host/$(hostname -f)"
K5START_CCFILE=$(sed -n 's/^krb5_ccname *\(FILE:\)\?\([^: ]*\) *$/\2/ip' $NSLCD_CFG)
if [ -e /etc/default/nslcd ]
then
. /etc/default/nslcd
fi
#make sure we have a state directory for the Kerberos cache
[ -d "$NSLCD_STATEDIR" ] || ( mkdir -m 755 "$NSLCD_STATEDIR" ; \
chown $NSLCD_USER:$NSLCD_GROUP "$NSLCD_STATEDIR" )
date >> $K5START_LOGFILE
echo "Initializing credentials cache." >> $K5START_LOGFILE
echo "Init command: \"/usr/bin/kinit -V -c $K5START_CCFILE -k -t $K5START_KEYTAB $K5START_PRINCIPAL\"" >> $K5START_LOGFILE
#make sure we have a credentials cache before nslcd starts.
/usr/bin/kinit -V -c $K5START_CCFILE -k -t $K5START_KEYTAB $K5START_PRINCIPAL 1>>$K5START_LOGFILE 2>>$K5START_LOGFILE
end script
script
#upstart's env stanza seems to be a bit simplistic, so we do fancy stuff here.
NSLCD_STATEDIR=/var/run/nslcd
K5START_PIDFILE=$NSLCD_STATEDIR/k5start_nslcd.pid
NSLCD_USER=$(sed -n 's/^uid *\([^ ]*\) *$/\1/ip' $NSLCD_CFG)
NSLCD_GROUP=$(sed -n 's/^gid *\([^ ]*\) *$/\1/ip' $NSLCD_CFG)
K5START_PRINCIPAL="host/$(hostname -f)"
K5START_CCFILE=$(sed -n 's/^krb5_ccname *\(FILE:\)\?\([^: ]*\) *$/\2/ip' $NSLCD_CFG)
if [ -e /etc/default/nslcd ]
then
. /etc/default/nslcd
fi
echo "Starting daemon" >> $K5START_LOGFILE
echo "Command: \"$K5START_BIN -p $K5START_PIDFILE -o $NSLCD_USER -g $NSLCD_GROUP -m $K5START_MODE -f $K5START_KEYTAB -K $K5START_CCREFRESH -u $K5START_PRINCIPAL -k $K5START_CCFILE\"" >> $K5START_LOGFILE
# check if we should use k5start by default (sasl_mech should be GSSAPI and
# krb5_ccname should be found)
if [ -x "$K5START_BIN" ] && \
grep -q '^sasl_mech *GSSAPI$' $NSLCD_CFG && \
[ -n "$K5START_CCFILE" ]
then
$K5START_BIN -p $K5START_PIDFILE -o $NSLCD_USER -g $NSLCD_GROUP -m $K5START_MODE -f $K5START_KEYTAB -K $K5START_CCREFRESH -u $K5START_PRINCIPAL -k $K5START_CCFILE
log_end_msg $?
fi
end script
post-stop script
#upstart's env stanza seems to be a bit simplistic, so we do fancy stuff here.
NSLCD_STATEDIR=/var/run/nslcd
K5START_PIDFILE=$NSLCD_STATEDIR/k5start_nslcd.pid
NSLCD_USER=$(sed -n 's/^uid *\([^ ]*\) *$/\1/ip' $NSLCD_CFG)
NSLCD_GROUP=$(sed -n 's/^gid *\([^ ]*\) *$/\1/ip' $NSLCD_CFG)
K5START_PRINCIPAL="host/$(hostname -f)"
K5START_CCFILE=$(sed -n 's/^krb5_ccname *\(FILE:\)\?\([^: ]*\) *$/\2/ip' $NSLCD_CFG)
if [ -e /etc/default/nslcd ]
then
. /etc/default/nslcd
fi
[ -n "$K5START_PIDFILE" ] && rm -f $K5START_PIDFILE
[ -n "$K5START_CCFILE" ] && rm -f $K5START_CCFILE
end script
Raw
nslcd.conf
# for NSS and PAM modules.
#
# Adapted from the System V nslcd init script and http://ubuntuforums.org/showthread.php?t=1335022
description "LDAP connection daemon"
author "Caleb Callaway <[email protected]>"
start on (local-filesystems and net-device-up IFACE!=lo)
stop on runlevel [!2345]
expect fork
respawn
env PATH=/bin:/usr/bin:/sbin:/usr/sbin
env NSLCD_BIN=/usr/sbin/nslcd
env NSLCD_DESC="LDAP connection daemon"
env NSLCD_CFG=/etc/nslcd.conf
env NSLCD_LOGFILE="/tmp/nslcd.log"
pre-start script
[ -x "$NSLCD_BIN" ] || exit 1
end script
script
# read defaults
[ -f /etc/default/nslcd ] && . /etc/default/nslcd
# start nslcd
echo "Starting $NSLCD_DESC nslcd" > $NSLCD_LOGFILE
end script
exec $NSLCD_BIN
Raw
Process.md

#Software#

  • acl
  • attr
  • samba
  • krb5-config
  • krb5-user
  • ldap-utils
  • nscd
  • nslcd
  • ntp
  • ntpdate
  • sasl2-bin
  • kstart
  • libsasl2-modules-gssapi-mit
  • libpam-krb5

#Steps#

  1. Install Pre-requeset software.
  2. Configure NTPd to sync with AD Server
  3. edit /etc/ntp.conf
  4. stop ntpd ( service ntp stop )
  5. ntpdate {adserver}
  6. start ntpd ( service ntp start )
  7. Create DNS Entry Host with AD suffex.
  8. Configure Kerberos
  9. edit /etc/krb5.conf to match your environment. I find it useful to clean out all of the realms that come preconfigured. You should not need to do this, but there is no point in keeping them, unless you intend to offer them as authentication endpoints.
  10. Test it works by with kinit and a known account
  11. Create an account for the Host in AD
  12. In AD Users and Computers, create an account for the host using the hostname
  13. Create a very secure password and have it non-expiring
  14. Set the map the host/ services Principle to the User Account
  15. Create a keytab 1. On an Windows AD Server, create the keytab and map the user to a principle > ktpass -princ host/{hostname}.{ad_fqdn}@{ad_fqdn} -mapuser {ad_domain}\{username} -pass "{password}" -ptype KRB5_NT_PRINCIPAL -crypto ALL -out {filename} 2. Copy the keypass to the host 3. Test the keytab kinit -k -t /path/to/keytab klist
  16. Setup nslcd and k5start
  17. Copy nslcd-kerberos.conf and nslcd.conf to /etc/init/.
  18. Configure nslcd, see example-nslcd.conf
  19. Start nslcd service nslcd start.
  20. Check that /tmp/host.tkt exists.
  21. Configure nsswitch
  22. Edit /etc/nsswitch.conf and add ldap to the end of the passwd and group lines.
  23. Test with getent passwd and you should see at the bottom of the list the users in Active Directory with a unix uid.
  24. Run pam-auth-update and disable LDAP Authentication
  25. Create Home directories for the AD users. cp -r /etc/skel/ /home/$USERNAME chown $USERNAME:$GROUP -R /home/$USERNAME
  26. Update sshd to accept kerberos tokens for single-signon authentication
  27. Edit /etc/ssh/sshd_config
  28. Uncomment, Add and Set GSSAPIAuthentication and GSSAPICleanupCredentials to yes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment