[Network Administration]: Linux Kerberos Authentication and LDAP Authorization

Once principals are added to the Keberos Database, and the account information is added to the LDAP directory, then the client Linux machines can be configured to access the information and allow for network accounts to be used.

Enabling Kerberos authentication for Linux machines consists of configuring the proper PAM module. The module is in the package libpam_krb5 for Ubuntu.

sudo apt-get install libpam-krb5

A proper kerberos configuration file also needs to be created in /etc/krb5.conf. This is the same file that we used to setup the KDC and admin server, but without the logging information. It looks like this:

[libdefaults]
	default_realm = EXAMPLE.COM

[realms]
	EXAMPLE.COM = {
		kdc = kdc1.internal.example.com:88
		admin_server = kdc1.internal.example.com:749
		default_domain = example.com
	}

[domain_realm]
	example.com = EXAMPLE.COM
	.example.com = EXAMPLE.COM

Once the module and the configuration file are installed, the pam_krb5 module needs to be added to the PAM profile. I’ve assigned all kerberos network accounts with a user ID of 10000 or higher. Local accounts on machines are below 10000. I’ve updated these PAM files:

  • /etc/pam.d/common-account
    # Ensure that kerberos account exists
    account      required                                           pam_krb5.so minimum_uid=10000
    account      [success=1 new_authtok_reqd=done default=ignore]   pam_unix.so
    # here's the fallback if no module succeeds
    account      requisite                                          pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    account      required                                           pam_permit.so
    

    We ensure that the kerberos account is valid if the user account is at least the minimum user ID. If not, then it will fail.

  • /etc/pam.d/common-auth
    # Attempt to auth using kerberos if uid above 10000
    auth          [authinfo_unavail=ignore success=2 default=ignore]        pam_krb5.so minimum_uid=10000 ignore_root
    auth          [success=1 default=ignore]                        pam_unix.so try_first_pass nullok_secure
    # Here is the fall back if nothing succeeds
    auth          requisite                                         pam_deny.so
    # Prime the stack with a positive return value if there isn't ine already;
    # This avoids us returning an error just because nothing sets a sucess code
    # since the modules above will each just jump around
    auth          required                                          pam_permit.so
    auth          optional                                          pam_encryptfs.so unwrap
    auth          optional                                          pam_cap.so
    

    We first attempt to authenticate using kerberos for accounts with a user ID of at least 10000. If it succeeds, then we jump to pam_permit.so. If it fails (which will happen for user ID numbers less than 10000), we attempt to authenticate using the local unix method. If that succeeds, then we jump to pam_permit. Otherwise, fail.

  • /etc/pam.d/common-passwd
    # Attempt first with kerberos
    password     [success=2 default=ignore]                         pam_krb5.so minimum_uid=10000
    password     [success=1 default=ignore]                         pam_unix.so obscure use_authtok try_first_pass sha512
    # here's the fallback if no module succeeds
    password     requisite                                          pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    password     required                                           pam_permit.so
    password     optional                                           pam_ecryptfs.so 
    

    We first attempt to update the password through kerberos if the user ID number is at least 10000. Otherwise, we try with the local unix method. If both fail, then we fail.

  • /etc/pam.d/common-session
    # Session stack
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    session      required                                           pam_permit.so
    # The pam_umask module will set the umask according to the system default in
    # /etc/login.defs and user settings, solving the problem of different
    # umask settings with different shells, display managers, remote sessions etc.
    # See "man pam_umask".
    session      optional                                           pam_umask.so umask=0027
    session      optional                                           pam_krb5.so minimum_uid=10000
    session      required                                           pam_unix.so
    session      optional                                           pam_ecryptfs.so unwrap
    

    For the session and the next one (session-noninteractive), it will attempt to open a kerberos session.

  • /etc/pam.d/common-session-noninteractive
    # Session stack
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    session      required                                           pam_permit.so
    # The pam_umask module will set the umask according to the system default in
    # /etc/login.defs and user settings, solving the problem of different
    # umask settings with different shells, display managers, remote sessions etc.
    # See "man pam_umask".
    session      optional                                           pam_umask.so umask=0027
    session      optional                                           pam_krb5.so minimum_uid=10000
    session      required                                           pam_unix.so
    session      optional                                           pam_systemd.so 
    session      optional                                           pam_ecryptfs.so unwrap
    

The configuration for PAM doesn’t follow the official Ubuntu LTS configuration. The pam update as described in the documentation from the server guide will overwrite the original PAM modules, in which case I lose the changes that I’ve already made to the PAM configurations. Also, I’m not using the credential cache which the update added (and thus locks out accounts if it’s not installed beforehand).

Once the kerberos client has been configured, you should be able to get a ticket from the KDC:

$ kinit user1
Password for user1@EXAMPLE.COM: 
$ klist
Ticket cache: FILE:/tmp/krb5cc_20000
Default principal: user1@EXAMPLE.COM

Valid starting     Expires            Service principal
09/12/15 23:33:57  09/13/15 09:33:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 09/13/15 23:33:51

Connecting to the LDAP server is also easy. The package libnss-ldapd needs to be installed.

sudo apt-get install libnss-ldapd

The Name Service Switch module needs to have it’s configuration file, /etc/nsswitch.conf, updated. The values for passed,shadow, and group are updated to query the LDAP server in addition to the local flat files.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

These were the same 3 files that we can map our LDAP attributes onto previously when we created out network accounts. Additionally, we need to setup nslcd which will perform LDAP lookups for us. We configure the service to connect to our ldap server with the proper base. Our server is configured to support anonymous binds, so we don’t need to set a bind DN and bind password. Also, we’re not going to support password modifications by root since our passwords are in the Kerberos Database. However, we have enforced that connections need to connect either through TLS or the SSL port. We set this at the end and tell the service where it can find the CA certificate to verify the SSL certificate that the LDAP server provides to us. We demand that the server provide a valid certificate by setting “tls_reqcert hard“.

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://ldap.internal.example.com

# The search base that will be used for all queries.
base dc=example,dc=com

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never

# Adding TLS configuration
ssl start_tls
tls_reqcert hard
# point this at the standard CA1 certificate chain location
tls_cacertfile <CA certificate chain>

# The search scope.
#scope sub

After updating the nslcd configuration file, it will need to be restarted.

service nslcd restart

Once the LDAP lookups are configured, we should be able to get the proper information from it. We’ll look up the information for passwd,shadow, and group – these are the three local directories that we set to support lookups in the nsswitch.conf file and which contain the account information that our LDAP entries map onto.

$ getent passwd
<local accounts>
user1:x:20000:20000:First User:/home/user1:/bin/tcsh
$ getent shadow
user1:*:15732::::::
$ getent group
<local groups>
group1:*:20000:user1
Advertisements

2 thoughts on “[Network Administration]: Linux Kerberos Authentication and LDAP Authorization

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s