The intent of this document is to record one method of enabling Kerberos logins on a CentOS 7 system using Windows Active Directory. There are many ways to do this. For a very detailed document on all of these options, check out the Red Hat Enterprise Linux 7 Windows Integration Guide.
Note: At the time of this writing, a kickstart installation does not work correctly, possibly due to using an older version of adcli. The /etc/krb5.keytab file ends up containing entries that look like HOST/hostname.domain.com@DOMAIN.COM, which is not what sshd is expecting. The sshd service is expecting entries that look like host/hostname.domain.com@DOMAIN.COM. This causes ssh Kerberos logins to fail, printing No key table entry found matching host/hostname.domain.com@ in the error log.
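A quick way to check a host for this failure mode (an added example, not code from the original post): the functions below scan the output of klist -k for the lowercase host/ service principal that sshd needs and list any wrong-case HOST/ entries. The two keytab listings are constructed samples; on a real system pipe klist -k /etc/krb5.keytab into keytab_has_sshd_host_principal instead.

```shell
# Added example (not from the original post). Reads `klist -k` output on stdin.
# Returns 0 if at least one host/<fqdn>@REALM entry (lowercase service name,
# as sshd looks it up) is present, 1 otherwise.
keytab_has_sshd_host_principal() {
    # klist -k prints a header, then lines of the form "   2 host/fqdn@REALM";
    # grep is case-sensitive, so HOST/ entries do not count.
    grep -q '^ *[0-9][0-9]* host/[^ ]*@[^ ]*$'
}

# Print the entries that trip sshd up: service names in the wrong case.
keytab_wrong_case_principals() {
    grep '^ *[0-9][0-9]* HOST/' | awk '{print $2}'
}

# Constructed sample of a bad keytab listing, like the kickstart case above.
BAD_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/hostname.domain.com@DOMAIN.COM
   2 HOSTNAME$@DOMAIN.COM
   2 RestrictedKrbHost/hostname.domain.com@DOMAIN.COM'

# Constructed sample of a listing that sshd is happy with.
GOOD_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.domain.com@DOMAIN.COM
   2 HOSTNAME$@DOMAIN.COM'

# usage: check_listing "$LISTING"; prints a verdict and returns the check status
check_listing() {
    if printf '%s\n' "$1" | keytab_has_sshd_host_principal; then
        echo "OK: keytab has a host/ principal usable by sshd"
        return 0
    fi
    echo "FAIL: no host/ principal; wrong-case entries:"
    printf '%s\n' "$1" | keytab_wrong_case_principals
    return 1
}

# Demonstration on both constructed listings (the failing status is not propagated here).
check_listing "$BAD_KEYTAB_LISTING" || true
check_listing "$GOOD_KEYTAB_LISTING"
```

If the check fails on a joined host, leaving and re-joining the realm with a current adcli regenerates the keytab; verify again afterwards rather than assuming the join fixed it.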
Enter the following command to join DOMAIN.COM. The user given as username must have permissions to add the computer to DOMAIN.COM.
realm join -u username DOMAIN.COM
At this point, it is possible to log in to the server as long as your login name matches username@domain.com. This is not very nice, though, and only useful if you have multiple domains.
Fix this by editing /etc/sssd/sssd.conf. Add the following to the [sssd] section to automatically choose the primary domain.
[sssd]
default_domain_suffix = domain.com
Restart System Security Services Daemon (SSSD).
systemctl restart sssd
Usernames will still use a fully-qualified form to avoid conflicts with usernames from other domains. If you only have one domain, you can change this so that the short username is used instead.
To do this, edit /etc/sssd/sssd.conf. Change the use_fully_qualified_names property to False under the section specific to your domain.
[domain/domain.com]
use_fully_qualified_names = False
Restart System Security Services Daemon (SSSD).
systemctl restart sssd
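To apply both sssd.conf edits above by script instead of by hand (an added example, not code from the original post; the function names sssd_set_option and configure_single_domain are my own), the helper below sets one key directly under a named section of an INI-style file and drops any earlier copy of that key in the section, so running it twice gives the same file. It assumes only POSIX sh and awk; the sssd.conf used to exercise it is a constructed sample. You still restart sssd afterwards, exactly as the post says.

```shell
# Added example (not from the original post).
# sssd_set_option FILE SECTION KEY VALUE writes "KEY = VALUE" right under
# "[SECTION]" and removes any existing KEY line in that section; if the
# section does not exist it is appended at the end of the file.
sssd_set_option() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp) || return 1
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        /^[ \t]*\[/ {                         # a section header
            h = $0; sub(/[ \t]+$/, "", h)     # ignore trailing whitespace
            insec = (h == sec)
            print
            if (insec) { print key " = " val; seen = 1 }
            next
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { next }   # old value line: drop it
        { print }
        END { if (!seen) { print ""; print sec; print key " = " val } }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy the contents back instead of mv so the file keeps its owner and
    # mode; sssd checks the ownership and permissions of sssd.conf at start.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Apply the two edits from the post for a single-domain host.
# usage: configure_single_domain /etc/sssd/sssd.conf domain.com
configure_single_domain() {
    conf=$1 domain=$2
    sssd_set_option "$conf" sssd default_domain_suffix "$domain" &&
    sssd_set_option "$conf" "domain/$domain" use_fully_qualified_names False &&
    echo "edited $conf; now run: systemctl restart sssd"
}
```

Keeping the edit idempotent matters when this runs from configuration management on every pass: a naive "append the line" approach leaves duplicate keys, and sssd then silently uses whichever value it parses last.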
Some servers shouldn't let all users in the realm log in. To limit logins to a specific group, in this example Domain Admins, execute a command similar to the following. For more details, see the permit section of the realm man page.
realm permit --groups domain\ admins
Note: This configuration is done entirely on the client, not the server.
Configure ~/.ssh/config to include the following lines:
Host *.domain.com
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Execute the following commands to connect to the server using a Kerberos ticket.
kinit username
ssh username@host.domain.com
Note: Be sure to specify the domain. SSH will only submit the Kerberos ticket if the options are enabled and the hostname you specify matches the Host pattern in your local config file.
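To see why the short hostname does not pick up the GSSAPI options (an added example, not code from the original post): the functions below reproduce how the Host keyword in ssh_config matches the name given on the command line, with the * and ? wildcards and comma-separated or negated (!) patterns, and then walk a constructed config to report the first value of an option that applies, which is how ssh resolves options. This is an assumed subset of the ssh_config(5) rules written in plain sh, not OpenSSH's own code; on a real client, ssh -G host.domain.com prints the effective options directly.

```shell
# Added example (not from the original post): Host pattern matching as ssh_config does it.
# usage: ssh_host_matches PATTERNS HOSTNAME  -> exit 0 if HOSTNAME is covered
ssh_host_matches() {
    hostname=$2
    matched=1
    old_ifs=$IFS
    set -f                      # no pathname expansion while splitting the pattern list
    IFS=', '
    for p in $1; do
        case $p in
            !*) # a negated pattern that matches excludes the host outright
                case $hostname in ${p#!}) set +f; IFS=$old_ifs; return 1 ;; esac ;;
            *)  case $hostname in $p) matched=0 ;; esac ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $matched
}

# Constructed ~/.ssh/config: the block from the post plus a catch-all that
# turns GSSAPI off for everything else.
SSH_CONFIG='Host *.domain.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication no'

# Print the value ssh would use for OPTION when connecting to HOSTNAME:
# the first one found in a matching Host block wins, later blocks cannot override it.
# usage: ssh_effective_option "$CONFIG" HOSTNAME OPTION
ssh_effective_option() {
    host=$2 opt=$3 active=0
    while read -r key value; do        # read strips the leading indentation
        case $key in
            Host)   if ssh_host_matches "$value" "$host"; then active=1; else active=0; fi ;;
            "$opt") [ "$active" -eq 1 ] && { printf '%s\n' "$value"; return 0; } ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# Demonstration: the FQDN gets a ticket-backed login, the short name does not.
echo "host.domain.com: GSSAPIAuthentication=$(ssh_effective_option "$SSH_CONFIG" host.domain.com GSSAPIAuthentication)"
echo "host:            GSSAPIAuthentication=$(ssh_effective_option "$SSH_CONFIG" host GSSAPIAuthentication)"
```

A CanonicalizeHostname setting in ssh_config is the usual way to let short names resolve to the FQDN before Host blocks are matched, but that is outside what the post configures.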
Thank you, it helped me a lot.