Ubuntu/Linux Active Directory Kerberos Authentication
# nslcd configuration: resolve POSIX users/groups from Active Directory over
# LDAP, authenticating to the directory with Kerberos (GSSAPI) rather than a
# bind password.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
# Two domain controllers are listed; presumably used as fallbacks in order
# (see nslcd.conf(5) for the exact semantics of multiple URIs).
uri ldap://ad2.lcc-sa.sa.lcc.lca.org.au ldap://adprinter.lcc-sa.sa.lcc.lca.org.au
# The search base that will be used for all queries.
base DC=lcc-sa,DC=sa,DC=lcc,DC=lca,DC=org,DC=au
scope sub
# binddn/bindpw are commented out: the directory is queried with GSSAPI
# credentials (see sasl_mech below) instead of a simple bind.
# NOTE(review): the bindpw value on the next lines was published with this
# gist, so that credential should be treated as compromised — rotate the
# ldapquery account's password and delete the line rather than keeping it
# commented out.
#binddn CN=ldapquery,CN=Users,DC=lcc-sa,DC=sa,DC=lcc,DC=lca,DC=org,DC=au
#bindpw zTbeUKylRhlXsvLNHXdPwHWfIsWpNiDuuAAXhdmgJRBUHIvNeULZrBLgWVey
# NOTE(review): use_sasl is left commented out; confirm that this nslcd
# version enables SASL from sasl_mech alone (see nslcd.conf(5)).
#use_sasl on
sasl_mech GSSAPI
# Template placeholder: replace with the Kerberos realm (usually the AD
# domain name in upper case).
sasl_realm {{FULLY.QUALIFIED.DOMAIN}}
# Credentials cache for the host principal. The accompanying nslcd-k5start
# upstart job creates it and sets owner nslcd with mode 600. /tmp is a
# shared directory; a path under the nslcd state directory would keep the
# cache out of it.
krb5_ccname FILE:/tmp/host.tkt
# Directory entries with a uidNumber below this value are not returned,
# keeping local system accounts distinct from AD-provided ones.
nss_min_uid 9999
# Only user objects (not computer accounts) that carry the POSIX attributes
# uidNumber and unixHomeDirectory are exposed as passwd entries.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
# Map AD attribute names onto the passwd fields nslcd expects.
map passwd uid sAMAccountName
map passwd uidnumber uidNumber
map passwd homedirectory unixHomeDirectory
map passwd loginshell loginShell
map passwd gecos displayName
# shadow entries use the same selection as passwd.
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
# All group objects; membership comes from the member attribute, which in
# AD typically holds DNs rather than user names.
filter group (objectClass=group)
map group member member
# nslcd-k5start - Maintain a Kerberos ticket cache for nslcd
# Adapted from the System V nslcd init script
description "Maintain a Kerberos ticket cache for nslcd"
author "Caleb Callaway <enlightened.despot@gmail.com>"
start on starting nslcd
stop on stopping nslcd
env PATH=/bin:/usr/bin:/sbin:/usr/sbin
env NSLCD_CFG=/etc/nslcd.conf
env K5START_BIN=/usr/bin/k5start
env K5START_DESC="Kerberos cache maintainer for nslcd"
env NSLCD_USER=nslcd
env NSLCD_GROUP=nslcd
env K5START_MODE=600
env K5START_KEYTAB=/etc/krb5.keytab
env K5START_CCREFRESH=60
env K5START_LOGFILE="/tmp/nslcd-k5start.log"
pre-start script
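# pre-start: obtain the initial host credentials cache before nslcd itself
# starts (nslcd reads the cache named by krb5_ccname in $NSLCD_CFG).
# upstart runs this stanza as root under "sh -e": any failing command
# aborts the job.
[ -f "$NSLCD_CFG" ] || exit 1
# upstart's env stanza does not expand commands, so anything derived from
# the config file or the hostname is computed here (and again in the other
# stanzas, which run in separate shells).
NSLCD_STATEDIR=/var/run/nslcd
K5START_PIDFILE="$NSLCD_STATEDIR/k5start_nslcd.pid"
# Take uid/gid from nslcd.conf when present, otherwise keep the env defaults.
# The sed "i" flag (case-insensitive match) and "\?" are GNU extensions.
cfg_user=$(sed -n 's/^uid *\([^ ]*\) *$/\1/ip' "$NSLCD_CFG")
if [ -n "$cfg_user" ]; then
  NSLCD_USER=$cfg_user
fi
cfg_group=$(sed -n 's/^gid *\([^ ]*\) *$/\1/ip' "$NSLCD_CFG")
if [ -n "$cfg_group" ]; then
  NSLCD_GROUP=$cfg_group
fi
K5START_PRINCIPAL="host/$(hostname -f)"
# Path of the cache with an optional "FILE:" prefix stripped; a krb5_ccname
# of another type (for example DIR:) does not match and leaves this empty.
K5START_CCFILE=$(sed -n 's/^krb5_ccname *\(FILE:\)\?\([^: ]*\) *$/\2/ip' "$NSLCD_CFG")
# Local overrides, if any.
if [ -e /etc/default/nslcd ]; then
  . /etc/default/nslcd
fi
# Make sure the state directory (pid file location) exists and belongs to
# the nslcd user. A failed mkdir now aborts the job instead of being ignored.
if [ ! -d "$NSLCD_STATEDIR" ]; then
  mkdir -m 755 "$NSLCD_STATEDIR"
  chown "$NSLCD_USER:$NSLCD_GROUP" "$NSLCD_STATEDIR"
fi
# NOTE(review): K5START_LOGFILE defaults to a fixed name under /tmp and is
# appended to by root; a predictable path in a shared directory is a
# symlink risk — prefer a location under /var/log.
{
  date
  echo "Initializing credentials cache."
  echo "Init command: \"/usr/bin/kinit -V -c $K5START_CCFILE -k -t $K5START_KEYTAB $K5START_PRINCIPAL\""
} >> "$K5START_LOGFILE"
# Make sure we have a credentials cache before nslcd starts.
/usr/bin/kinit -V -c "$K5START_CCFILE" -k -t "$K5START_KEYTAB" "$K5START_PRINCIPAL" >> "$K5START_LOGFILE" 2>&1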
end script
script
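# Main process: keep the host credentials cache fresh with k5start for as
# long as nslcd runs. Runs as root under "sh -e".
# upstart's env stanza does not expand commands, so derived values are
# recomputed here (pre-start and post-stop run in separate shells).
NSLCD_STATEDIR=/var/run/nslcd
K5START_PIDFILE="$NSLCD_STATEDIR/k5start_nslcd.pid"
# Take uid/gid from nslcd.conf when present, otherwise keep the env defaults.
# The sed "i" flag (case-insensitive match) and "\?" are GNU extensions.
cfg_user=$(sed -n 's/^uid *\([^ ]*\) *$/\1/ip' "$NSLCD_CFG")
if [ -n "$cfg_user" ]; then
  NSLCD_USER=$cfg_user
fi
cfg_group=$(sed -n 's/^gid *\([^ ]*\) *$/\1/ip' "$NSLCD_CFG")
if [ -n "$cfg_group" ]; then
  NSLCD_GROUP=$cfg_group
fi
K5START_PRINCIPAL="host/$(hostname -f)"
# Path of the cache with an optional "FILE:" prefix stripped; a krb5_ccname
# of another type does not match and leaves this empty.
K5START_CCFILE=$(sed -n 's/^krb5_ccname *\(FILE:\)\?\([^: ]*\) *$/\2/ip' "$NSLCD_CFG")
# Local overrides, if any.
if [ -e /etc/default/nslcd ]; then
  . /etc/default/nslcd
fi
# NOTE(review): K5START_LOGFILE defaults to a fixed name under /tmp and is
# appended to by root; a predictable path in a shared directory is a
# symlink risk — prefer a location under /var/log.
echo "Starting daemon" >> "$K5START_LOGFILE"
echo "Command: \"$K5START_BIN -p $K5START_PIDFILE -o $NSLCD_USER -g $NSLCD_GROUP -m $K5START_MODE -f $K5START_KEYTAB -K $K5START_CCREFRESH -u $K5START_PRINCIPAL -k $K5START_CCFILE\"" >> "$K5START_LOGFILE"
# Only use k5start when it is installed, nslcd.conf selects GSSAPI and a
# FILE: credentials cache path was found.
if [ -x "$K5START_BIN" ] \
  && grep -q '^sasl_mech *GSSAPI$' "$NSLCD_CFG" \
  && [ -n "$K5START_CCFILE" ]; then
  # Without k5start's -b option the command is expected to stay in the
  # foreground, so this line returns only when k5start exits — confirm.
  # The original called log_end_msg here, an LSB init-functions helper that
  # nothing in this stanza sources; record the exit status in the log instead
  # and pass it on as the job's status.
  rc=0
  "$K5START_BIN" -p "$K5START_PIDFILE" -o "$NSLCD_USER" -g "$NSLCD_GROUP" \
    -m "$K5START_MODE" -f "$K5START_KEYTAB" -K "$K5START_CCREFRESH" \
    -u "$K5START_PRINCIPAL" -k "$K5START_CCFILE" || rc=$?
  echo "k5start exited with status $rc" >> "$K5START_LOGFILE"
  exit "$rc"
fi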
end script
post-stop script
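# post-stop: remove what k5start left behind. Only the pid file and cache
# paths are needed here, so the user/group/principal lookups done by the
# other stanzas are omitted. Runs as root under "sh -e".
# upstart's env stanza does not expand commands, so derived values are
# recomputed here.
NSLCD_STATEDIR=/var/run/nslcd
K5START_PIDFILE="$NSLCD_STATEDIR/k5start_nslcd.pid"
# Path of the cache with an optional "FILE:" prefix stripped; a krb5_ccname
# of another type does not match and leaves this empty.
K5START_CCFILE=$(sed -n 's/^krb5_ccname *\(FILE:\)\?\([^: ]*\) *$/\2/ip' "$NSLCD_CFG")
# Local overrides, if any.
if [ -e /etc/default/nslcd ]; then
  . /etc/default/nslcd
fi
# Each removal is guarded so an empty variable never reaches rm, and the
# stanza exits 0 even when there is nothing to remove.
if [ -n "$K5START_PIDFILE" ]; then
  rm -f -- "$K5START_PIDFILE"
fi
if [ -n "$K5START_CCFILE" ]; then
  rm -f -- "$K5START_CCFILE"
fi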
end script
# for NSS and PAM modules.
#
# Adapted from the System V nslcd init script and http://ubuntuforums.org/showthread.php?t=1335022
description "LDAP connection daemon"
author "Caleb Callaway <enlightened.despot@gmail.com>"
start on (local-filesystems and net-device-up IFACE!=lo)
stop on runlevel [!2345]
expect fork
respawn
env PATH=/bin:/usr/bin:/sbin:/usr/sbin
env NSLCD_BIN=/usr/sbin/nslcd
env NSLCD_DESC="LDAP connection daemon"
env NSLCD_CFG=/etc/nslcd.conf
env NSLCD_LOGFILE="/tmp/nslcd.log"
pre-start script
# Refuse to start the job unless the nslcd binary is present and executable.
if [ ! -x "$NSLCD_BIN" ]; then
  exit 1
fi
end script
script
# read defaults
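# Read distribution defaults; they may override the NSLCD_* values from the
# env stanza. Runs as root under "sh -e".
if [ -f /etc/default/nslcd ]; then
  . /etc/default/nslcd
fi
# NOTE(review): NSLCD_LOGFILE defaults to a fixed name under /tmp and is
# truncated by root here; a predictable path in a shared directory is a
# symlink risk — prefer a location under /var/log.
echo "Starting $NSLCD_DESC nslcd" > "$NSLCD_LOGFILE"
# NOTE(review): this job also carries a top-level 'exec $NSLCD_BIN' after
# 'end script'. An upstart job takes either 'exec' or 'script', not both,
# so the daemon is presumably meant to be started from this stanza — confirm.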
end script
exec $NSLCD_BIN

# Software

  • acl
  • attr
  • samba
  • krb5-config
  • krb5-user
  • ldap-utils
  • nscd
  • nslcd
  • ntp
  • ntpdate
  • sasl2-bin
  • kstart
  • libsasl2-modules-gssapi-mit
  • libpam-krb5

# Steps

  1. Install the prerequisite software.
  2. Configure NTPd to sync with AD Server
  3. edit /etc/ntp.conf
  4. stop ntpd ( service ntp stop )
  5. ntpdate {adserver}
  6. start ntpd ( service ntp start )
  7. Create a DNS entry for the host with the AD suffix.
  8. Configure Kerberos
  9. edit /etc/krb5.conf to match your environment. I find it useful to clean out all of the realms that come preconfigured. You should not need to do this, but there is no point in keeping them, unless you intend to offer them as authentication endpoints.
  10. Test that it works with kinit and a known account.
  11. Create an account for the Host in AD
  12. In AD Users and Computers, create an account for the host using the hostname
  13. Create a very secure password and have it non-expiring
  14. Map the host/ service principal to the user account.
  15. Create a keytab: (1) on a Windows AD server, create the keytab and map the user to a principal: `ktpass -princ host/{hostname}.{ad_fqdn}@{ad_fqdn} -mapuser {ad_domain}\{username} -pass "{password}" -ptype KRB5_NT_PRINCIPAL -crypto ALL -out (unknown)`; (2) copy the keytab to the host; (3) test the keytab with `kinit -k -t /path/to/keytab` followed by `klist`.
  16. Setup nslcd and k5start
  17. Copy nslcd-kerberos.conf and nslcd.conf to /etc/init/.
  18. Configure nslcd, see example-nslcd.conf
  19. Start nslcd (`service nslcd start`).
  20. Check that /tmp/host.tkt exists.
  21. Configure nsswitch
  22. Edit /etc/nsswitch.conf and add ldap to the end of the passwd and group lines.
  23. Test with `getent passwd`; the Active Directory users that have a Unix uid should appear at the bottom of the list.
  24. Run pam-auth-update and disable LDAP Authentication
  25. Create home directories for the AD users: `cp -r /etc/skel/ /home/$USERNAME` and then `chown $USERNAME:$GROUP -R /home/$USERNAME`.
  26. Update sshd to accept Kerberos tokens for single sign-on authentication.
  27. Edit /etc/ssh/sshd_config
  28. Uncomment (or add) GSSAPIAuthentication and GSSAPICleanupCredentials and set both to yes.