@saurabh500
Last active August 23, 2017 07:47
Integrated Auth Setup for Linux

I am outlining the steps for setting up Kerberos on Ubuntu for Integrated Authentication. The Kerberos packages are installed by default on macOS, and the configuration on macOS is the same as on Ubuntu. I have tested these steps with the Integrated Auth of our development version of SqlClient on Ubuntu 14.04, Ubuntu 16.04 and macOS.

Joining the domain on Linux doesn't guarantee that a Kerberos ticket will be generated for use by GSSAPI. The following are the minimum steps necessary to test Integrated Auth on Linux. For further automation, where tickets may need to be renewed regularly or without human intervention, users can use a keytab file.

For Integrated Authentication setup on Linux

  1. Install the krb5-user package using apt-get. This provides the kinit command and the configuration files needed to interact with Active Directory.

  2. Configure the KDC in the krb5.conf file. You can also get the KDC details from your organization's domain controller admin.

    a. Getting your KDC (you may also work with your domain admin to get the details): the KDC is the key distribution center, which plays a central role in Kerberos authentication. To find the KDC of your domain on Windows, use the command

nltest /dsgetdc:REDMOND.CORP.MICROSOFT.COM

The output will look something like the following. The details here are specific to the domain that I am part of.

               DC: \\xxxx.abcd.efgh.microsoft.com
          Address: \\2001:4898:2001:33:1e98:ecff:fe28:2958
         Dom Guid: 111-2323-231312312-123123123-123123123
         Dom Name: abcd.efgh.microsoft.com
      Forest Name: corp.microsoft.com
     Dc Site Name: NA-WA-TUKDC
    Our Site Name: NA-WA-RED
    The command completed successfully

The KDC is the host shown after DC. In the above example it is xxxx.abcd.efgh.microsoft.com (the leading backslashes are not part of the host name).

b. Configuring the KDC in krb5.conf: edit /etc/krb5.conf in an editor of your choice and configure the following keys.

    [libdefaults]
        # realm names are case-sensitive and must be upper case
        default_realm = ABCD.EFGH.MICROSOFT.COM

    [realms]
        # the realm configured here must be the one used as default_realm
        REDMOND.CORP.MICROSOFT.COM = {
            # host name from the DC line of the nltest output (no backslashes)
            kdc = xxxx.abcd.efgh.microsoft.com
        }

For the kdc value, use the DC host from the nltest command in step 2.a. The realm name should be in all capitals. Save the krb5.conf file and exit.

  3. Testing Ticket Granting Ticket (TGT) retrieval.

    a. Use the command kinit username@REDMOND.CORP.MICROSOFT.COM to get a TGT from the KDC. You will be prompted for your domain password.

    b. Use klist to see the available tickets. If kinit was successful, you should see a ticket for krbtgt/ABCD.EFGH.MICROSOFT.COM@REDMOND.CORP.MICROSOFT.COM.

Example:

    sausing@sqlubuntu1604:~/corefx/src/System.Data.SqlClient/src$ klist
    Ticket cache: FILE:/tmp/krb5cc_10000
    Default principal: user@ABCD.EFGH.MICROSOFT.COM

    Valid starting       Expires              Service principal
    01/10/2017 17:56:41  01/11/2017 03:56:41  krbtgt/ABCD.EFGH.MICROSOFT.COM@ABCD.EFGH.MICROSOFT.COM
            renew until 01/11/2017 17:56:37
    sausing@sqlubuntu1604:~/corefx/src/System.Data.SqlClient/src$
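As an added example (not part of the original gist), the following POSIX shell script checks the two things in steps 2.b and 3 that most often go wrong: the realm in krb5.conf must be upper case and have a kdc entry under [realms], and the klist output must contain a krbtgt ticket for that realm. All realm and host names in it are constructed placeholders.

```shell
# Added example, not from the original gist: verify a krb5.conf against the
# pitfalls described above (realm not upper case, no kdc under [realms] for
# default_realm) and check saved klist output for a TGT. Names are placeholders.

# Print the kdc configured for default_realm; fail with a message otherwise.
check_krb5_conf() {
    conf="$1"
    realm=$(awk '$1 == "default_realm" && $2 == "=" { print $3; exit }' "$conf")
    [ -n "$realm" ] || { echo "no default_realm in $conf" >&2; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "default_realm '$realm' must be upper case" >&2; return 1; }
    kdc=$(awk -v r="$realm" '
        $1 ~ /^\[/                                  { sect = $1 }        # section header
        sect == "[realms]" && $1 == r && $3 == "{"  { inside = 1; next }  # stanza for our realm
        inside && $1 == "}"                         { inside = 0 }
        inside && $1 == "kdc" && $2 == "="          { print $3; exit }
    ' "$conf")
    [ -n "$kdc" ] || { echo "no kdc entry for $realm under [realms]" >&2; return 1; }
    printf '%s\n' "$kdc"
}

# Succeed when the saved klist output lists a krbtgt ticket for the realm.
has_tgt() {
    grep -q "krbtgt/$2@$2" "$1"
}

# Constructed inputs: a correct krb5.conf, one with a lower-case realm, and
# klist output shaped like the one shown above.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp); KLIST_OUT=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.CORP.CONTOSO.COM
[realms]
    EXAMPLE.CORP.CONTOSO.COM = {
        kdc = dc01.example.corp.contoso.com
    }
EOF
cat > "$BAD_CONF" <<'EOF'
[libdefaults]
    default_realm = example.corp.contoso.com
EOF
cat > "$KLIST_OUT" <<'EOF'
Default principal: user@EXAMPLE.CORP.CONTOSO.COM
Valid starting       Expires              Service principal
01/10/2017 17:56:41  01/11/2017 03:56:41  krbtgt/EXAMPLE.CORP.CONTOSO.COM@EXAMPLE.CORP.CONTOSO.COM
EOF
check_krb5_conf "$GOOD_CONF"                              # prints dc01.example.corp.contoso.com
check_krb5_conf "$BAD_CONF" || echo "lower-case realm rejected"
has_tgt "$KLIST_OUT" EXAMPLE.CORP.CONTOSO.COM && echo "TGT present"
```

Run it against the real /etc/krb5.conf and a saved `klist > klist.txt` by passing those paths to the two functions instead of the constructed files.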
@meet-bhagdev

Do I also need to configure my DNS for the domain controller? E.g., the /etc/network/interfaces file?
