Matt Hargrave robert.hargrave@gmfinancial.com GM Financial Authenticate local Linux accounts against Windows Active Directory
Overview • What is Kerberos • Kerberos vs LDAP • PAM • pam_krb5 • Setup • krb5.conf • sshd • sudo • httpd • Samba • Moving Forward
What we needed • Have a single password for every user for every service • Maintain control of users on a server level • Use a universal (secure) authentication mechanism
Kerberos • Developed at MIT and released as open source in 1987 • Named after the three-headed dog that guarded the gates of Hades • Version 5 • Uses tickets to authenticate • Everyone uses it
Why Kerberos and not LDAP? • Pros • Quick and Simple • Control over users • Three headed dog (Cerberus) • Cons • User Management • Dependent on Windows Server
Pluggable Authentication Module • High-level interface to low-level schemes • Supported on a plethora of Unix and Unix-like systems
The magic is in pam_krb5 • Developed by Red Hat (Nalin Dahyabhai) • Aims to work with minimal configuration
Setup... yum install pam_krb5 krb5-workstation
/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = SERVER1.EXAMPLE.COM:88
        admin_server = SERVER1.EXAMPLE.COM:749
        kdc = SERVER2.EXAMPLE.COM:88
        admin_server = SERVER2.EXAMPLE.COM:749
        default_domain = EXAMPLE.COM
    }
[domain_realm]
    .EXAMPLE.COM = EXAMPLE.COM
    .TEST.EXAMPLE.COM = EXAMPLE.COM
[logging]
    kdc = SYSLOG:INFO
    admin_server = FILE=/var/krb5/log/kadmin.log
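An added example, not part of the original slides: a small Python parser for the krb5.conf layout shown above, with checks for the mistakes that break this kind of AD setup (no default_realm, a realm with no kdc line, a domain_realm mapping to a realm that has no KDC list). The sample file is constructed from the slide and the .LAB.EXAMPLE.COM line is a deliberately broken mapping.

```python
# Added example (not from the slides): parse the krb5.conf subset used above and
# flag setup mistakes. Sample is constructed, with one broken [domain_realm] line.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = SERVER1.EXAMPLE.COM:88
  admin_server = SERVER1.EXAMPLE.COM:749
  kdc = SERVER2.EXAMPLE.COM:88
  default_domain = EXAMPLE.COM
 }
[domain_realm]
 .EXAMPLE.COM = EXAMPLE.COM
 .TEST.EXAMPLE.COM = EXAMPLE.COM
 .LAB.EXAMPLE.COM = LAB.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a REALM = { ... } block nests one level."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None  # end of a realm block
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))  # first '=' only
            if value == "{":
                block = section.setdefault(key, {})
            else:  # repeated keys (the two kdc lines) are kept in order as a list
                (block if block is not None else section).setdefault(key, []).append(value)
    return conf

def check_krb5_conf(conf):
    """Flag a missing/unknown default_realm, realms with no kdc, and bad mappings."""
    realms, problems = conf.get("realms", {}), []
    default = conf.get("libdefaults", {}).get("default_realm")
    if not default:
        problems.append("no default_realm in [libdefaults]")
    elif default[0] not in realms:
        problems.append(f"default_realm {default[0]} not in [realms]")
    problems += [f"realm {n} has no kdc" for n, r in realms.items() if not r.get("kdc")]
    for domain, targets in conf.get("domain_realm", {}).items():
        problems += [f"{domain} maps to undefined realm {r}" for r in targets if r not in realms]
    return problems
```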
SSHD • /etc/ssh/sshd_config • UsePAM yes • KerberosAuthentication no • Setting this option to yes also works perfectly fine; however, it bypasses the PAM stack below. • /etc/pam.d/sshd
SSHD Cont…
#%PAM-1.0
auth       required     pam_nologin.so
auth       sufficient   pam_unix.so shadow md5 likeauth nullok
auth       requisite    pam_succeed_if.so uid >= 200 quiet
auth       sufficient   pam_krb5.so
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so
password   required     pam_unix.so shadow md5 nullok use_authtok
session    required     pam_unix.so
session    required     pam_limits.so
session    optional     pam_krb5.so
session    required     pam_selinux.so close
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
SUDO /etc/pam.d/sudo
#%PAM-1.0
auth       sufficient   pam_unix.so
auth       sufficient   pam_krb5.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
HTTPD • auth_kerb_module • .htaccess
AuthType Kerberos
KrbAuthRealm EXAMPLE.COM
KrbMethodNegotiate off
KrbVerifyKDC off
Require valid-user
AuthGroupFile /path/to/file
Samba • /etc/samba/smb.conf
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
client NTLMv2 auth = YES
• net ads join -Uadministrator
Things to consider... • root (or an account with sudo access) should keep a local password as a backdoor (local fallback) • DNS bug?
Moving Forward • SSSD (System Security Services Daemon) • Identity Management (FreeIPA)