Kerberos

You are currently browsing articles tagged Kerberos.

Greater AD Integration via NFS and Automounts

Tuesday, November 21, 2006 in Interoperability by slowe | 42 comments

This solution builds upon the integration of Solaris 10 and Linux (again, CentOS specifically, but I’ll use Linux here instead of mentioning the specific distribution) into Active Directory for authentication and authorization as outlined in these related articles:

Refined Solaris 10-AD Integration Instructions
Linux, Active Directory, and Windows Server 2003 R2 Revisited

In these articles, we describe a configuration whereby we can use Kerberos against Active Directory for authentication, and LDAP against Active Directory for user and group lookups.  This allows us to centralize the user account information (username, UID number, home directory, login shell, etc.) into Active Directory so that when an account is provisioned in AD it is also available to associated UNIX and Linux systems (as applicable).  Using the information in this article, we can extend that integration to auto-mounted shared home directories between Solaris and Linux.

We’ll accomplish this by using the UNIX interoperability tools included in Windows Server 2003 R2; namely, the Server for NFS, Server for NIS, and the User Name Mapping Server.  On the Solaris and Linux side, we’ll use autofs.

OK, let’s dive right in.

Configuring Solaris

Configuring Solaris is pretty straightforward; it’s pretty much designed out of the box to use auto-mounted home directories.  This is one area where Solaris shows its enterprise pedigree (that’s not a knock against Linux, just an observation about Solaris).

The only real change that needs to be made is to the /etc/auto_home file, which specifies the auto-mounted home directory mappings.  The easiest thing to do is use a wildcard mapping, like this:

*   nfssrvr.example.com:/home/&

Here, the asterisk (*) and the ampersand (&) will be replaced with the appropriate information.  So, if a user name “bjones” logs on, then the the /home/bjones NFS share on the server nfssrvr.example.com would be mounted on /home/bjones on the Solaris server.  Useful, eh?

Note that autofs may be disabled in your installation of Solaris; it wasn’t in mine, but I’ve seen references elsewhere that this is not typical.  Use these commands to check the status and enable autofs, if necessary:

svcs -a | grep autofs
svcadm -v enable svc:/system/filesystem/autofs

At this point, Solaris should be ready to go.  Let’s look at the Linux configuration.

Configuring Linux

The Linux configuration is only slightly more complicated than the Solaris configuration.  Whereas Solaris uses /etc/auto_master to define the automounted filesystems, autofs on Linux uses /etc/auto.master, and it does not (by default, as far as I can tell) define a map for automounted home directories.

So we must first edit /etc/auto.master and add the following line:

/home   /etc/auto.home

This tells autofs to look in the file /etc/auto.home to find the automounted directories under /home.  Then we create the /etc/auto.home file with the following line:

*   nfssrvr.example.com:/home/&

(Just like the Solaris box in this case.)  Finally, we can check for the autofs startup status, fix it, and start autofs with the following commands, respectively:

chkconfig --list autofs
chkconfig autofs on
service autofs start

In fact, you will need to restart the autofs daemon (with “service autofs restart”) in order for the changes to /etc/auto.master and /etc/auto.home to be recognized.  (The same goes for Solaris, too, only using the “svcadm -v restart svc:/system/filesystem/autofs” command instead.)

To further streamline any differences between Solaris and Linux, I also created a /export/home on the Linux server, in the event I wanted/needed local home directories as well.  Please note that I would need to modify the /etc/auto.home (on Linux) or /etc/auto_home (on Solaris) as well if this were the case.

Now that Linux and Solaris are both done, let’s have a look at configuring the UNIX interoperability components on Windows.

Configuring Windows (NFS, NIS, and User Name Mapping)

Surprisingly enough, this part was the hardest part for me.  I don’t know if it was the documentation (if it can be called that) or something else, but I had a hard time with this.  Hopefully the information I share here can help someone else avoid this headache.

Configuring the Domain Controllers

On the domain controllers in your Active Directory domain, install the following components:

  • Server for NIS and Administration Components (under Active Directory Services > Identity Management for UNIX)
  • Microsoft Services for NFS Administration, RPC External Data Representation, RPC Port Mapper, Server for NFS Authentication, and User Name Mapping (under Other Network File and Print Services > Microsoft Services for NFS)

It may be possible to get by with less than that installed, but I couldn’t get it working until all of those are installed.  If you’ve followed my instructions for AD integration, the Server for NIS and Administration Components are probably already installed, as those expose the “UNIX Attributes” tab in Active Directory Users & Computers.

Once these are installed, use these steps to configure them appropriately:

  1. Using the Services MMC, make sure that Server for NIS is running.
  2. In the Microsoft Services for NFS MMC, right-click on “Microsoft Services for NFS” and select Properties.  Specify the name of the DC as the “User Name Mapping Server”, check the box labeled “Active Directory Lookup”, and specify the name of the Active Directory domain.  Click OK to save those changes and close the dialog box.
  3. Still in Microsoft Services for NFS MMC console, right-click User Name Mapping and select Properties.  Go to the “Simple Mapping” tab, check the box marked “Use simple maps”, and then add one of the DCs from the domain that’s running Server for NIS at the bottom of the dialog box.
  4. Right-click on both User Maps and Group Maps and select “Show simple maps,” then click Refresh.  You should see a list of the users in Active Directory that have been UNIX-enabled, i.e., have UNIX attributes specified for their account.  At this point, you can close the Microsoft Services for NFS MMC.

The DC should now be ready to go.  It’s time to move to the file server.

Configuring the File Server

We need to install the Server for NFS component on the file server that will host our automounted home directories.  The Server for NFS is found under “Other Network File and Print Services” in Add Windows Components.

Once that has been installed, repeat step #2 above (configuring the User Name Mapping Server and Active Directory lookup) on the file server.

We’re now ready to create some NFS shares.  Right-click the folder you’d like to share via NFS (I created a folder named “home”—I know, not very creative) and shared that via NFS (there’s an NFS Sharing tab when you open the properties for the folder).  When specifying the share name, be wary of the case since UNIX/Linux are cAsE sEnSiTiVe.  (It’s probably best to stick to all lowercase.)  If you want to allow anonymous access and/or root access, configure it appropriately at this point.

Word of warning:  be sure to include UNIX-enabled groups and/or users in the NTFS access control list for the folder and containing files!  This one threw me for a loop.  At first, I didn’t have any UNIX-enabled groups in the ACL and I kept getting “insufficient permissions” errors when trying to mount the share via NFS.  It wasn’t until I ensured that at least one UNIX-enabled group had read permission to the folder that things started working as expected.

To test your NFS share, use this command from Solaris or Linux, respectively:

mount -F nfs nfssrvr.example.com:/home/nfs /mnt/nfs (for Solaris)
mount -t nfs nfssrvr.example.com:/home/nfs /mnt/nfs (for Linux)

If this mounts the NFS share without any problems, then you should be ready to roll.

(Note:  In case you hadn’t already picked this up, one advantage of using a Windows NFS server is that we can also share the same folder via CIFS/SMB and create unified home directories for Solaris, Linux, and Windows.)

Now, upon logging in to either Solaris or Linux (I tested this via SSH), you should get dropped into “/home/username” (assuming that’s where you configured the automounter to mount the NFS share) automatically.

How I Tested

I tested this procedure using Solaris 10 6/06 and CentOS 4.3.  These systems were configured for Active Directory integration and native Kerberos logons via SSH.  I used Windows Server 2003 R2 Standard Edition for the NFS server, and Windows Server 2003 R2 Standard Edition for the Active Directory domain controllers.  All of these systems were created as virtual machines hosted on a VMware Virtual Infrastructure 3 server farm with servers running ESX Server 3.0.1.

Tags: , , , , , , , , ,

Event Logging in AD Integration Scenarios

Monday, October 23, 2006 in Interoperability, Security by slowe | 2 comments

To test what kind of logging occurs, I simply used my existing installation of Windows Server 2003 R2 and Active Directory, for which the logging options had not been modified from their “out of the box” settings.  From there, I cleared the security event logs and then attempted an SSH login to a CentOS 4.3 server that has been configured for AD authentication via Kerberos (through PAM, not directly inside SSH).

After the login, I reviewed the event logs and found a large number of entries for the LDAP bind account (the account that is used to bind to Active Directory to retrieve account information, such as UID number, GID number, login shell, home directory, etc.).  These are useless for identifying unique logons to Linux/Unix-based systems.  However, there is one event that is useful—an event ID 672 with the following text:

Authentication Ticket Request:
 	User Name:		bjones
 	Supplied Realm Name:	EXAMPLE.NET
 	User ID:			EXAMPLE\bjones
 	Service Name:		krbtgt
 	Service ID:		EXAMPLE\krbtgt
 	Ticket Options:		0x40800000
 	Result Code:		-
 	Ticket Encryption Type:	0x17
 	Pre-Authentication Type:	2
 	Client Address:		172.16.28.111
 	Certificate Issuer Name:
 	Certificate Serial Number:
 	Certificate Thumbprint:	

For more information, see Help and Support Center at 

http://go.microsoft.com/fwlink/events.asp.

As you can see, this entry clearly identifies the user that was authenticated as well as the IP address of the host to which the user logged in.  Note that the IP address of the workstation from which the user logon originated is not captured here.

OK, that takes care of the typical Linux system.  Now, what about Solaris 10?  I cleared the security event logs (saving them) and attempted an SSH logon to a Solaris server.  As it turns out, Solaris 10 logs two event entries—event ID 672, as above, as well as event ID 673.  The text for event ID 673 is as follows:

Service Ticket Request:
 	User Name:		bjones@EXAMPLE.NET
 	User Domain:		EXAMPLE.NET
 	Service Name:		host-solarishost01
 	Service ID:		EXAMPLE\host-solarishost01
 	Ticket Options:		0x40800000
 	Ticket Encryption Type:	0x3
 	Client Address:		172.16.28.112
 	Failure Code:		-
 	Logon GUID:		{3a653f45-928c-1f72-2c59-ca951986ac42}
 	Transited Services:	-

For more information, see Help and Support Center at 

http://go.microsoft.com/fwlink/events.asp.

This provides the same sort of information as well as the name of the service ticket that was requested by the host.  (Keep in mind, too, that Solaris 10 logged both the event ID 672 and event ID 673, whereas CentOS logged only the event ID 672.)

But what about “native” Kerberos authentication, when a Kerberos ticket is used to authenticate the user?  In this case, I tested three different operating systems:  CentOS 4.3, Solaris 10, and OpenBSD 3.9.  In all three cases an event ID 673, similar to above, was logged.  However, this time it was the IP address of my actual workstation—not the IP address of the server—that was included in the event log text.

In all of the tested scenarios, there was information that identified the specific account that was being authenticated.  However, depending upon whether PAM was involved, the Windows event logs may or may not capture the actual IP address of the originating workstation.  In almost all cases, though, the logs on the Linux, Solaris, or OpenBSD server would capture the IP address of the originating workstation, even if the Windows event logs did not.

Tags: , , , , , , , , , ,

No Broad OpenBSD-AD Integration

Monday, October 16, 2006 in Interoperability, UNIX by slowe | 1 comment

After doing some additional research on the authentication architecture for OpenBSD, I learned that OpenBSD does not support PAM (Pluggable Authentication Mechanism), nor does OpenBSD support NSS (Name Switch Service).  I found this particularly interesting, but not terribly surprising as the OpenBSD leaders have made it very clear that they won’t include software that doesn’t meet their stringent security and licensing requirements.  I suppose that’s a good thing, even if it does make certain tasks impossible.

In any case, I did find some veiled references to login_ldap, which uses the underlying bsd_auth mechanism employed by OpenBSD.  Unfortunately (again), not all the software installed with OpenBSD supports bsd_auth and therefore also doesn’t support login_ldap.

There is a bright spot here, though, and that’s OpenSSH.  OpenSSH supports native Kerberos authentication, i.e., passwordless authentication from a Kerberized SSH client to the OpenSSH daemon, which is itself Kerberized.  I wrote about passwordless Kerberos authentication for Linux and Solaris a while ago; it turns out the process is almost identical for OpenBSD.

To enable native Kerberos authentication in OpenSSH, make sure the following commands are present in the sshd_config file (typically found at /etc/ssh):

KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Be sure to restart the SSH daemon after making these changes.

Also, configure the krb5.conf file (found in OpenBSD at /etc/kerberosV—note the capitalization!) appropriately; refer to any of the Kerberos-related articles here for more information on the appropriate configuration.  For this test, I also created a keytab (using ktpass.exe) and placed it in the /etc/kerberosV directory as well.  I don’t know for sure if that’s required.  As I have time, I’ll do some additional testing and try to find out.

Because there is no NSS support in OpenBSD, you’ll need to maintain accounts (but not passwords) in the local files.  So, to test this, first be sure to create an account (using useradd), create the home directory, and assign appropriate permissions to the home directory.  Otherwise, it won’t work.

Once the configuration changes have been made, SSHd has been restarted, and a local account created, SSH connections from a Kerberos-enabled client (with a valid Kerberos ticket) should just work without any prompt for password.

Although this doesn’t provide the broad integration with Active Directory that some may be seeking, it can at least help with SSH access to the OpenBSD systems, and that’s better than nothing.

Tags: , , , , ,

Refined Solaris 10-AD Integration Instructions

Monday, October 16, 2006 in Interoperability, UNIX by slowe | 115 comments

The original instructions are found here.  Note, however, that this post contains all the information from the original post plus a few added points found during the latest run through the steps.

Assumptions

This procedure assumes that you are using Windows Server 2003 R2; if you are using a previous version, the LDAP attribute mapping will need to be modified to match the schema extensions found in Microsoft’s Services for Unix (SfU) add-on product.  This will require changes to the “ldapclient manual” command shown below, which handles the schema/attribute mapping.

Preparing Active Directory (One-Time)

These steps only need to be performed once.  Note that if you have performed any of these steps as part of authenticating Linux or Solaris to Active Directory, they do not need to be performed again.  Simply make note of the information used earlier and re-use that information again this time.

  1. Install the “Server for NIS” component on at least one Active Directory domain controller (DC), so that the Active Directory schema can be extended to become partially RFC 2307-compliant.  Installing this component will also add a “UNIX Attributes” tab to objects inside the Active Directory Users and Computers MMC console.  You may also need to install the Server for NIS administrative tools on your workstation to see the “UNIX Attributes” tab.
  2. Use the Schema Management MMC snap-in to index the uid attribute, which is not indexed by default.  This will speed up the login process and reduce the overall load on your DCs.  (For more information, refer to the Linux-Windows Server 2003 R2 integration instructions.)  It may be possible to change the attribute that Solaris is looking for, but I haven’t found a way to do that yet.
  3. Create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  I recommend giving this account a simple, short name; this will make specifying the DN of the account later easier to do.
  4. Create a global security group in Active Directory Users & Computers and set the UNIX attributes for this group.

Once these one-time steps have been completed, we can proceed to configuring the individual users that will be authenticating to Active Directory from your Solaris server(s).

Preparing Active Directory (Each User)

Each Active Directory account that will authenticate via Solaris must be configured with a uid and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account (this tab was made visible by the installation of the Server for NIS component).  The attributes that must be populated are:

  • NIS domain:  It’s required on this tab in order to populate the other fields, but we won’t be using it.
  • UID:  This is actually the UID number.  Each user must have a unique UID; I believe that the Server for NIS defaults at a starting UID of 10000, which is pretty safe for most systems.
  • GID:  In addition, each member must have a GID (group ID); simply specify the group that was created earlier.
  • Login Shell:  Specify a login shell (such as “usr/bin/csh” or “/sbin/sh”) for each user.
  • Home Directory:  Specify the home directory (such as “/export/home/slowe”) that will be used for this user.  Keep in mind that these values may apply across multiple systems and platforms, and the path must be valid on all systems and platforms.

Based on my experience so far, the values for Solaris will often be very different than what might be specified for Linux-based logins.  I haven’t yet figured out how to reconcile these differences in a multi-platform environment (suggestions are welcome).

After all the user accounts have been configured, then we are ready to perform the additional tasks within Active Directory and on the Solaris server(s) that will enable the authentication.

Preparing Active Directory (Each Solaris Server)

These steps need to be repeated for each Solaris server that will authenticating via Kerberos to Active Directory.

  1. Create a user account (not a computer account) for each Solaris server.  (Review this article for more information on the reasoning behind this approach.)  I highly suggest using a naming convention that supports a) the service principal(s) involved; and b) the name of the server.  Since Solaris will use the host service principal, a name like “host-solarissrvr” would be good.  The password doesn’t matter, but do be sure to check the “Password never expires” check box, and after the account is created specify a good description so that you’ll remember what this account is for in 6 months.
  2. For each account that was created, run the ktpass.exe command to generate a unique keytab for each account.  The command will look something like this (substitute the appropriate values where necessary): 
    ktpass -princ host/fqdn@REALM -mapuser DOMAIN\account
-crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL
-out filename

    Be sure to specify a unique output filename (so that you don’t overwrite files; each server/account will needs its own unique file).  I suggest using the server’s name as the filename, i.e., something like “solarissrvr.keytab”.

Now that each Solaris server has a matching account in Active Directory, and each account has had a keytab generated for it, we’re almost ready to move on to configuring the Solaris servers themselves.  First, though, we need to take care of some name resolution issues.

Configuring Reverse DNS

On the DNS server handling the reverse lookup zones for the subnet on which the Solaris server is located, add a PTR record for the Solaris server and it’s IP address.  This will ensure that reverse DNS lookups work as expected.  Make sure that each Solaris server that will be authenticating against Active Directory has a reverse lookup record in DNS.

Configuring Solaris (Each Server)

The following steps need to be performed on each Solaris server that will authenticate against Active Directory.

Configuring the hosts file

To enable reliable TGT validation (this ensures that the Kerberos ticket returned by a KDC actually came from the KDC and not a spoofed server), you’ll need to edit the hosts file.  On Solaris 10, this is found in /etc/inet/hosts and is read-only, even for root.  Edit this file (changing permissions as necessary) so that the line with the server’s IP address looks something like this:

10.1.1.1        hostname.example.com hostname loghost

What we’re doing here is making sure that the server’s fully qualified domain name (not just the short hostname) is the first name entry on the line for the server’s IP address.

There may or may not be other entries in the file; leave those entries untouched (unless you know you need to modify them).

Configuring Kerberos

Solaris keeps its Kerberos configuration in the /etc/krb5 directory as krb5.conf.  Edit this file using your editor of choice to look something like the one below.  Depending upon how you configured Solaris during the installation, some of this configuration may already be present.

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true

[realms]
        EXAMPLE.COM = {
        kdc = dc01.example.com
        kdc = dc02.example.com
        admin_server = dc01.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        .subdomain.example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
        period = 1d
        version = 10
        }

[appdefaults]
        kinit = {
        renewable = true
        forwardable= true
        }

You can’t simply copy and paste from here to the Solaris configuration file, as you’ll need to customize your version for your particular network, hostnames, domain names, etc.

Transfer the keytab generated earlier by the ktpass.exe utility (in our example, it was called “solarissrvr.keytab”) to the Solaris server in some secure fashion, like SFTP or SCP.  Place it in the /etc/krb5 directory as krb5.keytab, and make sure that only root has permissions to the file.

Configuring LDAP

We’ll use the native Solaris “ldapclient” utility to configure the LDAP support in Solaris.  The command you’ll type in looks something like this (please don’t copy and paste this, as it contains generic/incorrect information that won’t work!):

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyuser,cn=Users,dc=example,dc=com \
-a proxyPassword=Password1 \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a “defaultServerList=172.16.1.10” \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
-a serviceSearchDescriptor=group:dc=example,dc=com?sub

The easiest way to handle this would probably be to copy it into a blank text file, edit it to include the specific details for your network, and then paste it into a terminal session on the Solaris server.

After this command has been run, Solaris will create the LDAP configuration in /var/ldap and will update /etc/nsswitch.conf to use LDAP.  However, because we only want to use LDAP for specific purposes, we’ll need to go back and edit /etc/nsswitch.conf again.  Just remove “ldap” from all entries in /etc/nsswitch.conf except for passwd and group.

While you’re editing /etc/nsswitch.conf, be sure to add a “dns” entry at the end of the line for hosts:

hosts          files dns

This will help ensure that Solaris is properly configured to use DNS for host name resolution.

I think it’s necessary at this point to restart the LDAP client service:

svcadm restart svc:/network/ldap/client:default

Use the “svcs -a | grep ldap” command to verify the exact name of the LDAP client service on your Solaris server.

Configuring the DNS Client

You’ll also need to make sure that the DNS client is enabled and running.  Using “svcs -a | grep dns” will help you identify the correct service, which you can then enable with svcadm:

svcadm enable svc:/network/dns/client:default

Test DNS resolution using either the “host” or “nslookup” commands.

Configuring PAM

The /etc/pam.conf file controls the PAM (Pluggable Authentication Mechanism) configuration on Solaris.  You’ll need to edit the /etc/pam.conf file to look something like what’s shown below.  I’ve edited away all the non-essential sections, so only change the sections listed below.

# Default definition for Authentication management
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# Default definition for Account management
#
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_ldap.so.1
#

With this configuration in place, Solaris will use Kerberos authentication and will retrieve account information via LDAP.

Reboot the Solaris Server

I know this sounds stupid, but even after restarting LDAP and enabling/starting/restarting the DNS client, things still didn’t work for me in the lab.  However, after rebooting the Solaris server, it worked like a champ.  So, just in case, reboot the Solaris server after completing the configuration.

Testing the Configuration

Once all of the configuration steps have been completed, you can test the configuration with the following commands:

  • You can use “getent passwd <Name of AD user>” from the Solaris server; this command should return UID number, GID number, UNIX home directory, and login shell.
  • You can use “kinit <Name of AD user>” to test Kerberos authentication.  A succesful Kerberos test will not return any feedback, and the “klist” command will show a ticket granting ticket (TGT) from the Active Directory DC/KDC.

If either of these tests are unsuccessful, review the log files on the Solaris server and resolve the problems before continuing.  Both of these tests will need to be successful in order for authentication to work correctly.

If the tests are successful, then you should now be able to authenticate on a Solaris server using your Active Directory username and password.  I tested this using SSH and the X Desktop login.

Tags: , , , , ,

LDAP-Based Access Control

Friday, September 8, 2006 in Interoperability by slowe | 49 comments

First off, let’s set some expectations.  First, I performed this testing using CentOS (version 4.3) and Windows Server 2003 R2, both running as VMs on VMware ESX Server (version 3.0.0).  Active Directory and the CentOS server were configured for Kerberos authentication as described in my Linux-AD integration instructions.  Second, I used OpenSSH (version 4.2p1 on the client, version 3.9p1 on the server) as the vehicle for testing host access.  If you are using telnet, HTTP, or something else, the configuration will look very different.  Third, and finally, I can’t guarantee you that this procedure will work flawlessly in your environment.  It should, however, get you well down the road to completion.

OK, now you’re ready to get rolling.  Note:  If you’ve configured your SSH server for native Kerberos authentication, the changes we’re going to make below are going to break that.  Sorry, I couldn’t find any way around that.

Configure OpenSSH

Edit your /etc/ssh/sshd_config file and make sure that the following line is present:

UsePAM yes

(This is the piece that breaks native Kerberos authentication, by the way.)  SSHd will need to re-read the configuration after making this change in order for the change to take effect; restarting sshd is an easy way to do that.

Configure PAM

Because PAM configurations vary from client to client, I can’t give you the exact configuration and placement that you need.  The CentOS configuration, which would be virtually identical to Red Hat/Fedora, is described below.  Please be sure to adjust as needed for your particular Linux distribution (or flavor of Unix).

Add the following line to the top (first line) of the “account” section of the /etc/pam.d/system-auth file:

account   sufficient   /lib/security/$ISA/pam_ldap.so

You should be able to leave the rest of the file intact.

Configure LDAP

(Just as quick aside, you should be aware by now that modifying ldap.conf really only affects the pam_ldap and nss_ldap modules, not OpenLDAP itself.  OpenLDAP is typically configured elsewhere.)

Make the following changes to the /etc/ldap.conf file:

pam_groupdn cn=GroupName,ou=OUName,dc=example,dc=net
pam_member_attribute member

These lines may already be present, and you may only have to uncomment them and substitue the correct value for the pam_groupdn parameter.  Do NOT copy and paste the pam_groupdn line as shown above; they won’t work!  (The pam_member_attribute line is fine to copy and paste.)  Just put in the correct DN for the group that you’d like to use to control access to that particular host.  Members of that group will be allowed access; others will be denied.

If the group name includes spaces, enclose the entire DN in double quotes (i.e, pam_groupdn “cn=Group Name,cn=Users,dc=example,dc=net”).

Configure Active Directory

This part should be obvious, but be sure to create the appropriate group (making sure that the DN of the group matches what you specified in /etc/ldap.conf on the Linux/Unix server).  Add user accounts that should be allowed access to the Linux/Unix host in question to this group (you may find it necessary or desirable to create multiple groups so that you can have fine-grained control over which hosts may be accessed by which users).  The testing I performed indicated that the group did not need to be Unix-enabled in AD; your mileage may vary.

Verify and Test

To verify and test the configuration, add a user account to the appropriate group and then try to login to the Linux/Unix server via SSH.  Everything should work just fine.  Take the user out of the group and try again; the login should fail.

I’m open to comments, suggestions for improvement, and corrections to this procedure.  Also, if any of you out there have had the opportunity to try this on different Linux distributions or other Unix-based operating systems and want to share configs, please do so in the comments.

Tags: , , , , , ,

Kerberos TGT Validation

Friday, September 1, 2006 in Interoperability by slowe | 3 comments

I performed some testing with both CentOS 4.3 and Solaris 10, two of the platforms for which I’ve penned instructions on how to integrate authentication with Active Directory (using Kerberos and LDAP). I was hoping that I would see the same behavior on both platforms, but my testing showed otherwise.

First, let’s recap briefly. Unless the setting “verify_ap_req_nofail = false” is in the krb5.conf file (in the /etc directory on CentOS, in the /etc/krb5 directory on Solaris), the Kerberos libraries will attempt to perform TGT validation. The purpose behind TGT validation is to ensure that the KDC is indeed who it claims to be; this prevents spoofing of the KDC and helps protect the KDC’s status as a “trusted third party” to the authentication process.

As a number of people have begun attempting to use the instructions that I created (here are the Linux instructions and here are the Solaris instructions), TGT validation has come up a number of times as something that users are having a hard time with, and thus far I have been unable to offer any real guidance. Hopefully, with this testing, I will have gotten closer to a concrete answer regarding TGT validation.

There are a number of things that you should check when running into TGT validation problems:

  • First, ensure that the key version number (kvno) for the key table on the Linux server matches what is listed in Active Directory. The msDS-KeyVersionNumber attribute in Active Directory shows the kvno; the “klist -k” command on Linux/Solaris will show that information for the key table entries. I have seen references, but have not yet had the opportunity to personally test, that not specifying the password on the ktpass.exe command line (when generating the keytab entries) causes a mismatch between the keytab entry and Active Directory.
  • There is a hotfix available from Microsoft for Windows Server 2003 SP1 and later that addresses a problem with generating key table entries for computer accounts. This Microsoft support article describes the problem and the hotfix. Either use this hotfix, or switch to using user accounts instead of computer accounts.
  • Make sure your key table entries are generated with the proper case. I initially suspected that some parts of the SPN may need to be uppercase (aside from the REALM, which is always uppercase), but I think that is only the case when using GSSAPI/SPNEGO authentication with IIS or Apache, as described here. In that specific case, the “HTTP” must be uppercase. In all other instances of the Kerberos authentication I’ve tested, using lowercase is fine. In fact, the OpenSSH client (at least, version 4.2p1 on Mac OS X 10.4.7) will automatically request a ticket with a lowercase SPN if GSSAPI authentication is enabled. (This would be enabled if you were trying to achieve passwordless, Kerberized SSH logins.)

In some instances, however, people have tried all these things and still get TGT validation errors. What then?

Strangely enough, check the /etc/hosts file. Your /etc/hosts file should look something like this:

#
# Internet host table
#
127.0.0.1       localhost
192.168.2.109   vserver01.example.net vserver01

If your /etc/hosts file looks like this instead, you’ll need to fix the order of the hostnames:

#
# Internet host table
#
127.0.0.1       localhost
192.168.2.109   vserver01 vserver01.example.net

See the difference? It’s in the order of the names for the server’s IP address. Yes, the order of the names—single label hostname vs. fully qualified domain name—will make a difference. On CentOS, switching the names so that the single label hostname is first causes passwordless Kerberized SSH logins to fail, presumably due to TGT validation problems. (Due to time constraints, I haven’t been able to dial up the logging on the CentOS server to verify this for certain, but I will soon, and will post an update to this article with those findings.)

I was hoping that Solaris would show the same results, since my first foray with Kerberos integration with Solaris showed some TGT validation problems that later mysteriously and unexplicably went away. However, Solaris doesn’t seem to care about the order of the names in the /etc/hosts file, so this isn’t the missing link I was hoping it would be.

Hopefully, this new information will help some of you out there that are still struggling with TGT validation. If anyone else has found any tricks or useful tips, please be sure to post them in the comments.

Tags: , , , , , , ,

Follow Ups on Solaris, Native Kerberos Authentication

Tuesday, August 29, 2006 in Interoperability, UNIX by slowe | 4 comments

If you haven’t read the previous articles, take a quick moment to review them before continuing:

Solaris 10 and Active Directory Integration
Native Kerberos Authentication with SSH

Initially, problems cropped up with both of these, but it seems as if the problems have been resolved.

Solaris 10 and Active Directory Integration

The problem, as outlined in the original article, was that TGT validation wasn’t working. The only way to make Kerberos authentication (via pam_krb5) to work was to disable TGT validation.

Since that time, I have re-enabled TGT validation, and everything seems to work just fine. I believe that the problem was in the /etc/hosts file, since I’ve been seeing a fair number of comments in the various articles dealing with AD integration of non-Windows platforms. I believe that the fix is making sure that the server’s fully qualified domain name is listed first in the /etc/hosts file, like so:

127.0.0.1       localhost localhost.localdomain
10.1.1.1        hostname.example.com hostname
<...other entries as needed...>

On the line where the server’s IP address is listed, make sure that the fully qualified domain name is listed first. I can’t be absolutely sure that this is the fix, but this is the only thing I can think of that I did on both Linux and Solaris. I hope to perform some testing later this week and I’ll post the results here.

Native Kerberos Authentication

The problem here was again the Solaris server—or so it seemed. I had (and currently have) it working with a CentOS server; I can obtain a Kerberos ticket and then transparently authenticate to the CentOS server without getting prompted for a password. With the Solaris server, though, I kept getting a “Server not found in Kerberos database” when attempting to connect. It wasn’t until today that I realized that the key difference between the Linux installation and the Solaris installation was that the Solaris server was in a different DNS domain. Since my PowerBook didn’t have the equivalent of an /etc/krb5.conf to match DNS domain names with Kerberos realms, it was trying to obtain a ticket for a realm that does not exist. More appropriately, it was contacting a Kerberos realm that did not have a matching entry with the right SPN, hence the “Server not found in Kerberos database” error.

To verify this, I edited the /etc/krb5.conf file on a Linux server to map DNS domains and Kerberos realms (i.e., mapped “example.net” to “ad.example.net”), obtained a Kerberos TGT using kinit, and then attempted to make an SSH connection to the Solaris server. Lo and behold, it worked! I verified this quickly on Mac OS X using the built-in Kerberos application to properly map DNS domains to Kerberos realms, and it worked as well.

<aside>You are supposed to be able to use Cmd-E in Kerberos.app to edit the domain-realm mapping. However, I found that keystroke doesn’t work until a Kerberos preferences file (named edu.mit.Kerberos, either in ~/Library/Preferences or /Library/Preferences) is created. This file is simply the equivalent of an /etc/krb5.conf file as you might see on any other Unix-related platform. Once that file had been created—even if it was empty—the Cmd-E shortcut and the Edit Realms command on the Edit menu worked as expected.</aside>

So, the server was not the problem, instead it was the configuration of my PowerBook all along. Go figure! In any case, it is working now. The lesson to be learned: be sure that either your Kerberos realm maps perfectly to Active Directory’s DNS name, or be sure client machines are properly configured for domain-realm mappings.

Tags: , , , , ,

Native Kerberos Authentication with SSH

Monday, August 21, 2006 in Interoperability by slowe | 2 comments

First, a quick disclaimer: I have only tested this in a very limited configuration. Namely, using OpenSSH 4.2p1 on Mac OS X (as reported by “ssh -V”) to connect to OpenSSH 3.9p1 on CentOS 4.3 (again, as reported by “ssh -V”). I have been trying to get it to work with the SSH server in Solaris 10 but have been unsuccessful thus far (more on that in a moment).

Configuring the SSH Server

First off, you’ll need to make sure that the OpenSSH server’s Kerberos configuration (in /etc/krb5.conf) is correct and works, and that the server’s keytab (typically /etc/krb5.keytab) contains an entry for “host/fqdn@REALM” (case-sensitive). I won’t go into details on how this is done again; instead, I’ll refer you to any one of the recent Kerberos-related articles (like this one, this one, or even this one). Just be sure that you can issue a “kinit -k host/fqdn@REALM” and get back a Kerberos ticket without having specify a password. (This tells you that the keytab is working as expected.)

Next, configure the /etc/ssh/sshd_config file (the system-wide SSH daemon configuration file) to include the following lines (note that these lines may already be present, just commented out; other lines may be present, but with different values):

KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no

After these changes are made, you’ll need to restart the SSH daemon.

Configuring the SSH Client

Because the OpenSSH client configuration does not include GSSAPI authentication by default, you’ll most likely need to modify your SSH client configuration. Edit the global client-side configuration file; on Mac OS X it’s found as /etc/ssh_config. Change it to include the following lines:

Host *.example.com
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

This limits GSSAPI authentication to only those hosts in the example.com domain. Modify the domain to be the appropriate domain for your network.

Testing the Configuration

Obtain a valid Kerberos ticket from Active Directory. On Mac OS X, you can use the excellent Kerberos.app that’s bundled with the system to obtain a ticket. You can also just use “kinit username” from the command line.

Once you have a ticket, you should be able to simply “ssh fqdn.of.server” and you will get logged in, without getting prompted for a password. If you get prompted for a password, go back and double-check your keytab, your SSH daemon configuration, and the time configuration on your OpenSSH server. Because Kerberos requires time synchronization, differences of greater than 5 minutes will cause the authentication to fail.

Future Configurations

As I mentioned earlier, I have also been trying to make this work with the SSH server bundled with Solaris 10 (which, as I understand it, is not OpenSSH). So far, I have been unsuccessful in this effort, even though the pam_krb5 integration (having the keyboard-interactive login checked/authenticated via Kerberos) is working just fine. Sun’s SSH server is supposed to include GSSAPI authentication enabled by default, but for some reason my client is throwing a “Server not found in Kerberos database” error (seen when running “ssh -vvv full.server.name”). I’m not yet sure what’s going on there, but I intend to continue to research the problem and try to find a solution. Solaris gurus out there, I’m open for suggestions.

UPDATE: The problems with Kerberos SSH logins to Solaris was a client-side issue; read more about that here.

Tags: , , , , , , ,

More on Kerberos Authentication Against Active Directory

Monday, August 21, 2006 in Interoperability by slowe | 9 comments

I’ll break the information down according by the article to which the information pertains.  If the information pertains to all the articles equally, it is included in the “All Articles” portion.  Links back to the original articles are included.

All Articles

User Accounts vs. Computer Accounts

One thing in common across all these articles is the need to create special accounts in Active Directory. I originally recommended the use of computer accounts, but over the course of time additional integration tasks with Kerberos have led me to believe that the user of user accounts, not computer accounts, is the best way to handle this.  In a very early Linux-AD integration article, I discussed the use of computer accounts instead of user accounts, and the use of the ktpass.exe command to extract a keytab from a computer account.  At that time, it seemed reasonable to recommend computer accounts—we were only discussing a single service principal (the host itself), and using a computer account made sense.

However, because of the fact that additional accounts will have to be created for additional service principals (for example, if you are interested in using Kerberos-based SSO with Apache) and because you can’t have multiple computer accounts with the same name, it’s just as well to use a user account with a naming convention that describes the purpose of each account.  For example, something like “host-fqdn” for the host/fqdn@REALM service principal (used for scenarios involving pam_krb5 and “native” Kerberos/GSSAPI authentication), and “http-fqdn” for the HTTP/fqdn@REALM service principal (used by mod_auth_kerb for Apache-Kerberos integration).  This provides an easy way to distinguish between these accounts, and allows for the multiple accounts that are required in these kinds of scenarios.

Finally, the use of user accounts will eliminate some spurious error messages that ktpass.exe generates when run against a computer account.  Note that these error messages are not substantive; things will still work with a computer account.  It’s just that ktpass.exe appears to have been intended to run against a user account.

Updated ktpass.exe Command Line

In addition, because of differences in the encryption types supported by Active Directory and many Unix/Linux implementations, I have found that using the “+DesOnly” switch with ktpass.exe seems to help.

An updated ktpass.exe, accounting for the change to a user account and the desire to use DES encryption types, would look something like this:

ktpass.exe -princ host/fqdn@REALM -mapuser DOMAIN\account
-crypto des-cbc-md5 +DesOnly -pass Password123 -ptype KRB5_NT_PRINCIPAL
-out c:\filename.keytab

Please note that this command, particularly the service principal name (as specified by the “-princ” parameter) is CASE SENSITIVE.  For example, the host SPN (i.e., “host/fqdn@REALM”) that is used by pam_krb5 and “native” Kerberos/GSSAPI authentication is lowercase.  However, the HTTP SPN (used by mod_auth_kerb with Apache) needs to be uppercase.  In both cases, the Kerberos realm (which should be equivalent to the Active Directory DNS domain name) must be in uppercase.

Linux-AD Integration (Pre-R2)

The original article is found here.

In addition to the switch from a computer account to a user account as described above, the only real change to this article pertains to the /etc/ldap.conf file that configures the nss_ldap library.  Remember that in almost all of these scenarios, we are using Kerberos for authentication and LDAP for account information, i.e., storing the information that would normally be stored in /etc/passwd.

The original article calls for /etc/ldap.conf to include this line:

nss_base_group dc=mydomain,dc=com

To help optimize LDAP traffic against Active Directory, change the /etc/ldap.conf as follows:

nss_base_group dc=mydomain,dc=com?sub?
&(objectCategory=group)(gidnumber=*)

(This should all be on a single line.)  This will help reduce the query load on Active Directory by limiting the types of objects for which searches will be issued; in addition, the “objectCategory” type is indexed, which also also greatly speed operations.

Speaking of indexing, if the pam_login_attribute is not modified (it defaults to uid), you’ll also need to index the uid attribute in order to avoid heavy CPU utilization and delays in responses from Active Directory.  This was mentioned in the updated Linux-AD R2 instructions.  Alternately, you can change the pam_login_attribute in /etc/ldap.conf to an indexed attribute, like sAMAccountName.

Last, you may find it useful to edit /etc/ldap.conf and change the gecos field mapping from name to cn (i.e., use “nss_map_attribute gecos cn” instead of “nss_map_attribute gecos name”).

Linux-AD Integration (R2)

The latest version of these instructions are found posted here.

Again, other than the change to a user account instead of a computer account (as described above), the changes mentioned in the previous section also apply here:

  • Changing the nss_base_group in /etc/ldap.conf
  • Changing the nss_map_attribute for gecos in /etc/ldap.conf
  • Changing the pam_login_attribute to an indexed attribute in Active Directory (such as sAMAccountName) or indexing the uid attribute

Otherwise, the revised instructions are reasonably accurate and seem to work pretty well.

Kerberos-Based SSO with Apache

This article is found here, and already incorporates most of the changes mentioned in this posting.  No suggested changes are needed at this time.

Solaris 10 and AD Integration

This article can be found posted here.

This one is a pretty recent article (published within the last week or so), and so already incorporates most of the changes suggested here.  The information that I don’t have yet, however, is exactly how to incorporate some of the other suggested changes.  For example, I’m not yet sure how to use the ldapclient command to modify the LDAP client profile (Solaris 10 doesn’t use nss_ldap by default) to include the refined group query.  I suspect that this command would work correctly:

ldapclient mod -a serviceSearchDescriptor=group:dc=example,dc=com?sub
?&(objectCategory=group)(gidNumber=*)

Of course, the ldapclient command syntax would change depending upon if this was an initial setup or a change to an existing setup.

Likewise, I’m not sure which login attribute the Solaris LDAP libraries are looking for—uid, sAMAccountName, or something else entirely?  If anyone with more Solaris 10 experience than me has the answers to these questions, I’d love to know.

As I continue to expand my knowledge of using Kerberos to integrate these various platforms and applications, I’ll post additional information here.  I know that a number of you have been posting questions in the comments for these various articles; keep the questions coming.  I may not know the answer right away, but I’ll sure do my best to find out!

Tags: , , , , , ,

Solaris 10 and Active Directory Integration

Tuesday, August 15, 2006 in Interoperability, UNIX by slowe | 56 comments

As with the procedure for authenticating Linux against Active Directory and providing Kerberos-based SSO with Apache, there are a few steps to be performed.  Some of these steps are performed on the Active Directory side, some of them are performed on the Solaris 10 system.

This procedure assumes that you are using Windows Server 2003 R2; if you are using a previous version, the LDAP attribute mapping will need to be modified to match the schema extensions found in Microsoft’s Services for Unix (SfU) add-on product.

Preparing Active Directory (One-Time)

These steps only need to be performed once.  Note that if you have performed any of these steps as part of authenticating Linux to Active Directory, they do not need to be performed again.  Simply make note of the information used earlier and re-use that information again with Solaris.

  1. Install the “Server for NIS” component on at least one Active Directory domain controller (DC), so that the Active Directory schema can be extended to become partially RFC 2307-compliant.  Installing this component will also add a “UNIX Attributes” tab to objects inside the Active Directory Users and Computers MMC console.  You may also need to install the Server for NIS administrative tools on your workstation to see the “UNIX Attributes” tab.
  2. Use the Schema Management MMC snap-in to index the uid attribute, which is not indexed by default.  This will speed up the login process and reduce the overall load on your DCs.  (For more information, refer to my updated Linux-Windows Server 2003 R2 integration instructions, linked above.)  It may be possible to change the attribute that Solaris is looking for, but I haven’t found a way to do that yet.
  3. Create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  I recommend giving this account a simple, short name; this will make specifying the DN of the account later easier to do.
  4. Create a global security group in Active Directory Users & Computers and set the UNIX attributes for this group.

Once these one-time steps have been completed, we can proceed to configuring the individual users that will be authenticating to Active Directory from your Solaris server(s).

Preparing Active Directory (Each User)

Each Active Directory account that will authenticate via Solaris must be configured with a uid and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account (this tab was made visible by the installation of the Server for NIS component).  The attributes that must be populated are:

  • NIS domain:  It’s required on this tab in order to populate the other fields, but we won’t be using it.
  • UID:  This is actually the UID number.  Each user must have a unique UID; I believe that the Server for NIS defaults at a starting UID of 10000, which is pretty safe for most systems.
  • GID:  In addition, each member must have a GID (group ID); simply specify the group that was created earlier.
  • Login Shell:  Specify a login shell (such as “usr/bin/csh” or “/sbin/sh”) for each user.
  • Home Directory:  Specify the home directory (such as “/export/home/slowe”) that will be used for this user.  Keep in mind that these values may apply across multiple systems and platforms, and the path must be valid on all systems and platforms.

Based on my experience so far, the values for Solaris will often be very different than what might be specified for Linux-based logins.  I haven’t yet figured out how to reconcile these differences in a multi-platform environment (suggestions are welcome).

After all the user accounts have been configured, then we are ready to perform the additional tasks within Active Directory and on the Solaris server(s) that will enable the authentication.

Preparing Active Directory (Each Solaris Server)

These steps need to be repeated for each Solaris server that will authenticating via Kerberos to Active Directory.

  1. Create a user account (not a computer account) for each Solaris server.  (Note that this is different than the instructions provided for integrating Linux.  I have an article planned to discuss this in more detail, but for now just trust me.)  I highly suggest using a naming convention that supports a) the service principal(s) involved; and b) the name of the server.  Since Solaris will use the HOST service principal, a name like “HOST-solarissrvr” would be good.  The password doesn’t matter, but do be sure to check the “Password never expires” check box, and after the account is created specify a good description so that you’ll remember what this account is for in 6 months.
  2. For each account that was created, run the ktpass.exe command to generate a unique keytab for each account.  The command will look something like this (substitute the appropriate values where necessary): 
    ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\account
-crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL
-out filename

    Be sure to specify a unique output filename (so that you don’t overwrite files; each server/account will needs its own unique file).  I suggest using the server’s name as the filename, i.e., something like “solarissrvr.keytab”.

Now that each Solaris server has a matching account in Active Directory, and each account has had a keytab generated for it, we’re ready to move on to configuring the Solaris servers themselves.

Configuring Solaris (Each Server)

The following steps need to be performed on each Solaris server that will authenticate against Active Directory.

Configuring Kerberos

Solaris keeps its Kerberos configuration in the /etc/krb5 directory as krb5.conf.  Edit this file using your editor of choice to look something like the one below.  Depending upon how you configured Solaris during the installation, some of this configuration may already be present.

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true
        verify_ap_req_nofail = false

[realms]
        EXAMPLE.COM = {
        kdc = dc01.example.com
        kdc = dc02.example.com
        admin_server = dc01.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        .subdomain.example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
        period = 1d
        version = 10
        }

[appdefaults]
        kinit = {
        renewable = true
        forwardable= true
        }

Your particular information will need to be supplied here, of course, so you can’t simply copy and paste from here to the Solaris configuration file.

Of particular interest here is the “verify_ap_req_nofail = false” parameter.  I’m still shaking out some TGT validation/verification errors, and this is currently the only way to make authentication work from Solaris.  As soon as I get the validation/verification problems sorted out, I’ll post a new version of these instructions.

Transfer the keytab generated earlier by the ktpass.exe utility (in our example, it was called “solarissrvr.keytab”) to the Solaris server in some secure fashion, like SFTP or SCP.  Place it in the /etc/krb5 directory as krb5.keytab, and make sure that only root has permissions to the file.

Configuring LDAP

We’ll use the native Solaris “ldapclient” utility to configure the LDAP support in Solaris.  The command you’ll type in looks something like this (please don’t copy and paste this, as it contains generic/incorrect information that won’t work!):

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyuser,cn=Users,dc=example,dc=com \
-a proxyPassword=Password1 \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a “defaultServerList=172.16.1.10” \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
-a serviceSearchDescriptor=group:dc=example,dc=com?sub

The easiest way to handle this would probably be to copy it into a blank text file, edit it to include the specific details for your network, and then paste it into a terminal session on the Solaris server.

After this command has been run, Solaris will create the LDAP configuration in /var/ldap and will update /etc/nsswitch.conf to use LDAP.  However, because we only want to use LDAP for specific purposes, we’ll need to go back and edit /etc/nsswitch.conf again.  Just remove “ldap” from all entries in /etc/nsswitch.conf except for passwd and group.

I think it’s necessary at this point to restart the LDAP client service:

svcadm restart svc:/network/ldap/client:default

Use the “svcs -a | grep ldap” command to verify the exact name of the LDAP client service on your Solaris server.

Configuring PAM

The /etc/pam.conf file controls the PAM (Pluggable Authentication Mechanism) configuration on Solaris.  You’ll need to edit the /etc/pam.conf file to look something like what’s shown below.  I’ve edited away all the non-essential sections, so only change the sections listed below.

# Default definition for Authentication management
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# Default definition for Account management
#
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_ldap.so.1
#

With this configuration in place, Solaris will use Kerberos authentication and will retrieve account information via LDAP.

Testing the Configuration

Once all of the configuration steps have been completed, you can test the configuration with the following commands:

  • You can use “getent passwd <Name of AD user>” from the Solaris server; this command should return UID number, GID number, UNIX home directory, and login shell.
  • You can use “kinit <Name of AD user>” to test Kerberos authentication.  A succesful Kerberos test will not return any feedback, and the “klist” command will show a ticket granting ticket (TGT) from the Active Directory DC/KDC.

If either of these tests are unsuccessful, review the log files on the Solaris server and resolve the problems before continuing.  Both of these tests will need to be successful in order for authentication to work correctly.

If the tests are successful, then you should now be able to authenticate on a Solaris server using your Active Directory username and password.  I tested this using SSH and the X Desktop login.

How I Tested

I tested this configuration using Solaris 10 x86 6/06 (the June 2006 release) running as a VM under VMware ESX Server 3.0.0.  Authentication was performed against a pair of virtual servers (one hosted on ESX 3.0.0, the other on ESX 2.5.3) running Windows Server 2003 R2, Standard Edition.

Tags: , , , , ,

« Older entries § Newer entries »