
Integrating UNIX and Windows with Kerberos

Authenticating UNIX into a Kerberos realm based on a Windows Active Directory server

The following is just my notebook on how this can be accomplished. No guarantees that it's complete or correct, but hopefully it will provide a good start.

Yes, it may be entirely inappropriate to put your authentication server on a Windows machine. But face it, this is the problem that people often have to solve.

Assumptions:

  1. You already have a Windows (2000 or later) Active Directory server up and running.
  2. That Domain Controller is going to be the Kerberos server.
  3. You have ripped out the incorrect Microsoft approximation to Kerberos and installed the real thing from MIT:
    http://web.mit.edu/kerberos/www/dist/
    If you try to use Microsoft's broken version, it will not necessarily interoperate with anything other than Microsoft. Yet another attempt to build up the Evil Empire? Probably not: "Never credit to ill intent that which incompetence or ignorance can explain."
  4. Your Kerberos realm and AD domain are both EXAMPLE.COM.
  5. Your Active Directory server is ad.example.com and its IP address is 10.0.0.1.
  6. We have one UNIX host to set up as a Kerberos client. Its hostname is unix.example.com and its IP address is 10.0.0.2.

1. Make the Active Directory server aware of the UNIX host

For each UNIX host, add a user account to the AD server. The account's first name and login name must be the hostname of the UNIX host. In our example:

First name   unix
Login        unix@example.com
Password     somegoodpassword

2. Generate a keytab file (on the Windows AD/Kerberos server)

On the Windows AD/Kerberos server, make sure that the Kerberos configuration utilities (the Windows Support Tools, which provide Ktpass) are installed. The Windows distribution media may hide them in support\tools; install them with the setup.exe found there.

Run the Ktpass utility. Replace every instance of unix below with the hostname of the UNIX host you are setting up; repeat for each host.

c:\wherever\you\are\> cd /
c:\> Ktpass -princ unix/unix@EXAMPLE.COM -mapuser unix -pass somegoodpassword -out unix.keytab

Now you must securely transfer the file unix.keytab to the host unix. Hide it somewhere safe like /root/unix.keytab for now. And of course, remove that file from the Windows machine!

3. Create /etc/krb5.conf (on the UNIX client)

There should be an example file already in place. Edit that file, and notice it is grouped into stanzas with headings in square brackets. Modify the libdefaults section:

[libdefaults]
   default_realm = EXAMPLE.COM
   dns_lookup_realm = true
   dns_lookup_kdc = true
   default_tkt_enctypes = des-cbc-md5
   default_tgs_enctypes = des-cbc-md5 

Also modify the realms section:

[realms]
   EXAMPLE.COM = {
       kdc = ad.example.com:88
       kpasswd_server = ad.example.com:464
   }

Finally, modify the domain_realm section so that every hostname under example.com (including sub-domains) maps to the realm:

[domain_realm]
   .example.com = EXAMPLE.COM
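Before going on to kinit, it is worth checking the file you just edited for the things that bite in practice. The following is an added example, my own helper and not part of MIT Kerberos or of this notebook's original text: it parses the stanza syntax used above (sections in square brackets, key = value lines, and the braced realm group), confirms that default_realm, the realm's kdc and kpasswd_server, and the domain_realm mapping are all present and agree, and flags the single-DES enctypes. That last check matters because RFC 6649 deprecated single DES and MIT Kerberos 1.8 and later refuse it unless [libdefaults] contains allow_weak_crypto = true, so the des-cbc-md5 lines above will not work on a current client without that setting. The sample file embedded in the block is the three stanzas from this page joined together; the function names and messages are mine.

```python
"""Sanity-check a krb5.conf against the settings this notebook depends on.

Added helper, not part of MIT Kerberos. It understands only the stanza
syntax shown above ([section], key = value, key = { ... }) and reports
what a practitioner would want fixed before running kinit.
"""
import re

# Single-DES enctypes. RFC 6649 deprecated them and MIT Kerberos 1.8+
# refuses them unless [libdefaults] sets allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw"}

# Constructed sample: the three stanzas from the notebook joined into one file.
SAMPLE_KRB5_CONF = """\
[libdefaults]
   default_realm = EXAMPLE.COM
   dns_lookup_realm = true
   dns_lookup_kdc = true
   default_tkt_enctypes = des-cbc-md5
   default_tgs_enctypes = des-cbc-md5

[realms]
   EXAMPLE.COM = {
       kdc = ad.example.com:88
       kpasswd_server = ad.example.com:464
   }

[domain_realm]
   .example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value or nested dict}} for krb5.conf text."""
    sections, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and not stack:
            current = sections.setdefault(header.group(1), {})
            continue
        if line == "}":
            if not stack:
                raise ValueError("stray '}' in krb5.conf")
            current = stack.pop()
            continue
        if current is None:
            raise ValueError("setting outside any stanza: %r" % raw)
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":                          # start of a nested group
            stack.append(current)
            current = current.setdefault(key, {})
        else:
            current[key] = value
    if stack:
        raise ValueError("unclosed '{' in krb5.conf")
    return sections


def check_krb5_conf(text):
    """Return a list of problems; an empty list means the file looks usable."""
    conf = parse_krb5_conf(text)
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "")
    if not realm:
        problems.append("libdefaults: default_realm is not set")
    elif realm != realm.upper():
        problems.append("libdefaults: realm names are case-sensitive; %r should be upper case" % realm)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for enctype in libdefaults.get(key, "").split():
            if enctype in WEAK_ENCTYPES:
                problems.append("libdefaults: %s lists weak enctype %s" % (key, enctype))
    realm_conf = conf.get("realms", {}).get(realm, {})
    if realm and "kdc" not in realm_conf:
        problems.append("realms: no kdc entry for %s" % realm)
    if realm and "kpasswd_server" not in realm_conf:
        problems.append("realms: no kpasswd_server entry for %s" % realm)
    mappings = conf.get("domain_realm", {})
    if realm and not any(v == realm and k.startswith(".") for k, v in mappings.items()):
        problems.append("domain_realm: no '.domain = %s' mapping for sub-domains" % realm)
    return problems


if __name__ == "__main__":
    for problem in check_krb5_conf(SAMPLE_KRB5_CONF) or ["no problems found"]:
        print(problem)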

4. Verify that /etc/services has what it needs (on the UNIX client)

Verify that /etc/services contains these port definitions:

kerberos   88/tcp  kerberos5 krb5    # Kerberos v5
kerberos   88/udp  kerberos5 krb5    # Kerberos v5
kpasswd   464/tcp  kpwd              # Kerberos passwd
kpasswd   464/udp  kpwd              # Kerberos passwd

5. Integrate the newly generated keytab file (on the UNIX client)

Use the ktutil command to manage the keytab files. We are going to read in the new keytab file, write it to the master keytab file, and quit:

unix:/root # ktutil
ktutil: rkt /root/unix.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
unix:/root # 
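Before merging, it is worth confirming what the keytab from Ktpass actually contains: the principal name, key version number and enctype must match what the AD side issued and what krb5.conf permits. MIT's own klist -k -e /root/unix.keytab prints that. As an added example, not from this page and not MIT's code, the reader below parses the keytab file format directly (version 0x0502, the one Ktpass writes and ktutil reads). The keytab it reads is constructed inside the block by a small writer; the principal and realm follow the page, but the key bytes are dummy values, not a real key.

```python
"""List the entries of an MIT keytab (the format Ktpass writes and ktutil merges).

Added example, not part of MIT Kerberos. The sample keytab is constructed
here with build_keytab(); its key bytes are dummy and carry no secret.
"""
import struct

# Enctype numbers (RFC 3961/3962/4757) you are likely to meet in a keytab.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as keytab v2 (0x0502)."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))   # v2: realm is not counted
        for s in [realm] + comps:                          # realm first, then components
            body += struct.pack(">H", len(s)) + s.encode("ascii")
        body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF, enctype, len(key))
        body += key
        body += struct.pack(">I", kvno)                    # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def read_keytab(data):
    """Parse keytab bytes into dicts with principal, kvno, enctype name and key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                  # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):    # realm, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + n].decode("ascii"))
            pos += n
        realm, comps = strings[0], strings[1:]
        _, _, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:            # 32-bit kvno, used when present and non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
            "key": key,
        })
    return entries


# Constructed sample: one entry like the one Ktpass would produce for the
# notebook's host, with a dummy 8-byte key (enctype 3 = des-cbc-md5).
SAMPLE_KEYTAB = build_keytab([("unix/unix", "EXAMPLE.COM", 3, 3, bytes(range(8)))])

if __name__ == "__main__":
    for entry in read_keytab(SAMPLE_KEYTAB):
        print("%-3d %-28s %s" % (entry["kvno"], entry["principal"], entry["enctype"]))
```

If the enctype you see here is not one that krb5.conf allows, kinit with this keytab will fail even though the merge into /etc/krb5.keytab succeeds, so check both against each other.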

6. Verify that you can get Kerberos credentials on the UNIX client

Test things by hand and verify that your user account can now get Kerberos credentials.

Use kinit to obtain a TGT (ticket-granting ticket), the credential that establishes your Kerberos identity.

Use kpasswd to change the Kerberos password.

7. Set up PAM on the UNIX client

The convenient and manageable way of using PAM is what Red Hat and similar distributions have done — use the include directive to load a standard stack of rules in any service. That way you only have to modify one rule set to configure Kerberos authentication for any service using that stack.

Make that standard stack look like the following. If you are using something derived from Red Hat, it is probably in the file /etc/pam.d/system-auth.

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_krb5.so
auth sufficient /lib/security/pam_unix.so md5 shadow likeauth use_first_pass
auth required /lib/security/pam_deny.so
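The order and control flags in that stack decide who gets in, so it pays to trace them. The block below is an added simulation of my own, not part of Linux-PAM, pam_krb5 or pam_unix and not from this notebook: it walks the four lines above using the rules in pam.conf(5) and reports which modules were consulted and the final verdict. The module results are constructed stand-ins: pam_env's authenticate hook is modelled as returning PAM_IGNORE (its real work happens in the setcred phase), pam_krb5 and pam_unix are modelled as password lookups against a made-up KDC and a made-up /etc/shadow, and use_first_pass is modelled by handing every module the same password the first one prompted for.

```python
"""Simulate how Linux-PAM walks the system-auth stack above.

Added teaching helper, not part of Linux-PAM, pam_krb5 or pam_unix. The
module outcomes are constructed stand-ins, not real authentication.
"""

# The auth stack from the notebook; module options are dropped because
# they do not change the control flow.
SYSTEM_AUTH = [
    ("required",   "pam_env"),
    ("sufficient", "pam_krb5"),
    ("sufficient", "pam_unix"),
    ("required",   "pam_deny"),
]

# Constructed credential stores (not real hashes or passwords).
KDC_PASSWORDS = {"alice": "krb-pass"}
SHADOW_PASSWORDS = {"alice": "old-local-pass", "bob": "local-pass"}

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"


def module_outcome(module, user, password):
    """Stand-in for each module's pam_sm_authenticate() return value."""
    if module == "pam_env":
        return IGNORE                     # PAM_IGNORE: contributes nothing to the verdict
    if module == "pam_krb5":
        return SUCCESS if KDC_PASSWORDS.get(user) == password else FAIL
    if module == "pam_unix":
        return SUCCESS if SHADOW_PASSWORDS.get(user) == password else FAIL
    if module == "pam_deny":
        return FAIL                       # unconditionally fails
    raise KeyError(module)


def run_auth_stack(stack, user, password):
    """Return (authenticated, modules consulted) using the pam.conf(5) rules:

    required   failure makes the final result a failure, but later modules still run
    requisite  failure returns failure immediately
    sufficient success returns success immediately unless an earlier required
               module failed; a failure is ignored
    A stack in which no module contributed a result is denied.
    """
    impression = None          # None: nothing decided yet, True/False: current verdict
    consulted = []
    for control, module in stack:
        outcome = module_outcome(module, user, password)
        consulted.append(module)
        if outcome == IGNORE:
            continue
        ok = outcome == SUCCESS
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False
                if control == "requisite":
                    return False, consulted
        elif control == "sufficient":
            if ok and impression is not False:
                return True, consulted
        else:
            raise ValueError("unsupported control flag %r" % control)
    return impression is True, consulted


if __name__ == "__main__":
    for user, password in [("alice", "krb-pass"), ("bob", "local-pass"),
                           ("alice", "old-local-pass"), ("alice", "wrong")]:
        ok, path = run_auth_stack(SYSTEM_AUTH, user, password)
        print("%-6s %-15s -> %-5s via %s" % (user, password, ok, " > ".join(path)))
```

Two things the trace makes visible. A Kerberos user never reaches pam_unix, so the local password is not consulted for them; but a user whose Kerberos check fails does fall through to pam_unix, which means an account's old /etc/shadow password stays a valid way in for as long as it exists. And pam_deny at the end turns "nothing succeeded" into an explicit failure instead of relying on the default denial for a stack in which every module was ignored.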

8. Before you dive in...


Make sure you look through the manual pages for the commands and configuration files you will be using:

man krb5.conf
man ktutil
man kinit
man kpasswd
man pam_krb5
man -k pam
