Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authenticate local Linux accounts against Windows Active Directory

Published byPaul Barker Modified over 6 years ago

Similar presentations

Presentation on theme: "Authenticate local Linux accounts against Windows Active Directory"— Presentation transcript:

1 Authenticate local Linux accounts against Windows Active Directory
Matt Hargrave GM Financial

2 Overview What is Kerberos Kerberos vs LDAP PAM pam_krb5 Setup
krb5.conf sshd sudo httpd Samba Moving Foward

3 What we needed Have a single password for every user for every service
Maintain control of users on a server level Use an universal (secure) authentication mechanism

4 Kerberos Developed at MIT and released as open source in 1987
Named after three headed dog that guarded the gates of hades Version 5 Uses tickets to authenticate Everyone uses it

5 Why Kerberos and not LDAP?
Pros Quick and Simple Control over users Three headed dog (Cerberus) Cons User Management Dependent on Windows Server

6 Pluggable Authentication Module
High level interface to low level schemes Supported on plethora of Unix and Unix like systems

7 The magic is in pam_krb5 Developed by Red Hat (Nalin Dahyabhai)
Aims to work with minimal configuration

8 yum install pam_krb5 krb5_workstation
Setup...

9 /etc/krb5.conf [libdefaults] default_realm = EXAMPLE.COM [realms] EXAMPLE.COM = { kdc = SERVER1.EXAMPLE.COM:88 admin_server = SERVER1.EXAMPLE.COM:749 kdc = SERVER2.EXAMPLE.COM:88 admin_server = SERVER2.EXAMPLE.COM:749 default_domain = EXAMPLE.COM } [domain_realm] .EXAMPLE.COM = EXAMPLE.COM .TEST.EXAMPLE.COM = EXAMPLE.COM [logging] kdc = SYSLOG:INFO admin_server = FILE=/var/krb5/log/kadmin.log

10 SSHD /etc/sshd_config /etc/pam.d/sshd UsePAM yes
KerberosAuthentication no Using this option works perfectly fine. However, it will bypass the PAM options. /etc/pam.d/sshd

11 SSHD Cont… #%PAM-1.0 auth required pam_nologin.so auth sufficient pam_unix.so shadow md5 likeauth nullok auth requisite pam_succeed_if.so uid >= 200 quiet auth sufficient pam_krb5.so auth required pam_deny.so account required pam_unix.so password required pam_cracklib.so password required pam_unix.so shadow md5 nullok use_authtok session required pam_unix.so session required pam_limits.so session optional pam_krb5.so session required pam_selinux.so close session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke

12 SUDO /etc/pam.d/sudo #%PAM-1.0 auth sufficient pam_unix.so
auth sufficient pam_krb5.so account include system-auth password include system-auth session optional pam_keyinit.so revoke session required pam_limits.so

13 Non-PAM configurations...

14 HTTPD auth_kerb_module .htaccess AuthType Kerberos
KrbAuthRealm EXAMPLE.COM KrbMethodNegotiate off KrbVerifyKDC off Require valid-user AuthGroupFile /path/to/file

15 Samba /etc/samba/smb.conf net ads join -Uadministrator
workgroup = EXAMPLE realm = EXAMPLE.COM security = ADS client NTLMv2 auth = YES net ads join -Uadministrator

16 Things to consider... root (or account with sudo access) to have local password for backdoor DNS bug?

17 Moving Foward SSSD (System Security Services Daemon)
Identify Management (FreeIPA) SSSD – Creates a framework for services to access remote directories and authentication mechanisms (such as FreeIPA)

18 Questions?

Download ppt "Authenticate local Linux accounts against Windows Active Directory"

Similar presentations

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
1 Kerberos Anita Jones November, 2006. 2 Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.

1 Kerberos Anita Jones November, Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.
Active Directory and NT Kerberos Rooster JD Glaser.

Active Directory and NT Kerberos Rooster JD Glaser.
CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM.

CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM.
METALOGIC s o f t w a r e © Metalogic Software Corporation 2004-2006 DACS Developer Overview DACS – the Distributed Access Control System.

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
Identity and Security Management Kevin Unthank Senior Product Manager Red Hat Security Management Products Cloud Business Unit.

Identity and Security Management Kevin Unthank Senior Product Manager Red Hat Security Management Products Cloud Business Unit.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Unix/Windows Inter-Operability. What do we want? Single Username Password Access Users files (N drive) – Personal Machine – Multi-User Machines Information.

Unix/Windows Inter-Operability. What do we want? Single Username Password Access Users files (N drive) – Personal Machine – Multi-User Machines Information.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Custom Authentication Services Jim McCusker (Yale University) Arch/VCDE F2F October 29, 2008.

Custom Authentication Services Jim McCusker (Yale University) Arch/VCDE F2F October 29, 2008.
Active Directory® and Apache® Using Kerberos and Apache to Authenticate via Microsoft Active Directory.

Active Directory® and Apache® Using Kerberos and Apache to Authenticate via Microsoft Active Directory.
Securing Access in a Heterogeneous Network Environment Providing Interoperability between Microsoft Windows 2000 and Heterogeneous Networks Securing Authentication.

Securing Access in a Heterogeneous Network Environment Providing Interoperability between Microsoft Windows 2000 and Heterogeneous Networks Securing Authentication.
© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.

© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.
Authentication June 24/2003. Overview Terminology Local Passwords Early Password Services Kerberos Basics Tickets Ticket Acquisition Kerberos Authentication.

Authentication June 24/2003. Overview Terminology Local Passwords Early Password Services Kerberos Basics Tickets Ticket Acquisition Kerberos Authentication.
03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.

03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series 2008 - WebSEAL SSO, Session 1 Presented by: Andrew Quap.

TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
Square Pegs in Round Holes: Linux in a Windows World Eric G. Wolfe © 2008 Senior Linux Administrator Marshall University Slides, and code available at.

Square Pegs in Round Holes: Linux in a Windows World Eric G. Wolfe © 2008 Senior Linux Administrator Marshall University Slides, and code available at.
1 SAMBA. 2 Module - SAMBA ♦ Overview The presence of diverse machines in the network environment is natural. So their interoperability is critical. This.

1 SAMBA. 2 Module - SAMBA ♦ Overview The presence of diverse machines in the network environment is natural. So their interoperability is critical. This.
Seamless Integration: Active Directory Services and Samba 3.0 FVLUG – December 8, 2003 Wim Kerkhoff.

Seamless Integration: Active Directory Services and Samba 3.0 FVLUG – December 8, 2003 Wim Kerkhoff.
User Management in LHCb Gary Moine, CERN 29/08/2015 1.

User Management in LHCb Gary Moine, CERN 29/08/

Similar presentations

Ads by Google