Integrating UNIX and Windows with Kerberos

The following is just my notebook on how this can be accomplished. No guarantees that it's complete or correct, but hopefully it will provide a good start.

Authenticating UNIX into a Kerberos realm based on a Windows Active Directory server

Yes, it is entirely inappropriate to put your authentication server on a Windows machine. But face it, this is the problem that people often want to solve.

Assumptions:

1. You already have a Windows (2000 or later) Active Directory server already up and running.
2. That Domain Controller is going to be the Kerberos server.
3. You have ripped out the incorrect Microsoft approximation to Kerberos and installed the real thing from MIT:
   http://web.mit.edu/kerberos/www/dist/
   If you try to use Microsoft's broken version, it will not necessarily interoperate with anything other than Microsoft. Yet another attempt to build up the Evil Empire? Probably not: "Never credit to ill intent that which incompetence or ignorance can explain."
4. Your Kerberos realm and AD domain are both EXAMPLE.COM.
5. Your Active Directory server is ad.example.com and its IP address is 10.0.0.1,
6. We have one UNIX host to set up as a Kerberos client. Its hostname is unix.example.com and its IP address is 10.0.0.2.

1. Make the Active Directory server aware of the UNIX host

For each UNIX host, add a user account to the AD server. The account's first name and login name must be the hostname of the UNIX host. In our example:

2. Generate a keytab file (on the Windows AD/Kerberos server)

On the Windows AD/Kerberos server, make sure that the Kerberos configuration utilities are installed. Windows distribution media may hide this in support/tools. Install it with its setup.exe.

Run the Ktpass utility. There are just two commands here -- your browser may break the second line into two. Everything from Ktpass to unix.keytab is supposed to be one line. Change every instance of unix in the below as needed for each host.

Now you must securely transfer the file unix.keytab to the host unix. Hide it somewhere safe like /root/unix.keytab for now. And of course, remove that file from the Windows machine!

3. Create /etc/krb5.conf (on the UNIX client)

There should be an example file already in place. Edit that file, and notice it is grouped into stanzas with headings in square brackets. Modify the libdefaults section:

Also modify the realms section:

Finally, modify the domain_realm section to handle sub-domains:

4. Verify that /etc/services has what it needs (on the UNIX client)

Verify that /etc/services contains these port definitions:

5. Integrate the newly generated keytab file (on the UNIX client)

Use the ktutil command to manage the keytab files. We are going to read in the new keytab file, write it to the master keytab file, and quit:

6. Verify that you can get Kerberos credentials on the UNIX client

Test things by hand, verify that your user account can now get Kerberos credentials.

Use kinit to get the TGT, the Kerberos identity credentials.

Use kpasswd to change the Kerberos password.

7. Set up PAM on the UNIX client

The convenient and manageable way of using PAM is what Red Hat and similar distributions have done -- use the pam_stack.so library to basically include a standard stack of rules in any service. That way you only have to modify one rule set to configure Kerberos authentication for any service using that stack.

Make that standard stack look like the following. If you are using something derived from Red Hat, it is probably in the file /etc/pam.d/system-auth

8. Before you dive in....

Make sure you look through the manual pages for the commands and configuration files you will be using:
man krb5.conf
man ktutil
man kinit
man kpasswd
man pam_krb5.so
man -k pam

© Bob Cromwell Sep 2008. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache.    Root password available here