
Is it possible to configure ldap+kerberos authentication on a linux machine without joining it to windows domain? I have to create a pool of VMs using RHEVM with a pretty short lifetime and I do not want to join/remove them every single time to/from domain. And I strongly do not want to install a secondary ldap only for a small amount of VMs. Any ideas?

tokitux
  • Do you want users of this linux machine to login via Kerberos/LDAP? Yes, this is possible, just search for PAM Kerberos/LDAP authentication. E.g. https://wiki.debian.org/LDAP/Kerberos could be a good start. – Andrey Sapegin Mar 03 '15 at 15:41
  • What, if any, are your single sign-on goals relative to Windows accounts? – kmarsh Mar 03 '15 at 18:04
  • @kmarsh I want to get account info (username, uid/gid, homedir, shell) from ldap and authenticate user via kerberos. Just lookup, without integration – tokitux Mar 04 '15 at 08:07
  • You will need to enable Unix Attributes in Active Directory by adding the "Identity management for UNIX" role service in Server Manager, and create an LDAP Bind Account that can be a member of Domain Guests. – kmarsh Mar 04 '15 at 13:49
  • @kmarsh It's already done. Maybe sssd somehow misconfigured. – tokitux Mar 04 '15 at 13:52

1 Answer


Yes, if you use Red Hat or any other RHEL-based distro (Fedora, CentOS, Scientific Linux, Oracle Linux to name a few):

$ authconfig-tui

This would walk you through the setup. Use:

  • User information: LDAP
  • Authentication: Kerberos (with Shadow and Local authorization being set as well)

This should get you up and running pretty quickly.

Belmin Fernandez
  • So, there is no huge difference between ldap auth thru AD or some other ldap provider? Unfortunately, configuring sssd using authconfig didn't help. – tokitux Mar 04 '15 at 07:31
  • Not sure if I understand your question. For auth, you're using `kerberos`. Pretty straightforward setup. You just require domain information. You could use AD for user information or keep it local but then you'll need your account names to match up with what's in AD. I've gone the 2nd route because then I could use local users as an authorization layer while still using AD for authentication. – Belmin Fernandez Mar 04 '15 at 12:18
  • Well, if I understand the AD concept right, a workstation must be a part of Windows environment to obtain all the benefits it provides such as user and computer management, group policies and so on. But I do not need all this stuff, because it is rather useless on unix workstation. I need only two parts of AD: ldap database to obtain users' account information and kerberos kdc to authenticate them. So the question is how to bind my workstation to AD ldap and how to configure kerberos client without establishing any domain relationships with AD. – tokitux Mar 04 '15 at 13:28
  • Right, `authconfig-tui` will help you get that setup if you have RHEL-based distro. It configures `pam-krb5` to authenticate with AD without it being part of the domain and gets user info via LDAP. – Belmin Fernandez Mar 04 '15 at 13:30
  • Seems it must work, but it doesn't :( `getent passwd` shows only local users. Otherwise `kinit username` successfully obtains a TGT from KDC. – tokitux Mar 04 '15 at 13:49
  • See my comment under your question. – kmarsh Mar 04 '15 at 13:51
  • Debug by working out the correct query with ldapsearch and then modify Linux settings to get getent to do the same thing. I've never gotten a system to fully work with just authconfig-tui.... – kmarsh Mar 04 '15 at 13:57
  • Every LDAP deployment is different. So yeah, as `kmarsh` said, you'll need to modify LDAP lookup appropriately. – Belmin Fernandez Mar 04 '15 at 16:29
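The setup the answer and comments describe (identity from AD's LDAP, authentication against the AD KDC, no domain join), written out as the sssd.conf that `authconfig` only partially generates; this is an added example, not from the answer or the sssd project, and `example.com`, `EXAMPLE.COM`, `dc1`, the `ldapbind` account, the CA file path and the `linux-users` group are placeholders for your own values:

```ini
# /etc/sssd/sssd.conf (example; every name below is a placeholder for your environment)
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[nss]
filter_users = root
filter_groups = root

[domain/example.com]
# Identity comes from AD over LDAP, authentication from the AD KDC.
# No computer account is needed for either, which is what an un-joined host wants.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = simple
simple_allow_groups = linux-users   # authorization layer: only this AD group may log in
cache_credentials = True

# --- LDAP lookup: this is the part `getent passwd` exercises ---
ldap_uri = ldaps://dc1.example.com
ldap_search_base = DC=example,DC=com
ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem   # pin the AD CA; the bind password travels over this channel
ldap_referrals = False   # AD answers subtree searches with referrals; chasing them stalls lookups
# AD refuses anonymous searches, so bind with the low-privilege read-only account from the comments
ldap_default_bind_dn = CN=ldapbind,OU=Service Accounts,DC=example,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <output of: sss_obfuscate --domain example.com>
# AD attribute names as populated by "Identity Management for UNIX"
ldap_schema = ad
ldap_id_mapping = False   # use the uidNumber/gidNumber set in AD, not SID-derived IDs
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_name = sAMAccountName
# Only return accounts that actually carry POSIX attributes
ldap_user_search_base = DC=example,DC=com?subtree?(uidNumber=*)

# --- Kerberos ---
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
krb5_canonicalize = False
# krb5_validate = True would need a host keytab, which an un-joined host does not have,
# so the TGT is not verified against a host key; the pinned LDAPS CA above is the compensating control.
```

Before trusting sssd, reproduce the lookup by hand as kmarsh suggests, e.g. `ldapsearch -H ldaps://dc1.example.com -D "CN=ldapbind,OU=Service Accounts,DC=example,DC=com" -W -b DC=example,DC=com "(&(objectClass=user)(uidNumber=*))" sAMAccountName uidNumber gidNumber unixHomeDirectory loginShell`; if that returns nothing, no sssd setting will make `getent passwd` return more than local users.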