2

How do I make openBSD to authenticate to Windows server 2008R2? I currently have installed Identity Management for Unix (IDMU). Also I have installed login_ldap in openbsd. but I dont know what to configure in the openBSD client and the windows server 2008. My goal is to have accounts create in the windows sever directory structure and be able to login with those accounts from the openbsd computer.

Dave M
  • 4,494
  • 21
  • 30
  • 30
Enmanuelh17
  • 21
  • 5
  • I dont think whether this post can help you guys help. http://serverfault.com/questions/20202/authenticating-openbsd-against-active-directory but it will be really appreciate if someone know the steps to get this working. – Enmanuelh17 May 08 '15 at 21:09
  • samba is your answer, to join the server in the AD. but iam not placed to answer you. https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html – yagmoth555 May 09 '15 at 01:35
  • Maybe http://serverfault.com/questions/20202/authenticating-openbsd-against-active-directory can help. If you only need authentication for a single service, such as OpenSSH, have a look at http://blog.scottlowe.org/2006/10/16/no-broad-openbsd-ad-integration/ – philippe May 09 '15 at 17:10
  • kerberos does not work in openbsd anymore they took it out because it didnt meet their security specifications. – Enmanuelh17 May 14 '15 at 16:38
  • You can recompile with kerberos included. Will be doing for my own systems and will report back with my findings. – Aaron Mason Jan 07 '16 at 03:27
  • Correction - you can install the Heimdal package. I've just got to update my box to 5.8 to see if this works going forward. – Aaron Mason Jan 07 '16 at 03:52

1 Answers1

1

Actually, the package you need is login_krb5. The other package you need is the heimdal package. You will also need to upgrade to 5.7 as heimdal isn't available as a package in 5.6.

Once you've done that, copy /usr/local/libexec/auth/login_krb5* to /usr/libexec/auth. You'll need to do this or the login process won't be able to find them.

Finally, an optional step is to add /usr/local/heimdal/bin to your system path. This will allow you to use the Kerberos tools to test your configuration. If you choose not to do this, you'll need to refer to the full path of each of these executables (e.g. /usr/local/heimdal/bin/ktutil)

Once you've done all of that (or at least the first two steps), here's what you do (adapted from this article):

  1. Create a new user account in your AD domain - do not create a computer account as it won't work. Give it any password (it'll change later) and disable password expiry and password changing.

  2. Create your keytab and set a random password (where myhost is the user you created, myhost.fqdn is the name of your server and EXAMPLE.COM is your domain):

    C:\> ktpass -out c:\temp\myhost.keytab -princhost/myhost.fqdn@EXAMPLE.COM -mapuser myhost -pType KRB5_NT_PRINCIPAL +rndpass

  3. Securely copy the myhost.keytab file to your server and delete the local copy.

  4. Copy the keytab to /etc/heimdal:

    # ktutil copy /path/to/myhost.keytab /etc/heimdal/krb5.keytab

  5. Configure the configuration file at /etc/heimdal/krb5.conf with the below - which is the bare minimum that you will need.

    [libdefaults] clockskew = 300 default_realm = EXAMPLE.COM

    [realms] EXAMPLE.COM = { default_domain = EXAMPLE.COM }

    [domain_realm] .EXAMPLE.COM = EXAMPLE.COM

  6. Verify that you can get a ticket:

    # kinit Administrator@EXAMPLE.COM Administrator@EXAMPLE.COM's Password: # klist Credentials cache: FILE:/tmp/krb5cc_0 Principal: Administrator@EXAMPLE.COM

    Issued Expires Principal Jun 4 21:41:05 Jun 5 07:40:28 krbtgt/EXAMPLE.COM@EXAMPLE.COM

  7. In /etc/login.conf, replace the line below:

    :tc=auth-defaults:\

    With the following line:

    :auth=krb5-or-pwd:\

    This will tell the system to use Kerberos for all users other than root. If login fails, it falls back to local passwords.

  8. Create any users you wish to authenticate with Kerberos. This must be done if you wish to use Kerberos - there is no automatic process. Doesn't matter what password you give them, as it will check Kerberos first.

  9. Test your logins via SSH. Be delighted that they work.

Let me know if you get stuck.

Community
  • 1
Aaron Mason
  • 703
  • 6
  • 19