
I want to manually log in to an LDAP server. Kerberos is used for authentication. I am registered there with a username and password.

kinit username@servername

It works fine and a valid TGT is created which I can view using

klist

But how do I proceed after that? How can I use the TGT in order to connect to the LDAP server?

I've read that a keytab file is required here. But I have no krb5.keytab file generated in /etc/.

1 Answer

As always, "it depends". I assume you are using some kind of Linux.

For one-off authentication, provided your LDAP client supports GSSAPI, you can use the GSSAPI mechanism. So once you kinit successfully and you have a TGT, you can use something like this (using the publicly available FreeIPA demo, http://www.freeipa.org/page/Demo):

$ kinit admin@DEMO1.FREEIPA.ORG
Password for admin@DEMO1.FREEIPA.ORG: 
$ klist 
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@DEMO1.FREEIPA.ORG

Valid starting       Expires              Service principal
04/20/2016 18:30:56  04/21/2016 18:30:51  krbtgt/DEMO1.FREEIPA.ORG@DEMO1.FREEIPA.ORG
    renew until 04/27/2016 18:30:51
$ ldapsearch -LLL -Y GSSAPI -h ipa.demo1.freeipa.org -b cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org "(nsaccountlock=TRUE)" uid nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin@DEMO1.FREEIPA.ORG
SASL SSF: 56
SASL data security layer installed.
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@DEMO1.FREEIPA.ORG

Valid starting       Expires              Service principal
04/20/2016 18:31:09  04/21/2016 18:30:51  ldap/ipa.demo1.freeipa.org@DEMO1.FREEIPA.ORG
    renew until 04/27/2016 18:30:51
04/20/2016 18:31:09  04/21/2016 18:30:51  ldap/ipa.demo1.freeipa.org@
    renew until 04/27/2016 18:30:51
04/20/2016 18:30:56  04/21/2016 18:30:51  krbtgt/DEMO1.FREEIPA.ORG@DEMO1.FREEIPA.ORG
    renew until 04/27/2016 18:30:51

As you see, I could bind using the Kerberos ticket. I got no results because there are no locked accounts there, but the bind itself succeeded.

Using keytabs is not much more complicated, but you need to retrieve one first (or have one retrieved for you). The method for doing that varies per Kerberos vendor: for AD Kerberos you usually get it using ktpass.exe; on Linux talking to AD Kerberos you could use msktutil (https://fuhm.net/software/msktutil/), which is not standard software delivered by all distributions but works really well; for Linux hosts in a FreeIPA Kerberos domain you can use ipa-getkeytab (http://www.freeipa.org/page/V4/Keytab_Retrieval); on standard MIT Kerberos you could use ktutil (http://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/ktutil.html).

Once you have the keytab, you need to use it with:

kinit -k -t /path/to/keytab_file -c /path/to/kerberos/cache youruser@YOUR.REALM

After that you can use the KRB5CCNAME environment variable in your script to authenticate to the LDAP server; you need to point it to the path where you saved the keytab cache with the -c switch. Obviously, the ticket will expire after a couple of hours, so you need to renew it using cron or k5start.

You do not want to use the /etc/krb5.keytab file; that is the host file (computers are users as well when joined to a Kerberos realm). You will want to have an application/user keytab specific to your needs.

natxo asenjo
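Added example, not part of the answer above or of any FreeIPA/MIT tooling: a bash script that does the keytab-based variant the answer describes end to end (kinit -k -t into a dedicated credential cache, KRB5CCNAME pointed at that cache, ldapsearch -Y GSSAPI against it), with the one check a practitioner wants before touching a keytab: since the keytab holds the principal's long-term key, it is password-equivalent and must not be readable by anyone else. The principal, keytab path, cache path, LDAP host and base DN are placeholders; the script assumes MIT Kerberos client tools (kinit, klist), OpenLDAP's ldapsearch and GNU stat.

```bash
#!/usr/bin/env bash
# Added example: non-interactive GSSAPI bind to LDAP from an application keytab.
# Not from the original answer; every name below is an assumption to replace.
set -euo pipefail

# ---- assumptions (hypothetical values, override via the environment) ----------
PRINCIPAL="${PRINCIPAL:-svc-ldapreader@EXAMPLE.COM}"     # application principal, not a host
KEYTAB="${KEYTAB:-/etc/krb5/svc-ldapreader.keytab}"      # its own keytab, NOT /etc/krb5.keytab
CCACHE="${CCACHE:-/run/user/$(id -u)/krb5cc_ldapreader}" # dedicated cache, not the login one
LDAP_HOST="${LDAP_HOST:-ipa.example.com}"
LDAP_BASE="${LDAP_BASE:-cn=users,cn=accounts,dc=example,dc=com}"

# keytab_ok FILE: refuse to use a keytab unless it is a regular file, owned by
# the current user and not group/world accessible (0600 or tighter).
# Uses GNU stat. Returns 0 when acceptable, 1 (with a reason on stderr) otherwise.
keytab_ok() {
    local f="$1" mode owner
    [ -f "$f" ] || { echo "keytab $f: not a regular file" >&2; return 1; }
    owner=$(stat -c '%u' "$f")
    if [ "$owner" != "$(id -u)" ]; then
        echo "keytab $f: owned by uid $owner, not uid $(id -u)" >&2; return 1
    fi
    mode=$(stat -c '%a' "$f")
    mode=${mode: -3}                       # drop any setuid/setgid/sticky digit
    if [ "$((8#$mode & 8#077))" -ne 0 ]; then
        echo "keytab $f: mode $mode is group/world accessible" >&2; return 1
    fi
    return 0
}

# have_tgt: 0 if the dedicated cache already holds an unexpired TGT.
# klist -s prints nothing and reports only through its exit status.
have_tgt() {
    KRB5CCNAME="FILE:$CCACHE" klist -s
}

# get_tgt: (re)acquire the TGT from the keytab into the dedicated cache.
# This is the step to run from cron (or replace with k5start) to keep it fresh.
get_tgt() {
    keytab_ok "$KEYTAB"
    kinit -k -t "$KEYTAB" -c "FILE:$CCACHE" "$PRINCIPAL"
}

# ldap_query FILTER [ATTR...]: SASL/GSSAPI bind using the dedicated cache.
# -H takes an LDAP URI; it is the current spelling of the answer's -h host.
ldap_query() {
    local filter="$1"; shift
    KRB5CCNAME="FILE:$CCACHE" ldapsearch -LLL -Y GSSAPI \
        -H "ldap://$LDAP_HOST" -b "$LDAP_BASE" "$filter" "$@"
}

main() {
    have_tgt || get_tgt
    # same query as in the answer: locked accounts
    ldap_query "(nsaccountlock=TRUE)" uid nsaccountlock
}

# Only run the procedure when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `bash ldap-gssapi.sh run` (or source it and call the functions). Keeping the service cache separate from your login cache matters: the script's ticket then never shares a cache with, or overwrites, your own kinit session, and the cache file can be given the same owner-only permissions as the keytab.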