4

This is driving me batty. I'm trying to set up an AD-integrated Ubuntu 16.04 server to accept Kerberos tickets when logging in via SSH. I have a CentOS 7 server that accepts tickets without a problem after being joined to the AD domain, but I haven't gotten the config quite right on the Ubuntu server.

Here's the setup:

  • Windows 2012 AD Domain (realdomain.tld)
  • Fedora 25 Workstation (wksf25.realdomain.tld)
  • CentOS 7 Server (sc7.realdomain.tld)
  • Ubuntu 16.04 Server (su16.realdomain.tld)

Everything was joined to AD via realm, and that works without problems. Everything also gets Kerberos tickets on login or via kinit just fine. SSHing from wksf25 to sc7 works just fine, and I'm able to log in via SSH using the Kerberos ticket I obtain on login to wksf25.

Here are the setup steps for Ubuntu:

  1. Install the packages:

    apt install realmd oddjob oddjob-mkhomedir sssd sssd-tools adcli samba-common krb5-user chrony packagekit libpam-krb5
    
  2. Edit chrony.conf to use the AD DCs.
  3. Set up realmd.conf: vim /etc/realmd.conf

    [users]
    default-home = /home/%D/%U
    
    [realdomain.tld]
    fully-qualified-names = no
    manage-system = no
    automatic-id-mapping = yes
    
  4. Join the domain: realm join -vU domainuser realdomain.tld

  5. Allow logins: realm permit -R realdomain.tld -g linuxadmins
  6. Ubuntu specific - Set up PAM to create homedir on login: `vim /etc/pam.d/common-session`

    session optional        pam_mkhomedir.so umask=0077
    
  7. Ubuntu specific - Enable GSSAPI authentication in OpenSSH: vim /etc/ssh/sshd_config

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    
  8. Login with domain account and make sure everything is working. Everything works at this point minus passwordless SSH logins via Kerberos tickets on the Ubuntu server.

Here is what I get from realm list:

    realdomain.tld
      type: kerberos
      realm-name: REALDOMAIN.TLD
      domain-name: realdomain.tld
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: sssd-tools
      required-package: sssd
      required-package: libnss-sss
      required-package: libpam-sss
      required-package: adcli
      required-package: samba-common-bin
      login-formats: %U
      login-policy: allow-permitted-logins
      permitted-logins:
      permitted-groups: linuxusers

sssd.conf:

    [sssd]
    domains = realdomain.tld
    config_file_version = 2
    services = nss, pam

    [domain/realdomain.tld]
    ad_domain = realdomain.tld
    krb5_realm = REALDOMAIN.TLD
    realmd_tags = joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False
    fallback_homedir = /home/%d/%u
    access_provider = simple
    simple_allow_groups = linuxusers

krb5.conf:

    [libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        default_ccache_name = KEYRING:persistent:%{uid}

        default_realm = REALDOMAIN.TLD

    [realms]
        REALDOMAIN.TLD = {
        }

    [domain_realm]
        realdomain.org = REALDOMAIN.TLD
        .realdomain.org = REALDOMAIN.TLD

What am I missing?

quinnr

2 Answers

2

Fixed. realm join -vU domainuser --membership-software=samba --client-software=sssd realdomain.tld to join the AD domain on Ubuntu rather than letting realm use the defaults.

There was one little difference in the SSSD configs that I didn't think was pertinent, but it turned out it was.

Ubuntu: realmd_tags = joined-with-adcli

CentOS: realmd_tags = joined-with-samba

To get a different perspective on the problem, I spun up an OpenSUSE VM and started researching how SUSE does their AD integration. While I was figuring out how SUSE does things, I ran across a post which suggests Samba should be used to join Windows Server 2012+ AD instead of adcli.1 Add that to the difference in the configs above, and that was a clue to what was going on.

Leaving the domain and rejoining with the updated realm command fixed the issue, and everything has been stable for the last day.

I don't have an exact root cause as to the differences between the two methods, but that's going to require more research and is a fight for another day.

quinnr
  • Thanks for this post. I'm having a similar problem on Ubuntu 16.04. Tried CentOS 7 based on your answer, and I had success. However, using `--membership-software=samba` on Ubuntu did not solve it for me. Furthermore, using `--membership-software=adcli` still works on CentOS! The true difference continues to elude me... – Patrick Jul 14 '17 at 16:28
  • No real progress, but I did notice that on Ubuntu, `adcli` (and Samba's `net` command) link to both MIT Kerberos *and* Heimdal Kerberos, which I find strange. On CentOS, only MIT Kerberos is present. – Patrick Jul 21 '17 at 04:56
0

We had a similar situation crop up coincident with adding an SSL certificate to support LDAPS (although I never reverted that change to determine if it was causal). I'm not sure if there's any reason to prefer adcli, but I found two options fixed realm join while still using adcli (on Ubuntu 14.04 and 16.04):

Solution 1 (Ubuntu 16.04 or 14.04)

Add two settings to our krb5.conf (neither alone helped):

    [libdefaults]
        ...
        canonicalize = true
        rdns = false

Solution 2 (Ubuntu 14.04 only)

I subsequently stumbled upon this git issue that suggested another option that (alone) is also working for us on 14.04:

    [libdefaults]
        ...
        dns_canonicalize_hostname = false

FWIW

We actually have full control over our DNS and were unable to find any issues in our existing records -- or any changes that eliminated the need for these.

claytond
  • Does setting the host name in `/etc/hosts` change anything? `127.0.0.1 server1.domain.tld server1 localhost` Ubuntu sets `127.0.1.1` to the hostname, but this seems to get ignored more often than not. – quinnr Apr 19 '17 at 17:34
  • Had no effect for me. In my case, `kinit` worked fine, but the `realm join` (with adcli) reported `KDC reply did not match expectations`. Your suggestion (as well as the flags mentioned) resolved the `realm join` issue. I had to put the GSSAPI issue on the back burner since it was taking too long to resolve. – claytond Apr 20 '17 at 19:33
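The question's configs and claytond's krb5.conf settings both come down to three files agreeing with each other. The following is an added audit script, not code from the question or either answer: it reads copies of sshd_config, sssd.conf and krb5.conf and checks for the specific inconsistencies discussed on this page (a misspelt sshd directive, a realm name that differs between sssd and krb5, a `[domain_realm]` entry that does not cover the host's own domain, and the `rdns` setting). The sample files at the bottom are constructed for the demonstration; the domain and host names are the placeholders used in the question.

```shell
#!/bin/sh
# Added audit helpers (not code from the question or the answers). They read copies of
# the files GSSAPI SSH logins depend on and flag the inconsistencies discussed above.
# Constructed sample files are written at the bottom; the live host is never touched.

# Print the value of KEY inside [SECTION] of an INI-style file (krb5.conf, sssd.conf) on stdin.
ini_get() {
  awk -v s="[$1]" -v k="$2" '
    { l = $0; gsub(/^[ \t]+|[ \t]+$/, "", l) }
    l ~ /^\[/ { in_s = (l == s); next }
    in_s && index(l, "=") > 1 {
      key = substr(l, 1, index(l, "=") - 1); gsub(/[ \t]+$/, "", key)
      if (key == k) { v = substr(l, index(l, "=") + 1); gsub(/^[ \t]+/, "", v); print v; exit }
    }'
}

# sshd honours only the exact keyword; a misspelt one makes it reject the whole file.
sshd_gssapi_enabled() {  # sshd_config on stdin
  grep -Eiq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes([[:space:]]|$)'
}

# sssd's krb5_realm and krb5.conf's default_realm must agree, or sssd authenticates
# users against a realm other than the one the host was joined to.
realms_match() {  # usage: realms_match DOMAIN SSSD_CONF KRB5_CONF
  a=$(ini_get "domain/$1" krb5_realm < "$2"); b=$(ini_get libdefaults default_realm < "$3")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# [domain_realm] must map the host's own DNS domain to that realm (single-realm setup);
# an entry for some other domain is ignored and the client falls back to guessing.
domain_mapped() {  # usage: domain_mapped FQDN KRB5_CONF
  [ "$(ini_get domain_realm ".${1#*.}" < "$2")" = "$(ini_get libdefaults default_realm < "$2")" ]
}

# rdns = false keeps libkrb5 from rewriting the target host name via reverse DNS before
# it builds the host/<fqdn> service principal (the setting claytond's answer relies on).
krb5_flag() {  # usage: krb5_flag KEY EXPECTED KRB5_CONF
  [ "$(ini_get libdefaults "$1" < "$3" | tr 'A-Z' 'a-z')" = "$2" ]
}

# Constructed samples (not the poster's files): krb5.conf is consistent, sssd.conf
# misspells the realm and sshd_config misspells the directive, so two checks must fail.
SAMPLE_KRB5=$(mktemp); SAMPLE_SSSD=$(mktemp)
printf '[libdefaults]\n    default_realm = REALDOMAIN.TLD\n    rdns = false\n\n[domain_realm]\n    .realdomain.tld = REALDOMAIN.TLD\n' > "$SAMPLE_KRB5"
printf '[sssd]\ndomains = realdomain.tld\n\n[domain/realdomain.tld]\nkrb5_realm = REALDOAMIN.TLD\n' > "$SAMPLE_SSSD"
realms_match realdomain.tld "$SAMPLE_SSSD" "$SAMPLE_KRB5" || echo "realm mismatch between sssd.conf and krb5.conf"
domain_mapped su16.realdomain.tld "$SAMPLE_KRB5" || echo "host domain not mapped in [domain_realm]"
krb5_flag rdns false "$SAMPLE_KRB5" || echo "rdns is not false"
printf 'GSSAPIAuthentiction yes\n' | sshd_gssapi_enabled || echo "GSSAPIAuthentication yes missing or misspelt"
```

To audit a real host, replace the sample paths with `/etc/krb5.conf` and `/etc/sssd/sssd.conf` and feed `/etc/ssh/sshd_config` to `sshd_gssapi_enabled`; any line echoed is a setting worth fixing before chasing DNS or join-method differences.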