This is driving me batty. I'm trying to setup an AD integrated Ubuntu 16.04 server to accept Kerberos tickets when logging in via SSH. I have a CentOS 7 server that accepts tickets without a problem after being joined to the AD domain, but I haven't gotten the config quite right on the Ubuntu server.
Here's the setup:
- Windows 2012 AD Domain (realdomain.tld)
- Fedora 25 Workstation (wksf25.realdomain.tld)
- CentOS 7 Server (sc7.realdomain.tld)
- Ubuntu 16.04 Server (su16.realdomain.tld)
Everything was joined to AD via realm, and that works without problems. Everything also gets Kerberos tickets on login or via kinit just fine. SSHing from wksf25 to sc7 works just fine, and I'm able to login via SSH using the kerberos ticket I obtain on login to wkfs25.
Here is the setup steps for Ubuntu:
Install the packages:
apt install realmd oddjob oddjob-mkhomedir sssd sssd-tools adcli samba-common krb5-user chrony packagekit libpam-krb5
- Edit
chrony.conf
to use the AD DCs. Setup realmd.conf:
vim /etc/realmd.conf
[users] default-home = /home/%D/%U [realdomain.tld] fully-qualified-names = no manage-system = no automatic-id-mapping = yes
Join the domain:
realm join -vU domainuser realdomain.tld
- Allow logins:
realm permit -R realdomain.tld -g linuxadmins
Ubuntu specific - Setup pam to create homedir on login: `vim /etc/pam.d/common-session'
session optional pam_mkhomedir.so umask=0077
Ubuntu specific - Enable GSSAPI authentication in OpenSSH:
vim /etc/ssh/sshd_config
GSSAPIAuthentiction yes GSSAPICleanupCredentials no
Login with domain account and make sure everything is working. Everything works at this point minus passwordless SSH logins via Kerberos tickets on the Ubuntu server.
Here is what I get from realm list
:
realdomain.tld
type: kerberos
realm-name: REALDOMAIN.TLD
domain-name: realdomain.tld
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups: linuxusers
sssd.conf:
[sssd]
domains = realdomain.tld
config_file_version = 2
services = nss, pam
[domain/realdomain.tld]
ad_domain = realdomain.tld
krb5_realm = REALDOAMIN.TLD
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = simple
simple_allow_groups = linuxusers
krb5.conf:
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = REALDOMAIN.TLD
[realms]
REALDOMAIN.TLD = {
}
[domain_realm]
realdomain.org = REALDOMAIN.TLD
.realdomain.org = REALDOMAIN.TLD
What am I missing?