Samba 4 AD and SSH Single Sign On with Kerberos Authentication

External Documents

HowTo

This simple howto will take you through the steps necessary to configure a Linux box A running an sshd server to authenticate ssh clients B using Kerberos.

The scenario includes a third Linux server C acting as Samba4 AD Domain Controller, and thus as Key Distribution Centre and Ticket Granting Server.

Assumptions

  • we have a configured Linux based Samba4 server and AD Domain Controller, our Linux box C
  • we have a Windows (7/XP/Vista) client B joined to the AD domain
  • the Windows client B has Active Directory Administration Tools installed
  • the Windows client B has putty (Windows ssh client) installed

Requirements

  • Linux box A acts as an sshd server and accepts users authenticated to the AD domain
  • We want to begin an ssh session from B to A (and also from C to A) using Kerberos authentication (and thus without entering further credentials, i.e. user ID and password)

Step 1

If the client has Samba4 installed, first configure /etc/smb.conf and krb5.conf to point to the domain controller, then run:

net ads join ezplanet.org -UAdministrator

Otherwise, with just the Kerberos 5 client installed, create the client host in Active Directory using the Windows Active Directory Users and Computers tool, then on the Samba4 AD Domain Controller proceed with one of the following methods:

New method:

Create the host under "Computers" using the Users and Computers AD tool under Windows 7/10, then add the service principal:

samba-tool spn add host/myhost.ezplanet.org myhost$

Old method:

# ldbedit -H /var/lib/samba/private/sam.ldb cn=myhost

and add the following:

dNSHostName: MYHOST.ezplanet.org
operatingSystem: Linux
operatingSystemServicePack: CentOS
operatingSystemVersion: 6.4
userPrincipalName: myhost@EZPLANET.ORG
servicePrincipalName: HOST/MYHOST.ezplanet.org
servicePrincipalName: RestrictedKrbHost/MYHOST.ezplanet.org
servicePrincipalName: HOST/MYHOST
servicePrincipalName: RestrictedKrbHost/MYHOST
servicePrincipalName: host/myhost.ezplanet.org@EZPLANET.ORG
servicePrincipalName: host/myhost@EZPLANET.ORG
servicePrincipalName: host/myhost.ezplanet.org
servicePrincipalName: host/myhost

Create Keytab:

# samba-tool domain exportkeytab myhost.keytab --principal=host/MYHOST.ezplanet.org
# samba-tool domain exportkeytab myhost.keytab --principal=host/myhost.ezplanet.org
# samba-tool domain exportkeytab myhost.keytab --principal=host/MYHOST
# samba-tool domain exportkeytab myhost.keytab --principal=host/myhost

# klist -ke /etc/myhost.keytab
Keytab name: FILE:myhost.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/myhost.ezplanet.org@EZPLANET.ORG (des-cbc-crc)
   1 host/myhost.ezplanet.org@EZPLANET.ORG (des-cbc-md5)
   1 host/myhost.ezplanet.org@EZPLANET.ORG (arcfour-hmac)
   1 host/myhost@EZPLANET.ORG (des-cbc-crc)
   1 host/myhost@EZPLANET.ORG (des-cbc-md5)
   1 host/myhost@EZPLANET.ORG (arcfour-hmac)
   1 host/MYHOST.ezplanet.org@EZPLANET.ORG (des-cbc-crc)
   1 host/MYHOST.ezplanet.org@EZPLANET.ORG (des-cbc-md5)
   1 host/MYHOST.ezplanet.org@EZPLANET.ORG (arcfour-hmac)
   1 host/MYHOST@EZPLANET.ORG (des-cbc-crc)
   1 host/MYHOST@EZPLANET.ORG (des-cbc-md5)
   1 host/MYHOST@EZPLANET.ORG (arcfour-hmac)

Copy myhost.keytab to /etc/krb5.keytab on myhost.
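A sanity check on the exported keytab and on the sshd side, added here as an example that is not part of the original howto: the klist output above contains only des-cbc-crc, des-cbc-md5 and arcfour-hmac keys, and MIT Kerberos has refused DES keys by default since 1.8 unless allow_weak_crypto is set in krb5.conf, so such a keytab is worth flagging before the ssh login mysteriously fails. The script also confirms that each expected host principal has a key and reads the effective value of sshd_config keywords such as GSSAPIAuthentication; both sample inputs below are constructed (the klist sample is a shortened copy of the output above).

```shell
#!/bin/sh
# Constructed sample input: a shortened copy of the klist -ke output above, so the script runs offline.
SAMPLE_KLIST='Keytab name: FILE:myhost.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/myhost.ezplanet.org@EZPLANET.ORG (des-cbc-crc)
   1 host/myhost.ezplanet.org@EZPLANET.ORG (des-cbc-md5)
   1 host/myhost.ezplanet.org@EZPLANET.ORG (arcfour-hmac)
   1 host/MYHOST@EZPLANET.ORG (arcfour-hmac)'

# Constructed sample sshd_config fragment (hypothetical content, not taken from the page).
SAMPLE_SSHD_CONFIG='# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication no'

# List keytab entries whose key type is DES, 3DES or RC4. DES is refused by default by MIT Kerberos
# since 1.8 (allow_weak_crypto), RC4 and 3DES are deprecated by RFC 8429. Output: "<principal> <enctype>".
weak_keytab_entries() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ / {
            enc = $3; gsub(/[()]/, "", enc)
            if (enc ~ /^(des-cbc-crc|des-cbc-md5|des3-cbc-sha1|arcfour-hmac(-exp)?)$/) print $2 " " enc
        }'
}

# Number of weak entries; 0 means every key in the keytab is AES.
weak_keytab_count() {
    weak_keytab_entries "$1" | wc -l | tr -d ' '
}

# Print each expected principal ($2 ...) that has no key at all in the klist output ($1).
missing_principals() {
    out="$1"; shift
    for p in "$@"; do
        printf '%s\n' "$out" | awk -v want="$p" '$2 == want { found = 1 } END { exit found ? 0 : 1 }' \
            || echo "$p"
    done
}

# Effective value of an sshd_config keyword: sshd honours the first occurrence, so print it and stop.
# Keywords are case-insensitive; comment and blank lines are skipped. Prints nothing if the key is absent.
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Live usage (as root): weak_keytab_entries "$(klist -ke /etc/krb5.keytab)"
#                       sshd_option "$(cat /etc/ssh/sshd_config)" GSSAPIAuthentication
```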

Configure sshd for GSSAPI authentication

Enable Kerberos PAM Authentication

# yum install -y pam_krb5
# authconfig --enablekrb5 --update

Add Service Principal

# samba-tool user create --random-password http-servername
# samba-tool spn add HTTP/servername.domainname@YOUR_REALM_NAME.TLD http-servername
# samba-tool domain exportkeytab /root/httpd.keytab --principal=HTTP/servername.domainname@YOUR_REALM_NAME.TLD

Putty

Putty Configuration

Articles and HowTo's on the same subject

The following was tested as described in the article but did not work; it is still interesting:

To join a CentOS 6.4 box to an AD domain using samba