login about faq

How do I set up GSSAPI authentication with Active Directory as Key Distribution Center (KDC)?

asked Dec 22 '10 at 17:03

SSH%20KB's gravatar image


Windows environment

Windows NT4 supports NTLM while Windows 2000 and Windows 2003 also provide native support for Kerberos. In a Windows environment, all you need to do is to join workstations to a domain and then create domain accounts for the users. When you later log in to the Windows workstation using the domain account, you receive a ticket that Tectia Client can use with the NTLM or Kerberos methods of GSSAPI authentication to authenticate to an SSH Tectia Server (Windows) that is also part of the domain.

Heterogeneous environment

On Unix, Tectia Server and Tectia Client support the Kerberos method of GSSAPI authentication. You need to install the MIT Kerberos implementation on Unix hosts and configure it to use Active Directory as a KDC. You also need use the Active Directory service management tool to create user accounts for the Unix server hosts. After that you need to generate the security principals and keytab files with the ktpass tool. You can find more details at: http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp Note: The example setup presented here does not include configuring nsswitch.conf to use LDAP for fetching the authorization data from Active Directory. Because of this, the user has to have a user account on the server. The authorization data that includes the user ID, group ID, home directory, and user's shell is read from /etc/passwd.

Creating the user account for Unix Server host to AD

Use the Active Directory Management tool to create a new user account for the Unix host: 1. Select the Users folder, right-click and select New, then choose the user. 2. Type the FQDN name of the Unix host.

Creating the security principal and keytab file

Use Ktpass to create the keytab file and set up the account for the Unix host, and then copy the keytab file to the Unix system and merge the keytab file into /etc/krb5.keytab. To do this, use the following command to generate the Unix host keytab file, map the principal to the account, and set the host principal password:
C:> ktpass -princ host/hostname@NT-DNS-REALM-NAME -mapuser account -pass password -out UNIXmachine.keytab 
In the command: - hostname is the host DNS name, for example, foobar.example.com. - NT-DNS-REALM-NAME is the uppercase name of the Windows domain; for example, EXAMPLE.COM. - account is the name of the account for the computer. - password is a complex password for the account. - UNIXmachine.keytab is the name of the keytab file.

Configuring /etc/krb5.conf to use AD as a KDC

Edit the file (/etc/krb5.conf) to refer to the Windows domain controller as the Kerberos KDC. The krb5.conf file entries should be similar to the following:
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 ticket_lifetime = 24000
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes =  des-cbc-crc
 default_tgs_enctypes =  des-cbc-crc
 default_etypes = des-cbc-crc
 default_etypes_des = des-cbc-crc

  kdc = finland.example.com:88
  admin_server = finland.example.com:749
  default_domain = EXAMPLE.COM

 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
You should now test your configuration with kinit and see if you receive a ticket granting ticket from the KDC:
$kinit testuser
Password for testuser@EXAMPLE.COM:
$ klist
Ticket cache: FILE:/tmp/krb5cc_21110
Default principal: testuser@EXAMPLE.COM

Valid starting     Expires            Service principal
11/26/04 12:06:27  11/26/04 22:06:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 11/27/04 12:06:27

Kerberos 4 ticket cache: /tmp/tkt21110
klist: You have no tickets cached

Installing keytab entry

Securely transfer the keytab file (UNIXmachine.keytab from the example above) to the Unix server host. Then, merge the keytab file with any existing keytab file for the Unix computer. The Unix commands to merge the keytab file are:
% ktutil
ktutil: rkt UNIXmachine.keytab
ktutil: list
The output should appear similar to the following:
slot KVNO Principal
---- ---- ---------
   1    1 host/foobar.example.com@EXAMPLE.COM

ktutil: wkt /etc/krb5.keytab
ktutil: q


First start Tectia Server with debug enabled to some other port than 22:
#/usr/local/sbin/sshd2 -o"AllowedAuthentications=gssapi" -D4 -p 54321
On a Unix client:
$ kinit testuser
$ ssh2 -o"AllowedAuthentications=gssapi" testuser@testserver.example.com -d 4 -p 54321

answered Dec 22 '10 at 17:08

Alan%20-%20Tectia%20Support's gravatar image

Alan - Tectia Support

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or __italic__
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: Dec 22 '10 at 17:03

Seen: 13,975 times

Last updated: Mar 02 '11 at 19:22

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.