ssh_with_kerberos_authentication_en [2017/09/05 12:18]

====== SSH with Kerberos Authentication ======

This page explains how to configure OpenSSH on Debian so that users authenticate with Kerberos, using Active Directory (AD) as the Kerberos database (KDC). The machine is joined to the domain with Samba and winbind, so that domain users and groups are visible to the system, and sshd then accepts Kerberos tickets through GSSAPI, with the AD password as the fallback.

Prepare the system with the following script first: [[http://wiki.douglasqsantos.com.br/doku.php/confinicialjessie_en]]

Update the package lists.
<sxh bash>
apt-get update
</sxh>

Set these environment variables so that the installation does not prompt for configuration; we write the configuration files ourselves after installing.
<sxh bash>
export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive
</sxh>

Install the packages the setup needs: Samba and winbind for the domain join and the NSS lookups, the MIT Kerberos client tools and PAM module, the GSSAPI SASL plugin, and ssh-krb5 (a transitional package that pulls in OpenSSH and enables GSSAPI key exchange in sshd_config).
<sxh bash>
apt-get install samba samba-common smbclient winbind krb5-config libpam-krb5 \
libnss-winbind krb5-user libsasl2-modules-gssapi-mit ssh-krb5 -y
</sxh>

Restore the environment variables to their defaults.
<sxh bash>
unset DEBIAN_PRIORITY
unset DEBIAN_FRONTEND
</sxh>

Point the resolver at the AD DNS server, adjusting the domain and IP address to your environment. Kerberos and Samba locate the domain controllers through DNS SRV records, so the domain's own DNS must be used. Note that **domain** and **search** are mutually exclusive in resolv.conf (if both are present the last one wins), so one of the two lines is enough.
<sxh bash>
vim /etc/resolv.conf
search douglasqsantos.com.br
domain douglasqsantos.com.br
nameserver 192.168.1.250
</sxh>

Synchronise the clock with the domain controller: Kerberos rejects requests when the client and KDC clocks differ by more than the permitted skew, 5 minutes by default.
<sxh bash>
ntpdate -u 192.168.1.250
</sxh>

Back up the Kerberos client configuration before changing it.
<sxh bash>
cp -Rfa /etc/krb5.conf{,.bkp}
</sxh>

Configure the Kerberos client as follows. The realm is the AD domain name in upper case. **forwardable = true** requests forwardable TGTs, which is what allows a ticket to be delegated to servers you log in to; the pam section limits Kerberos to accounts with UID 1000 and above, so root and system accounts never go to the KDC. The krb4 compatibility options found in older templates are obsolete and are not needed.
<sxh bash>
vim /etc/krb5.conf
[libdefaults]
       default_realm = DOUGLASQSANTOS.COM.BR
       kdc_timesync = 1
       ccache_type = 4
       forwardable = true
       proxiable = true
       fcc-mit-ticketflags = true
       default_keytab_name = FILE:/etc/krb5.keytab
[realms]
DOUGLASQSANTOS.COM.BR = {
      kdc = 192.168.1.250
      admin_server = 192.168.1.250:749
      default_server = 192.168.1.250
}
[domain_realm]
      .douglasqsantos.com.br = DOUGLASQSANTOS.COM.BR
      douglasqsantos.com.br = DOUGLASQSANTOS.COM.BR
[appdefaults]
pam = {
      realm = douglasqsantos.com.br
      ticket_lifetime = 1d
      renew_lifetime = 1d
      forwardable = true
      proxiable = false
      retain_after_close = false
      minimum_uid = 1000
      try_first_pass = true
      ignore_root = true
      debug = false
}
[logging]
      default = file:/var/log/krb5libs.log
      kdc = file:/var/log/krb5kdc.log
      admin_server = file:/var/log/kadmind.log
</sxh>

Raise the open-file limits: smbd wants a high number of open files and logs a warning when the default is too low. The root entries are the ones that matter for the Samba daemons; the second pair (mioutente is a placeholder user name) is an optional example for an ordinary account.
<sxh bash>
vim /etc/security/limits.conf
[...]
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384
</sxh>

Back up the Samba configuration file.
<sxh bash>
cp -Rfa /etc/samba/smb.conf{,.bkp}
</sxh>

Configure Samba as a domain member (**security = ADS**). **kerberos method = secrets and keytab** makes winbind use the system keytab as well as the machine password in secrets.tdb, and **winbind refresh tickets** keeps the users' tickets renewed. The idmap range maps domain SIDs to local UIDs and GIDs; keep it clear of the UID range used by local accounts. **winbind enum users/groups** is convenient for getent but is expensive in large domains.
<sxh bash>
vim /etc/samba/smb.conf
[global]
      workgroup = DOUGLASQSANTOS
      realm = douglasqsantos.com.br
      netbios name = CLIENT01
      server string = CLIENT01
      security = ADS
      auth methods = winbind
      kerberos method = secrets and keytab
      winbind refresh tickets = yes
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      load printers = No
      printing = bsd
      printcap name = /dev/null
      disable spoolss = Yes
      local master = No
      domain master = No
      winbind cache time = 15
      winbind enum users = Yes
      winbind enum groups = Yes
      winbind use default domain = Yes
      idmap config * : range = 10000-15000
      idmap config * : backend = tdb
      template shell = /bin/bash
      template homedir = /home/%U
</sxh>

Back up nsswitch.conf, which controls where users and groups are looked up.
<sxh bash>
cp /etc/nsswitch.conf{,.bkp}
</sxh>

Configure it so that local files are consulted first (compat) and winbind, i.e. the domain, second. shadow stays local: passwords of domain users are checked by Kerberos and winbind, not read from a shadow entry.
<sxh bash>
vim /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
</sxh>

Back up the PAM configuration before touching it: a mistake in these files can lock everyone out of the system.
<sxh bash>
cp -Rfa /etc/pam.d{,.bkp}
</sxh>

common-account controls the account checks (expiry, lockout and so on). The local database (/etc/passwd) is consulted first; if pam_unix does not know the user, winbind is asked. With the [success=N ...] controls a success skips the next N modules, so a user known to either module jumps straight to pam_permit, while a user known to neither reaches pam_deny and is refused. pam_krb5 at the end returns "ignore" for users who did not authenticate with Kerberos.
<sxh bash>
vim /etc/pam.d/common-account
#/etc/pam.d/common-account
account         [success=2 new_authtok_reqd=done default=ignore]   pam_unix.so
account         [success=1 new_authtok_reqd=done default=ignore]   pam_winbind.so
account         requisite                                          pam_deny.so
account         required                                           pam_permit.so
account         required                                           pam_krb5.so minimum_uid=1000
</sxh>

common-auth controls authentication. Kerberos is tried first, so a domain user types the password once and gets a ticket cache for the session; the modules after it reuse that password through try_first_pass instead of prompting a second time. pam_unix handles local accounts, and pam_winbind is the fallback for domain users (cached_login lets winbind use its credential cache when it is configured for offline logons).
<sxh bash>
vim /etc/pam.d/common-auth
#/etc/pam.d/common-auth
auth             [success=3 default=ignore]            pam_krb5.so minimum_uid=1000
auth             [success=2 default=ignore]            pam_unix.so nullok_secure try_first_pass
auth             [success=1 default=ignore]            pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth             requisite                             pam_deny.so
auth             required                              pam_permit.so
</sxh>

common-password controls password changes. pam_unix comes first and is sufficient, so local passwords can still be changed; for domain users the change goes to Kerberos (the AD password-change service), with winbind as the fallback.
<sxh bash>
vim /etc/pam.d/common-password
#/etc/pam.d/common-password
password         sufficient                            pam_unix.so obscure sha512
password         [success=2 default=ignore]            pam_krb5.so minimum_uid=1000
password         [success=1 default=ignore]            pam_winbind.so use_authtok try_first_pass
password         requisite                             pam_deny.so
password         required                              pam_permit.so
</sxh>

common-session controls the session setup. pam_mkhomedir creates the home directory the first time a domain user logs in, with umask=077 so that it is readable by its owner only.
<sxh bash>
vim /etc/pam.d/common-session
#/etc/pam.d/common-session
session         [default=1]                            pam_permit.so
session         requisite                              pam_deny.so
session         required                               pam_permit.so
session         required                               pam_unix.so
session         optional                               pam_krb5.so minimum_uid=1000
session         optional                               pam_winbind.so
session         optional                               pam_mkhomedir.so skel=/etc/skel umask=077
</sxh>

Now the PAM service for sshd. The two pam_succeed_if lines restrict SSH logins to root and to members of the sudo group: a member of group root passes immediately (sufficient), anyone else must be in sudo (requisite) or the login is refused before common-account is even consulted. Keep in mind that sshd_config below also sets AllowGroups sudo, which sshd checks on its own, before PAM.
<sxh bash>
vim /etc/pam.d/sshd
#/etc/pam.d/sshd
auth           required                               pam_env.so # [1]
auth           required                               pam_env.so envfile=/etc/default/locale
@include       common-auth
account        required                               pam_nologin.so
account        sufficient                             pam_succeed_if.so user ingroup root
account        requisite                              pam_succeed_if.so user ingroup sudo
@include       common-account
@include       common-session
session        optional                               pam_motd.so  motd=/run/motd.dynamic noupdate
session        optional                               pam_motd.so # [1]
session        optional                               pam_mail.so standard noenv # [1]
session        required                               pam_limits.so
@include       common-password
</sxh>

The same restriction for local (console) logins goes into the PAM service for login.
<sxh bash>
vim /etc/pam.d/login
#/etc/pam.d/login
auth          optional                                pam_faildelay.so  delay=3000000
auth          [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth          requisite                               pam_nologin.so
account       sufficient                              pam_succeed_if.so user ingroup root
account       requisite                               pam_succeed_if.so user ingroup sudo
session       [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session       required                                pam_env.so readenv=1
session       required                                pam_env.so readenv=1 envfile=/etc/default/locale
@include      common-auth
auth          optional                                pam_group.so
session       required                                pam_limits.so
session       optional                                pam_lastlog.so
session       optional                                pam_motd.so  motd=/run/motd.dynamic
session       optional                                pam_motd.so
session       optional                                pam_mail.so standard
@include      common-account
@include      common-session
@include      common-password
session       [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
</sxh>

Restart the samba and winbind services.
<sxh bash>
/etc/init.d/samba restart
/etc/init.d/winbind restart
</sxh>

Obtain a Kerberos ticket for a domain account that is allowed to join computers to the domain (here douglas); the join below is done with this ticket.
<sxh bash>
kinit douglas
</sxh>

List the ticket to confirm that the KDC answered.
<sxh bash>
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: douglas@douglasqsantos.com.br

Valid starting       Expires              Service principal
22-08-2014 12:00:46  22-08-2014 22:00:48  krbtgt/douglasqsantos.com.br@douglasqsantos.com.br
  renew until 23-08-2014 12:00:46
</sxh>

Join the machine to the domain.
<sxh bash>
net ads join createupn=host/$(hostname).douglasqsantos.com.br@douglasqsantos.com.br -S dc01.douglasqsantos.com.br -k
</sxh>

If the join fails, repeat it with debugging enabled to see where it stops.
<sxh bash>
net ads join createupn=host/$(hostname).douglasqsantos.com.br@douglasqsantos.com.br -S dc01.douglasqsantos.com.br -k --debuglevel=5
</sxh>

$(hostname) expands to this machine's short name, so the computer account gets a host/ UPN that matches its FQDN; -S names the domain controller to talk to, and -k tells net to use the Kerberos ticket obtained above instead of asking for a password.

The join writes the machine's keys into /etc/krb5.keytab. That file is the machine's identity: whoever can read it can authenticate to the KDC as this computer and decrypt the service tickets that users present to sshd. sshd and winbind read it as root, so keep it owned by root and readable by root only.
<sxh bash>
chown root:root /etc/krb5.keytab
chmod 600 /etc/krb5.keytab
</sxh>

Restart samba and winbind once more so that they pick up the keytab and the join.
<sxh bash>
/etc/init.d/samba restart
/etc/init.d/winbind restart
</sxh>

Now that the machine is in the domain, AD users can log in to this Linux box. Add the user to the local sudo group so that the restrictions above let it in and sudo is available to it.
<sxh bash>
gpasswd -a douglas sudo
</sxh>

Configure the ssh server for Kerberos. KerberosAuthentication lets sshd validate a typed password against the KDC, with KerberosOrLocalPasswd falling back to the local password file; GSSAPIAuthentication is what accepts an existing ticket without any password. KerberosTicketCleanup and GSSAPICleanupCredentials destroy the user's ticket cache when the session ends. AllowGroups sudo limits logins to members of the sudo group; root is normally not in that group, so root can no longer log in over SSH after this change unless you add it.
<sxh apache>
vim /etc/ssh/sshd_config
[...]
# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

[...]
#Add the following lines at the end of the file
AllowGroups sudo
# GSSAPI key exchange (added by ssh-krb5 transitional package)
GSSAPIKeyExchange yes
#Disable dns resolution
UseDNS no
</sxh>

Configure the ssh client to use Kerberos as well. Two of these settings deserve a second look before they go into a machine-wide file:
  - **StrictHostKeyChecking no** turns off host-key verification for every host, Kerberos or not, so a man-in-the-middle can impersonate any server without a warning. The default, ask, costs nothing here: with gssapi-with-mic the Kerberos exchange authenticates the server's host/ identity in addition to the host key.
  - **GSSAPIDelegateCredentials yes** forwards your TGT to every server you log in to. Root on that server can copy it from /tmp/krb5cc_* and act as you until it expires. Enable delegation only for the hosts that need it, in a **Host** block, rather than globally.
<sxh apache>
vim /etc/ssh/ssh_config
[...]
#Add the following lines at the end of the file
      SendEnv LANG LC_*
      HashKnownHosts yes
      StrictHostKeyChecking ask
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes
</sxh>

Restart the ssh service to load the changes.
<sxh bash>
/etc/init.d/ssh restart
</sxh>

Now test the authentication.

First a password login with a domain user; -p selects the port the sshd on this page listens on, 22022. The password is checked against the KDC and a ticket cache is created for the session.
<sxh bash>
ssh douglas@172.31.0.93 -p 22022
Password:
Linux client01 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 22 11:31:28 2014 from 172.31.0.245
douglas@client01:~$
</sxh>

The user we have just logged in as now has a ticket cache of its own.
<sxh bash>
klist
Ticket cache: FILE:/tmp/krb5cc_10001_d8JcfN
Default principal: douglas@douglasqsantos.com.br

Valid starting       Expires              Service principal
22-08-2014 12:11:40  22-08-2014 22:11:40  krbtgt/douglasqsantos.com.br@douglasqsantos.com.br
  renew until 23-08-2014 12:11:40
</sxh>

The keytab holds the machine's keys: for the host/ service principals (long and short name) and for the computer account itself (client01$). KVNO is the key version number; it changes whenever the machine password is rotated, and a KVNO that no longer matches the one in AD is a classic cause of failed logins.
<sxh bash>
klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-crc)
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-md5)
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (arcfour-hmac)
   2 host/client01@douglasqsantos.com.br (des-cbc-crc)
   2 host/client01@douglasqsantos.com.br (des-cbc-md5)
   2 host/client01@douglasqsantos.com.br (arcfour-hmac)
   2 client01$@douglasqsantos.com.br (des-cbc-crc)
   2 client01$@douglasqsantos.com.br (des-cbc-md5)
   2 client01$@douglasqsantos.com.br (arcfour-hmac)
</sxh>

Look at the encryption types as well. Single DES (des-cbc-crc, des-cbc-md5) is broken and is disabled by default in MIT Kerberos 1.8 and later (clients need allow_weak_crypto = true to use it), and RC4 (arcfour-hmac) is deprecated. If the domain controllers support AES (Windows Server 2008 and later do), make sure the computer account is allowed to use AES and re-create the keytab so that aes256-cts-hmac-sha1-96 keys are present; with only DES and RC4 keys, clients that refuse weak crypto cannot authenticate to this host at all.
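
The following is an added example, not part of the original page, that automates the two checks just discussed: it parses the output of **klist -ke** for keys with weak encryption types and verifies that the keytab file is not readable by group or others. The listing inside it is constructed to resemble the output above, with an AES entry added to show a healthy key; the list of enctypes treated as weak and the mode check are the assumptions it makes.

```sh
#!/bin/sh
# Added example (not from the original page): audit a keytab listing and the
# keytab file mode. weak_keys reads `klist -ke` output on stdin and prints
# every key whose enctype should no longer protect a host key; keytab_mode_ok
# checks that the file is readable by its owner only.

# Enctypes treated as weak: single DES is disabled by default since MIT
# Kerberos 1.8 (allow_weak_crypto); triple DES and RC4 (arcfour-hmac) are
# deprecated in current MIT releases.
WEAK_ENCTYPES='des-cbc-crc|des-cbc-md5|des-cbc-md4|des3-cbc-sha1|arcfour-hmac|arcfour-hmac-exp'

# weak_keys: stdin = `klist -ke` listing; stdout = "principal enctype" per
# weak key. Exit status 0 when at least one weak key was found, 1 otherwise.
weak_keys() {
    awk -v weak="^(${WEAK_ENCTYPES})\$" '
        # data lines look like "   2 host/x@REALM (des-cbc-crc)";
        # the header lines do not start with a number
        $1 ~ /^[0-9]+$/ && $3 ~ /^\(.*\)$/ {
            enc = substr($3, 2, length($3) - 2)   # strip the parentheses
            if (enc ~ weak) { print $2, enc; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# has_aes_key: exit 0 if the listing on stdin contains at least one AES key
has_aes_key() {
    grep -q '(aes'
}

# keytab_mode_ok FILE: true when group and others have no permission bits
# (the "------" part of the `ls -l` mode string). sshd reads the keytab as
# root, so 0600 root:root is all it needs.
keytab_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample listing, modelled on the output shown on this page; the
# AES line is added to show a healthy entry. Not real keytab contents.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-crc)
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (arcfour-hmac)
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (aes256-cts-hmac-sha1-96)
   2 client01$@douglasqsantos.com.br (des-cbc-md5)'

# audit_sample: count the weak keys in the sample listing (3 for the sample
# above); a hardening check should fail when this is not zero
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | weak_keys | grep -c ''
}

# Against a live host:
#   klist -ke | weak_keys && echo "weak keys present in /etc/krb5.keytab"
#   keytab_mode_ok /etc/krb5.keytab || echo "/etc/krb5.keytab is readable by others"
```

Run it on a joined host with **klist -ke | weak_keys** and **keytab_mode_ok /etc/krb5.keytab**; a non-empty list or a false return is a finding to fix before the host goes into production.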

Now try the ticket against the local ssh server. Note that -k does not select Kerberos: it only disables delegation of the credentials to the server. The ticket is used because GSSAPIAuthentication is enabled in ssh_config; -k simply keeps the TGT on the client side, which is the sensible choice for a test.
<sxh bash>
ssh -k client01
Linux client01 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 22 12:11:40 2014 from 172.31.0.245
douglas@client01:~$
</sxh>

No password was asked for. If the server does ask for one, run the client with -v to see which methods were offered and which one succeeded. In the output below gssapi-keyex is tried first and skipped ("No valid Key exchange context" means GSSAPI key exchange was not negotiated, because the client did not enable GSSAPIKeyExchange), and gssapi-with-mic then succeeds.
<sxh bash>
ssh -kv client01
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to client01 [172.31.0.93] port 22022.
debug1: Connection established.
debug1: identity file /home/douglas/.ssh/id_rsa type -1
debug1: identity file /home/douglas/.ssh/id_rsa-cert type -1
debug1: identity file /home/douglas/.ssh/id_dsa type -1
debug1: identity file /home/douglas/.ssh/id_dsa-cert type -1
debug1: identity file /home/douglas/.ssh/id_ecdsa type -1
debug1: identity file /home/douglas/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 23:77:e5:75:6f:9f:30:37:5d:ca:66:c4:b0:ce:94:82
debug1: Host '[client01]:22022' is known and matches the ECDSA host key.
debug1: Found key in /home/douglas/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to client01 ([172.31.0.93]:22022).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_PAPER = pt_BR.UTF-8
debug1: Sending env LC_ADDRESS = pt_BR.UTF-8
debug1: Sending env LC_MONETARY = pt_BR.UTF-8
debug1: Sending env LC_NUMERIC = pt_BR.UTF-8
debug1: Sending env LC_TELEPHONE = pt_BR.UTF-8
debug1: Sending env LC_MESSAGES = pt_BR.UTF-8
debug1: Sending env LC_COLLATE = pt_BR.UTF-8
debug1: Sending env LC_IDENTIFICATION = pt_BR.UTF-8
debug1: Sending env LANG = pt_BR.UTF-8
debug1: Sending env LC_MEASUREMENT = pt_BR.UTF-8
debug1: Sending env LC_CTYPE = pt_BR.UTF-8
debug1: Sending env LC_TIME = pt_BR.UTF-8
debug1: Sending env LC_NAME = pt_BR.UTF-8
Linux client01 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 22 12:16:01 2014 from client01.douglasqsantos.com.br
douglas@client01:~$
</sxh>

The procedure used on this page for reaching other machines with the ticket is to add each machine's host principal to the local keytab with the command below, run as root.

**Note:** The machine being added must be a member of the domain, like the one we have just configured.
<sxh bash>
net ads keytab add host/client02.douglasqsantos.com.br@douglasqsantos.com.br
</sxh>

Before doing this on every host, consider what Kerberos actually needs. When you ssh to client02, the KDC issues you a service ticket for host/client02.douglasqsantos.com.br, and client02 decrypts it with the key in its own /etc/krb5.keytab, which it received when it joined the domain. The keytab on client01 is consulted only when client01 is the server; as a client it needs nothing but a valid TGT. Also be aware that, depending on the Samba version, **net ads keytab add** registers the principal as a servicePrincipalName on this machine's computer account in AD, and a host/ SPN that exists on two computer objects leaves the KDC unable to choose the right key, so logins to the real host start failing. If passwordless logins to client02 only work after this step, check client02's own keytab, its forward and reverse DNS records and its clock first, and verify with **klist** which service ticket the client obtained.

After the command, the keytab contains the new entries.
<sxh bash>
klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-crc)
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-md5)
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (arcfour-hmac)
   2 host/client01@douglasqsantos.com.br (des-cbc-crc)
   2 host/client01@douglasqsantos.com.br (des-cbc-md5)
   2 host/client01@douglasqsantos.com.br (arcfour-hmac)
   2 client01$@douglasqsantos.com.br (des-cbc-crc)
   2 client01$@douglasqsantos.com.br (des-cbc-md5)
   2 client01$@douglasqsantos.com.br (arcfour-hmac)
   2 host/client02.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-crc)
   2 host/client02.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-md5)
   2 host/client02.douglasqsantos.com.br@douglasqsantos.com.br (arcfour-hmac)
</sxh>

Three new lines, one per encryption type, now refer to the new host.

Log in again with the domain user and test the connection to the new host.

**Note:** since the keytab has just changed, log out and in again so that a fresh ticket cache is used.
<sxh bash>
ssh douglas@172.31.0.93 -p 22022
Password:
Linux client01 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 22 12:16:42 2014 from client01.douglasqsantos.com.br
douglas@client01:~$
</sxh>

List the Kerberos tickets.
<sxh bash>
klist
Ticket cache: FILE:/tmp/krb5cc_10001_VDoRbW
Default principal: douglas@douglasqsantos.com.br

Valid starting       Expires              Service principal
22-08-2014 12:21:32  22-08-2014 22:21:32  krbtgt/douglasqsantos.com.br@douglasqsantos.com.br
  renew until 23-08-2014 12:21:32
</sxh>

Now ssh to the host we have just added (again with -k, so the TGT is not delegated to it).
<sxh bash>
ssh -k client02.douglasqsantos.com.br
Linux client02 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 22 10:51:52 2014 from 172.31.0.245
douglas@client02:~$
</sxh>

No password is requested because the Kerberos ticket is used.

Check auth.log on client02 to see what happened on the server side: sshd maps the Kerberos principal to the local user (krb5_kuserok), the PAM account restriction lets the user in because it is in the sudo group, and the gssapi-with-mic method is accepted.
<sxh bash>
tail -f /var/log/auth.log
[...]
Aug 22 12:23:34 client02 sshd[21997]: Authorized to douglas, krb5 principal douglas@douglasqsantos.com.br (krb5_kuserok)
Aug 22 12:23:34 client02 sshd[21997]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas"
Aug 22 12:23:34 client02 sshd[21997]: pam_succeed_if(sshd:account): requirement "user ingroup sudo" was met by user "douglas"
Aug 22 12:23:34 client02 sshd[21997]: Accepted gssapi-with-mic for douglas from 172.31.0.93 port 60524 ssh2
Aug 22 12:23:34 client02 sshd[21997]: pam_unix(sshd:session): session opened for user douglas by (uid=0)
</sxh>

The authorisation came from the Kerberos ticket. krb5_kuserok accepts a principal for a local account when the principal's name matches the account, or when the principal is listed in that account's ~/.k5login; review those files on hosts where they exist, because they let one principal log in as a different local user.
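
As an added example (not from the original page), the detection below runs over auth.log lines of the shape shown above and reports every GSSAPI login where the local account differs from the user part of the Kerberos principal, which is what a ~/.k5login mapping or a misconfigured mapping rule looks like in the logs. The lines in SAMPLE_LOG are constructed for the example; the sshd message formats are the ones shown on this page.

```sh
#!/bin/sh
# Added example (not from the original page): pull Kerberos (GSSAPI) SSH
# logins out of auth.log and flag the ones where the authorised local account
# is not the user part of the Kerberos principal. sshd logs those two facts
# on separate lines; they are joined here by the sshd pid.

# Constructed sample, modelled on the lines shown above; not real log data.
SAMPLE_LOG='Aug 22 12:23:34 client02 sshd[21997]: Authorized to douglas, krb5 principal douglas@douglasqsantos.com.br (krb5_kuserok)
Aug 22 12:23:34 client02 sshd[21997]: Accepted gssapi-with-mic for douglas from 172.31.0.93 port 60524 ssh2
Aug 22 12:23:34 client02 sshd[21997]: pam_unix(sshd:session): session opened for user douglas by (uid=0)
Aug 22 12:30:01 client02 sshd[22010]: Authorized to root, krb5 principal mallory@douglasqsantos.com.br (krb5_kuserok)
Aug 22 12:30:01 client02 sshd[22010]: Accepted gssapi-with-mic for root from 172.31.0.50 port 40001 ssh2
Aug 22 12:31:12 client02 sshd[22020]: Accepted password for douglas from 172.31.0.245 port 50123 ssh2'

# gssapi_logins: auth.log on stdin; prints "user principal source-ip" for
# each accepted gssapi-with-mic login. Password logins are ignored.
gssapi_logins() {
    awk '
        # "... sshd[PID]: Authorized to USER, krb5 principal PRINC (krb5_kuserok)"
        /Authorized to .*, krb5 principal / {
            pid = $5; gsub(/[^0-9]/, "", pid)
            princ[pid] = $11
        }
        # "... sshd[PID]: Accepted gssapi-with-mic for USER from IP port N ssh2"
        /Accepted gssapi-with-mic for / {
            pid = $5; gsub(/[^0-9]/, "", pid)
            print $9, (pid in princ ? princ[pid] : "?"), $11
            delete princ[pid]   # pids get reused; never pair across sessions
        }'
}

# mismatched_logins: the subset of gssapi_logins where the local user differs
# from the principal name before the "@" (an unknown principal, "?", counts)
mismatched_logins() {
    gssapi_logins | awk '{ split($2, p, "@"); if (p[1] != $1) print }'
}

# Live use: mismatched_logins < /var/log/auth.log
```

The pairing by pid is the important detail: the "Authorized to" line carries the principal and the "Accepted" line carries the local user and source address, and only the pid ties them together within one sshd session.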

sudo does not accept the session's Kerberos ticket as proof of identity; it re-authenticates through PAM and would ask for the password again. To avoid that, the sudo group is given NOPASSWD. This is a real trade-off: anyone who obtains a session as a sudo-group user (through a delegated ticket, an unattended terminal or a stolen ticket cache) becomes root without any further check. Edit sudoers with visudo, which validates the syntax before saving; a syntax error in this file disables sudo for everyone.
<sxh bash>
visudo
[...]
#Comment the line below.
#%sudo  ALL=(ALL:ALL) ALL
#Add the following line
%sudo ALL = NOPASSWD: ALL
</sxh>

Create a directory for the scripts.
<sxh bash>
mkdir /srv/scripts
</sxh>

The following script keeps the keytab up to date from a central list of hosts. It needs a dedicated domain account (here named kerberos) to obtain a ticket; store that account's password in /etc/krb5-updater.pw, owned by root with mode 600, rather than in the script itself. A password written into a script that every local user can read hands the account to all of them.
<sxh bash>
vim /srv/scripts/update-kerberos-database.sh
#!/bin/bash
# Adds the host principals listed in hosts.txt to the local keytab.
# Runs from cron as root.
set -eu

HOSTNAME=$(hostname -f)
REALM="douglasqsantos.com.br"
FILE="http://www.douglasqsantos.com.br/Downloads/hosts.txt"
KRB_USER="kerberos"
# root-only file (mode 600) holding the password of ${KRB_USER}
PASSWORD_FILE="/etc/krb5-updater.pw"

TMP=$(mktemp)
# remove the downloaded list and the ticket on every exit path
trap 'rm -f "$TMP"; kdestroy 2>/dev/null || true' EXIT

kdestroy 2>/dev/null || true
# kinit reads the password from stdin when stdin is not a terminal
kinit "$KRB_USER" < "$PASSWORD_FILE"

wget -q -O "$TMP" "$FILE"
while IFS= read -r principal || [ -n "$principal" ]; do
    [ -z "$principal" ] && continue
    # this host's own principal is already in the keytab from the join
    [ "$principal" = "host/${HOSTNAME}@${REALM}" ] && continue
    net ads keytab add "$principal"
done < "$TMP"
</sxh>

Create the list on the web server, one principal per line.
<sxh bash>
vim /var/www/wiki/Downloads/hosts.txt
host/bkp01.douglasqsantos.com.br@douglasqsantos.com.br
host/dns01.douglasqsantos.com.br@douglasqsantos.com.br
host/mtz01.douglasqsantos.com.br@douglasqsantos.com.br
host/vpn01.douglasqsantos.com.br@douglasqsantos.com.br
host/fw01.douglasqsantos.com.br@douglasqsantos.com.br
</sxh>

This assumes the document root of the web server is /var/www/wiki, so the file is served as http://www.douglasqsantos.com.br/Downloads/hosts.txt. Be aware of what that URL is worth: the script trusts whatever it receives, so anyone who can tamper with the web server or with the network path (the fetch is plain http) can make every machine that runs the script add arbitrary principals to its keytab. Serve the list over https from a host you control, or distribute it through your configuration management instead of fetching it.
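
As an added example (not part of the original page or its script), the functions below validate the lines of hosts.txt before they reach **net ads keytab add**: only principals of the form host/NAME.DOMAIN@REALM for the realm and DNS domain used on this page are accepted, and anything else is reported and dropped. REALM and DOMAIN are assumptions taken from this page; the input lines in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): validate the principals in
# hosts.txt before they are handed to `net ads keytab add`. Whoever controls
# the download otherwise decides what goes into the keytab, so only
# well-formed host/ principals for machines inside our own DNS domain and
# realm are accepted. REALM and DOMAIN use the values from this page.

REALM='douglasqsantos.com.br'
DOMAIN='douglasqsantos.com.br'

# valid_host_principal PRINCIPAL
# Accepts exactly host/<label>.<DOMAIN>@<REALM>, where <label> is a single
# hostname label (letters, digits, inner hyphens). Rejects other service
# types, other realms, hosts outside DOMAIN and multi-label names.
valid_host_principal() {
    case "$1" in
        host/*@"$REALM") ;;
        *) return 1 ;;
    esac
    fqdn=${1#host/}
    fqdn=${fqdn%@*}
    case "$fqdn" in
        *."$DOMAIN") ;;
        *) return 1 ;;
    esac
    label=${fqdn%."$DOMAIN"}
    printf '%s' "$label" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# filter_principals: hosts.txt on stdin; accepted lines on stdout, rejected
# lines reported on stderr, blank lines and this host's own principal skipped.
filter_principals() {
    self="host/$(hostname -f 2>/dev/null || hostname)@$REALM"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF files
        [ -z "$line" ] && continue
        [ "$line" = "$self" ] && continue
        if valid_host_principal "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected: %s\n' "$line" >&2
        fi
    done
}

# In the update script, replacing the unvalidated loop:
#   filter_principals < "$TMP" | while IFS= read -r p; do net ads keytab add "$p"; done
```

Rejected lines go to stderr, so cron mails them to root; a rejection is a sign that either the list has a typo or something upstream of the fetch has been tampered with.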

Make the script executable by root only; it handles credentials.
<sxh bash>
chmod 700 /srv/scripts/update-kerberos-database.sh
</sxh>

**Note:** for every new server added to the domain, update hosts.txt at http://www.douglasqsantos.com.br/Downloads/hosts.txt; in vim, **:sort u** sorts the file and removes duplicate lines.

Schedule the script with cron, every 8 hours.
<sxh bash>
crontab -e
[...]
0 */8     *       *       *        /srv/scripts/update-kerberos-database.sh
</sxh>

Run it once by hand to check that it works.
<sxh bash>
/srv/scripts/update-kerberos-database.sh
</sxh>

**Note:** to use the updated keytab, destroy the current ticket with **kdestroy** and obtain a new one with **kinit**.

====== Authentication problems ======

  - Check the date and time on the server and on the domain controller: Kerberos rejects requests when the clocks differ by more than the permitted skew (5 minutes by default). To resync, run **ntpdate -u 192.168.1.250** if the domain controller is 192.168.1.250.
  - Check the connection between the server and the domain controller with **wbinfo -t**; it must report **succeeded**.
  - Check that all the packages listed above are installed and nothing is missing.
  - Check the hosts in the keytab with **klist -ke**; only the servers present in the local keytab are listed.
  - Check the **ssh_config** and **sshd_config** settings.
  - Check DNS resolution: Kerberos and Samba use DNS to find the domain controller and the KDC.
  - If the machine has to be removed from the domain, use **net ads leave -U user**, check in AD that the computer account is gone, and join again.
  - When removing a machine from the domain, also remove **/etc/krb5.keytab**; it is generated again when the machine rejoins.
  - If the machine was migrated from another site or restored from a backup, check that **/etc/hosts** still has the right data.

Leaving the domain:
<sxh bash>
net ads leave -U douglas
</sxh>

Removing the keytab:
<sxh bash>
rm -f /etc/krb5.keytab
</sxh>

Obtain a new ticket for the user douglas.
<sxh bash>
kinit douglas
</sxh>

Join the machine to the domain again.
<sxh bash>
net ads join createupn=host/client01.douglasqsantos.com.br@douglasqsantos.com.br -S dc01.douglasqsantos.com.br -k
</sxh>

Restrict the new keytab to root; sshd and winbind read it as root and nobody else needs it.
<sxh bash>
chown root:root /etc/krb5.keytab
chmod 600 /etc/krb5.keytab
</sxh>

Restart winbind and samba.
<sxh bash>
/etc/init.d/winbind restart
/etc/init.d/samba restart
</sxh>

Check the connection to the domain.
<sxh bash>
wbinfo -t
checking the trust secret for domain DOUGLASQSANTOS via RPC calls succeeded
</sxh>

Update the keytab with the other hosts.
<sxh bash>
/srv/scripts/update-kerberos-database.sh
</sxh>