Setting up LDAP and Kerberos Client Authentication on RHEL 7 (using nslcd)

We are going to configure a RHEL 7 system to authenticate against FreeIPA using LDAP/Kerberos.

Prerequisites

To get Kerberos running, NTP synchronisation and DNS resolution must be working.

We are going to use the FreeIPA server which we set up previously. Check this post for how to set up a FreeIPA server on RHEL 7.

Configure LDAP Authentication

We use a RHEL 7.0 server (instructions were also tested on a RHEL 7.2) with SELinux set to enforcing mode.

DNS is configured to point to the FreeIPA server:

# cat /etc/resolv.conf
search rhce.local
nameserver 10.8.8.70
# host 10.8.8.70
70.8.8.10.in-addr.arpa domain name pointer ipa.rhce.local.

Installation

# yum install -y nscd nss-pam-ldapd wget

Download the CA certificate from the IPA server to our local server:

# mkdir /etc/openldap/cacerts
# wget -P /etc/openldap/cacerts/ ftp://ipa.rhce.local/pub/cacert.p12

Configuration

These are the defaults; leave them unchanged:

# egrep -i "sssd|lega" /etc/sysconfig/authconfig
USESSSDAUTH=no
FORCELEGACY=no
USESSSD=yes

Ensure the nslcd service is enabled:

# systemctl enable nslcd

Run authconfig in text mode:

# authconfig-tui

In User Information, select Use LDAP, and under Authentication, select Use LDAP Authentication. In the LDAP Settings screen, select Use TLS and specify the following:

Server: ipa.rhce.local
Base DN: dc=rhce,dc=local

Open /etc/nslcd.conf and add the following line to allow self-signed certificates to be used:

tls_reqcert never

Restart the nslcd service:

# systemctl restart nslcd

Verify by logging in as an LDAP user:

# su - alice
su: warning: cannot change directory to /home/alice: No such file or directory
$ id
uid=1219400005(alice) gid=1219400005(alice) groups=1219400005(alice) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
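The tls_reqcert never line added above makes nslcd accept any certificate the LDAP server presents, so the CA downloaded earlier is never actually consulted (a commenter below points this out). As an added example, not from the original post, here is a small audit function that flags that setting, run against two constructed nslcd.conf samples: the post's configuration and a hardened one that pins the IPA CA (the PEM path /etc/openldap/cacerts/ipa-ca.crt is an assumption; the post fetches cacert.p12).

```shell
#!/bin/sh
# Added example (not from the original post): audit an nslcd.conf for the
# "tls_reqcert never" setting, which makes nslcd skip peer certificate
# verification, and show the hardened equivalent. The CA file path used in
# the hardened sample is assumed, not taken from the post.

# Return 0 when nslcd will verify the LDAP server certificate, 1 otherwise.
# $1 = path to an nslcd.conf-style file.
nslcd_tls_ok() {
    # Take the last uncommented tls_reqcert value; only demand/hard verify the peer.
    reqcert=$(awk 'tolower($1) == "tls_reqcert" { v = tolower($2) } END { print v }' "$1")
    # A verifying mode is useless without a trust anchor to verify against.
    anchors=$(awk 'tolower($1) ~ /^tls_cacert(file|dir)$/ { n++ } END { print n + 0 }' "$1")
    case "$reqcert" in
        demand|hard) [ "$anchors" -gt 0 ] && return 0 ;;
    esac
    return 1
}

weak=$(mktemp); strong=$(mktemp)
trap 'rm -f "$weak" "$strong"' EXIT

# Constructed sample: what the post's steps produce (certificate never checked).
cat > "$weak" <<'EOF'
uri ldap://ipa.rhce.local/
base dc=rhce,dc=local
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_reqcert never
EOF

# Constructed sample: the peer certificate must chain to the (assumed) IPA CA file.
cat > "$strong" <<'EOF'
uri ldap://ipa.rhce.local/
base dc=rhce,dc=local
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/ipa-ca.crt
EOF

for f in "$weak" "$strong"; do
    if nslcd_tls_ok "$f"; then echo "$f: server certificate is verified"
    else echo "$f: server certificate is NOT verified"; fi
done
```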

Configure Kerberos Authentication

Installation

# yum install -y pam_krb5 krb5-workstation

Configuration

I found it helpful to empty /etc/krb5.conf when configuring Kerberos authentication from scratch:

# > /etc/krb5.conf

Run authconfig in text mode:

# authconfig-tui

On the Authentication Configuration screen, under Authentication, select Use Kerberos to enable Kerberos authentication. In the LDAP Settings screen, do not change anything. In the Kerberos Settings screen, specify the following:

Realm: RHCE.LOCAL
KDC: ipa.rhce.local
Admin Server: ipa.rhce.local

Obtain a Kerberos ticket for the user alice:

# kinit alice

Verify the ticket:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: alice@RHCE.LOCAL

Valid starting     Expires            Service principal
07/05/16 11:21:27  08/05/16 11:21:25  krbtgt/RHCE.LOCAL@RHCE.LOCAL

For reference, this is the resulting /etc/krb5.conf:

# cat /etc/krb5.conf
[libdefaults]
 default_realm = RHCE.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 RHCE.LOCAL = {
  kdc = ipa.rhce.local
  admin_server = ipa.rhce.local
 }

[domain_realm]
 rhce.local = RHCE.LOCAL
 .rhce.local = RHCE.LOCAL
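The file above sets dns_lookup_kdc = false, so kinit relies entirely on the [realms] entry to find the KDC; drop that kdc line and kinit fails with "Cannot find KDC for realm". As an added example (not from the original post), this shell function checks a krb5.conf for that dependency and for a [domain_realm] mapping to the default realm, using a constructed copy of the file above and a deliberately broken copy.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a krb5.conf such as
# the one shown above. With dns_lookup_kdc = false, kinit can only locate the
# KDC if the default realm has an explicit "kdc =" line under [realms]; this
# catches that, and a missing [domain_realm] mapping, before the first kinit.
# $1 is the path of the file to check; exit status 0 means the file is usable.
krb5_conf_ok() {
    awk '
        /^[ \t]*#/ { next }                                    # comments
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[^a-z_]/, "", sec); next }
        sec == "libdefaults" && $1 == "default_realm"  { realm = $3 }
        sec == "libdefaults" && $1 == "dns_lookup_kdc" { dnskdc = tolower($3) }
        sec == "realms" && $2 == "=" && $3 == "{"      { cur = $1 }   # REALM = {
        sec == "realms" && $1 == "}"                   { cur = "" }
        sec == "realms" && $1 == "kdc" && cur != ""    { kdc[cur]++ }
        sec == "domain_realm" && $2 == "="             { mapped[$3]++ }
        END {
            if (realm == "") { print "FAIL: no default_realm"; exit 1 }
            if (dnskdc != "true" && !(realm in kdc)) {
                print "FAIL: no kdc for " realm " and dns_lookup_kdc is not true"; exit 1
            }
            if (!(realm in mapped)) { print "FAIL: nothing in [domain_realm] maps to " realm; exit 1 }
            print "OK: " realm
        }' "$1"
}

# Constructed sample matching the configuration in the post.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
[libdefaults]
 default_realm = RHCE.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 RHCE.LOCAL = {
  kdc = ipa.rhce.local
  admin_server = ipa.rhce.local
 }
[domain_realm]
 rhce.local = RHCE.LOCAL
 .rhce.local = RHCE.LOCAL
EOF
# Same file with the kdc line dropped: kinit would fail with "Cannot find KDC".
grep -v '^[[:space:]]*kdc' "$good" > "$bad"

krb5_conf_ok "$good"
krb5_conf_ok "$bad" || echo "(expected failure for the broken copy)"
```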

Test Kerberos Configuration

# su - alice
su: warning: cannot change directory to /home/alice: No such file or directory
$ hostname
srv1.rhce.local
$ kinit
Password for alice@RHCE.LOCAL:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1219400005
Default principal: alice@RHCE.LOCAL

Valid starting     Expires            Service principal
07/05/16 11:25:26  08/05/16 11:25:23  krbtgt/RHCE.LOCAL@RHCE.LOCAL

We should now be able to SSH to the IPA server without being asked for a password:

$ ssh ipa.rhce.local
Could not create directory '/home/alice/.ssh'.
[...]
Could not chdir to home directory /home/alice: No such file or directory
$ hostname
ipa.rhce.local

21 thoughts on “Setting up LDAP and Kerberos Client Authentication on RHEL 7 (using nslcd)”

  1. Good day @tomas, I have managed to make Kerberos authentication work against FreeIPA and everything checks out very well, except I have one other worry.

    Using the yum pam_krb5 krb5-workstation way ... my clients are able to authenticate nicely with no problems. The issue is that the host principal is not automatically added under the hosts tab when you do the authconfig-tui, that is, if I open the FreeIPA web access.

    Which leads me to think that, in the RHCE exam, there might be 2 ways to do it:
    1) add the host and nfs principals using ktadd, or
    2) the host and nfs principals already exist in the FreeIPA server, so all one needs is to configure the client to authenticate.

    I am using FreeIPA 4.2

  2. Thanks for the nice post. I followed both of your articles, this one and the previous one about setting up FreeIPA. Everything worked fine as mentioned in the post. The only thing I find different is that when I log in with an IPA user and issue the “hostname” command, it shows “localhost.localdomain”, not my IPA server's name.
    Any idea why?

    • I have created a user ‘rumi’. On the server, as user ‘rumi’, when I issue the ‘hostname’ command I see ipa.example.com, but on the client, as user rumi, when I use the hostname command I see localhost.localdomain.

    • Nope, I have not touched the hostname on the client. I only edited the /etc/hosts file to point to the IPA server IP.

    • Oh, my mistake. I thought I was supposed to see the hostname of the host the IPA user logged into, not the host from which he logged in. Thanks for the help.

    • Now I am again confused after your comment. From what I understand, I have logged into the FreeIPA server from the client machine using a user created on the server (no SSH). What am I supposed to see?

    • Here is how the whole setup is going:
      They both run as VMs through VirtualBox (bridged networking).
      They are on the LAN 192.168.8.0/24. I have set up the server and the client as you described (all the same commands) in the post. The only difference is that I have used example.com instead of rhce.local.
      In the client machine I have edited /etc/resolv.conf to look like yours in the post. Now I have booted the client machine into the multi-user target and logged in on the console as user ‘rumi’, which is not a local account on this machine but a user created in the FreeIPA server.
      Now I use the hostname command; what am I supposed to see, the IPA server hostname or the client hostname?

    • All looks good, you configured your client machine for LDAP authentication. When you log into the client machine, you use an LDAP user (and not a local user, as you mentioned). However, you still log into the client VM and not the FreeIPA VM.

  3. Here is the screenshot of my console.

    And one more thing, how do I make the content of /etc/resolv.conf permanent? I mean, will the changes I make stay after a reboot?
    Thanks

    • You can instruct NetworkManager to stop modifying DNS settings by placing dns=none into /etc/NetworkManager/NetworkManager.conf.

      Or you can use a big hammer if truly desperate:

      # chattr +i /etc/resolv.conf

  4. Tomas,
    If you set tls_reqcert to never, then the server certificate is never checked. The config will work even without copying the server certificate.
    Thanks.

  5. Tomas,

    Is it expected that, after the actions described in this article, I will be able to connect from one Kerberos client to another Kerberos client via SSH without a password?
    For example, I have ipa.example.com, krbclient1.example.com and krbclient2.example.com.
    After all the actions described in the article, I can connect to ipa.example.com from either of these two clients (like you wrote in the article). However, when I try to connect from one client to the other, a password is still prompted for.

    By the way, thank you for your articles!

    Thanks
