Setting up LDAP and Kerberos Client Authentication on RHEL 7 (using sssd)

We are going to configure a RHEL 7 system to authenticate against FreeIPA using LDAP/Kerberos.

Prerequisites

To get Kerberos running, NTP synchronisation and DNS resolution must be working: the KDC rejects requests whose timestamp is more than five minutes (the default clockskew) away from its own clock, and the client has to resolve ipa.rhce.local (forward and reverse) through DNS.

We are going to use the FreeIPA server which we set up previously. Check this post for how to set up a FreeIPA server on RHEL 7.

SSSD

The System Security Services Daemon (SSSD) provides access to different identity and authentication providers.

Local services (NSS lookups such as id, and PAM authentication) talk only to SSSD's local cache; SSSD fills that cache from one or more remote providers, which can be an LDAP directory, an Identity Management (FreeIPA) domain or a Kerberos realm. Because the cache is local, lookups keep working and cached credentials can still authenticate users while the provider is unreachable (cache_credentials = True in the configuration below).

Configure LDAP Authentication

We use a RHEL 7.0 server (the instructions were also tested on RHEL 7.2) with SELinux in enforcing mode.

DNS is configured to point to the FreeIPA server:

# cat /etc/resolv.conf
search rhce.local
nameserver 10.8.8.70
# host 10.8.8.70
70.8.8.10.in-addr.arpa domain name pointer ipa.rhce.local.

Installation

# yum install -y sssd nss-pam-ldapd wget

Copy the IPA CA certificate to the client. SSSD uses the OpenLDAP client libraries, which expect a PEM-encoded CA certificate; on the IPA server that file is /etc/ipa/ca.crt. The cacert.p12 served from ftp://ipa.rhce.local/pub/ is a PKCS#12 bundle and cannot be used as a trust anchor from ldap_tls_cacertdir, so fetch the PEM file instead (via scp here; if you prefer the ftp share, copy /etc/ipa/ca.crt into /var/ftp/pub on the IPA server first):

# mkdir /etc/openldap/cacerts
# scp root@ipa.rhce.local:/etc/ipa/ca.crt /etc/openldap/cacerts/ca.crt

Configuration

Open the file /etc/sysconfig/authconfig and ensure the following are set:

USESSSDAUTH=yes
FORCELEGACY=no
USESSSD=yes

Once done, run the authconfig utility.

# authconfig-tui

In User Information, select Use LDAP, and under Authentication, select Use LDAP Authentication. In the LDAP Settings screen, select Use TLS (this enables StartTLS on the standard port 389; the generated sssd.conf gets ldap_id_use_start_tls = True) and specify the following:

Server: ipa.rhce.local
Base DN: dc=rhce,dc=local

Open /etc/sssd/sssd.conf. authconfig has written ldap_tls_cacertdir = /etc/openldap/cacerts, and OpenLDAP only finds a CA certificate in that directory through a hashed symlink (created by cacertdir_rehash or c_rehash), which, as the comments below report, authconfig-tui does not reliably create; without a usable trust anchor the StartTLS handshake fails under the default ldap_tls_reqcert = demand. The quick lab workaround used in this post is to add:

ldap_tls_reqcert = never

Be clear about what that does: the client still negotiates StartTLS, but it no longer verifies the server certificate, so anyone able to redirect traffic for ipa.rhce.local can impersonate the directory and feed the client arbitrary uid, gid and group data. Do not use it outside a lab. The proper fix is to keep the default (demand) and point SSSD straight at a PEM copy of the IPA CA certificate (/etc/ipa/ca.crt on the IPA server), saved here as /etc/openldap/cacerts/ca.crt, which needs no hash link:

ldap_tls_cacert = /etc/openldap/cacerts/ca.crt

Check man sssd-ldap for the other ldap_tls_* options.

Make sure nslcd is disabled, and sssd enabled:

# systemctl stop nslcd; systemctl disable nslcd
# systemctl enable sssd; systemctl restart sssd

Verify by switching to an LDAP user (the su warning is only about the missing home directory; the uid, gid and group membership come from the directory):

# su - alice
su: warning: cannot change directory to /home/alice: No such file or directory
$ id
uid=1219400005(alice) gid=1219400005(alice) groups=1219400005(alice) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
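As an added check that is not part of the original post, the shell snippet below audits an sssd.conf for the LDAP transport settings discussed in this section. It treats a cleartext ldap:// URI without StartTLS, and ldap_tls_reqcert set to never or allow, as failures, and warns when the configured ldap_tls_cacertdir carries no hashed symlink for the CA. The two sample configurations and the placeholder ca.crt are constructed for the demonstration, and the function names sssd_get and audit_sssd_ldap_tls are this example's own. On a real host run audit_sssd_ldap_tls /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sssd.conf for LDAP
# transport settings that leave the identity channel unauthenticated.
# Assumptions: the keys are those the post uses (ldap_uri,
# ldap_id_use_start_tls, ldap_tls_reqcert, ldap_tls_cacert, ldap_tls_cacertdir);
# the two sample files and the placeholder ca.crt are constructed for the demo.

# Print the value of key $2 in file $1 (first match, whitespace stripped).
sssd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Return 0 when the LDAP channel is encrypted AND the server is authenticated;
# print one line per finding, and return 1 if any finding is a FAIL.
audit_sssd_ldap_tls() {
    conf=$1
    rc=0
    uri=$(sssd_get "$conf" ldap_uri)
    starttls=$(sssd_get "$conf" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    reqcert=$(sssd_get "$conf" ldap_tls_reqcert | tr 'A-Z' 'a-z')
    cacert=$(sssd_get "$conf" ldap_tls_cacert)
    cacertdir=$(sssd_get "$conf" ldap_tls_cacertdir)

    # 1. Encryption: ldaps:// or StartTLS on ldap://, otherwise user and group
    #    data (and any simple bind) cross the network in cleartext.
    case "$uri" in
        ldaps://*) ;;
        *) [ "$starttls" = true ] ||
               { echo "FAIL: $uri without ldap_id_use_start_tls = True"; rc=1; } ;;
    esac

    # 2. Server authentication: never/allow accept any certificate, so TLS only
    #    hides traffic from a passive observer. The sssd default is demand.
    case "${reqcert:-demand}" in
        never|allow) echo "FAIL: ldap_tls_reqcert = $reqcert skips certificate verification"; rc=1 ;;
        try)         echo "WARN: ldap_tls_reqcert = try lets the server omit its certificate" ;;
        demand|hard) ;;
        *)           echo "FAIL: unknown ldap_tls_reqcert value '$reqcert'"; rc=1 ;;
    esac

    # 3. Trust anchor: a readable CA file, or a cacertdir carrying the hashed
    #    symlinks (xxxxxxxx.0) OpenLDAP needs to locate a CA by subject.
    if [ -n "$cacert" ]; then
        [ -r "$cacert" ] || { echo "FAIL: ldap_tls_cacert = $cacert is not readable"; rc=1; }
    elif [ -n "$cacertdir" ]; then
        ls "$cacertdir" 2>/dev/null | grep -q '^[0-9a-f]\{8\}\.[0-9]$' ||
            echo "WARN: $cacertdir has no hashed CA symlink (run cacertdir_rehash) or set ldap_tls_cacert"
    else
        echo "WARN: no ldap_tls_cacert/ldap_tls_cacertdir; trust relies on the system CA store"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# --- constructed samples -----------------------------------------------------
WORK=$(mktemp -d "${TMPDIR:-/tmp}/sssd-audit.XXXXXX")
mkdir "$WORK/cacerts"
# Placeholder standing in for the IPA CA (/etc/ipa/ca.crt on the IPA server);
# the audit only tests that the configured path is readable.
printf 'placeholder, not a real certificate\n' > "$WORK/cacerts/ca.crt"

# Sample 1: what this post ends up with (StartTLS, but any certificate accepted;
# the cacerts directory has the file but no hashed symlink).
WEAK_CONF=$WORK/sssd-weak.conf
cat > "$WEAK_CONF" <<EOF
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_search_base = dc=rhce,dc=local
ldap_uri = ldap://ipa.rhce.local/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = $WORK/cacerts
ldap_tls_reqcert = never
EOF

# Sample 2: same domain, CA pinned by file, sssd's default reqcert kept.
HARD_CONF=$WORK/sssd-hardened.conf
cat > "$HARD_CONF" <<EOF
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_search_base = dc=rhce,dc=local
ldap_uri = ldap://ipa.rhce.local/
ldap_id_use_start_tls = True
ldap_tls_cacert = $WORK/cacerts/ca.crt
ldap_tls_reqcert = demand
EOF

audit_sssd_ldap_tls "$WEAK_CONF" || true   # FAIL (reqcert never) + WARN (no hash link)
audit_sssd_ldap_tls "$HARD_CONF"           # OK
```

The audit only reads the file; it does not open a connection, so it cannot tell you whether the certificate the server actually presents chains to the configured CA. For that, run the same check that SSSD performs: openssl s_client -starttls ldap -CAfile /etc/openldap/cacerts/ca.crt -connect ipa.rhce.local:389 and look for "Verify return code: 0 (ok)".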

Configure Kerberos Authentication

Installation

# yum install -y pam_krb5 krb5-workstation

Configuration

Starting from an empty /etc/krb5.conf makes it easy to see exactly what authconfig writes, so when configuring Kerberos authentication from scratch I truncate the file first:

# > /etc/krb5.conf

Run authconfig in text mode:

# authconfig-tui

On the Authentication Configuration screen, under Authentication, select Use Kerberos to enable Kerberos authentication. Leave the LDAP Settings screen unchanged. In the Kerberos Settings screen, specify the following:

Realm: RHCE.LOCAL
KDC: ipa.rhce.local
Admin Server: ipa.rhce.local

Obtain a ticket-granting ticket for the user alice:

# kinit alice

Verify the ticket:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: alice@RHCE.LOCAL

Valid starting     Expires            Service principal
07/05/16 11:21:27  08/05/16 11:21:25  krbtgt/RHCE.LOCAL@RHCE.LOCAL

The resulting configuration files, for reference:

# cat /etc/krb5.conf
[libdefaults]
 default_realm = RHCE.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 RHCE.LOCAL = {
  kdc = ipa.rhce.local
  admin_server = ipa.rhce.local
 }

[domain_realm]
 rhce.local = RHCE.LOCAL
 .rhce.local = RHCE.LOCAL

# cat /etc/sssd/sssd.conf
[domain/default]

autofs_provider = ldap
cache_credentials = True
krb5_realm = RHCE.LOCAL
ldap_search_base = dc=rhce,dc=local
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://ipa.rhce.local/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
krb5_server = ipa.rhce.local
krb5_store_password_if_offline = True
krb5_kpasswd = ipa.rhce.local
[sssd]
services = nss, pam, autofs
config_file_version = 2

domains = default
[...]

Test Kerberos Configuration

# su - alice
su: warning: cannot change directory to /home/alice: No such file or directory
$ hostname
srv2.rhce.local
$ kinit
Password for alice@RHCE.LOCAL:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1219400005
Default principal: alice@RHCE.LOCAL

Valid starting     Expires            Service principal
07/05/16 12:04:44  08/05/16 12:04:42  krbtgt/RHCE.LOCAL@RHCE.LOCAL

With the TGT in the cache, ssh to the IPA server should authenticate through GSSAPI without asking for a password. RHEL's stock /etc/ssh/ssh_config already sets GSSAPIAuthentication yes; if you still get a password prompt, check that klist shows a valid ticket and that the target hostname maps to the right realm in [domain_realm], because a service principal in the wrong realm makes the GSSAPI attempt fail (visible with ssh -v) and ssh falls back to password authentication. The directory warnings below are again only about the missing home directory:

$ ssh ipa.rhce.local
Could not create directory '/home/alice/.ssh'.
[...]
Could not chdir to home directory /home/alice: No such file or directory
$ hostname
ipa.rhce.local
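An added example, not from the original post, to show what the [domain_realm] section listed above actually decides. The shell functions below reproduce the host-to-realm lookup a Kerberos client performs before requesting a service ticket (exact host entry, then the longest matching .domain entry, then MIT krb5's last-resort guess of the host's domain in upper case; the KDC referral a real client tries before that guess is skipped because the script runs offline) and print the host/... principal that the passwordless ssh step above asks the KDC for. The krb5.conf is the one from this post, written to a temporary file; the function names krb5_get, krb5_realm_for_host and krb5_host_principal are this example's own, and the parser assumes the "key = value" spacing the post's file uses.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the host-to-realm lookup
# a Kerberos client does before asking the KDC for a service ticket, using the
# [domain_realm] section of krb5.conf. Order (MIT krb5): exact host entry, then
# the longest matching ".domain" entry, then the upper-cased domain of the host.
# Assumption: the KDC referral a real client tries before that last fallback is
# skipped here, since this runs offline. The krb5.conf below is the one from the
# post, written to a temporary file for the demonstration; "key = value" with
# spaces around "=" is assumed, as in that file.

# Print the value of key $2 under section [$1] in file $3 (nothing if absent).
krb5_get() {
    awk -v sec="[$1]" -v key="$2" '
        /^[ \t]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$3"
}

# Print the realm for host $1 according to krb5.conf $2.
krb5_realm_for_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')     # mappings are lower-case
    realm=$(krb5_get domain_realm "$host" "$2")     # 1. exact host entry
    d=$host
    while [ -z "$realm" ] && [ "${d#*.}" != "$d" ]; do
        d=${d#*.}                                   # drop the leftmost label
        realm=$(krb5_get domain_realm ".$d" "$2")   # 2. ".domain" entry
    done
    if [ -z "$realm" ]; then
        # 3. No mapping: a real client asks its KDC for a referral first;
        #    failing that, MIT krb5 guesses the upper-cased domain part.
        realm=$(printf '%s' "${host#*.}" | tr 'a-z' 'A-Z')
        echo "WARN: no [domain_realm] entry covers $host, guessing $realm" >&2
    fi
    printf '%s\n' "$realm"
}

# Print the service principal ssh (GSSAPI) will request for host $1.
krb5_host_principal() {
    printf 'host/%s@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$(krb5_realm_for_host "$1" "$2")"
}

# --- constructed sample: the krb5.conf from this post -------------------------
KRB5_CONF=$(mktemp "${TMPDIR:-/tmp}/krb5.conf.XXXXXX")
cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
 default_realm = RHCE.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 RHCE.LOCAL = {
  kdc = ipa.rhce.local
  admin_server = ipa.rhce.local
 }
[domain_realm]
 rhce.local = RHCE.LOCAL
 .rhce.local = RHCE.LOCAL
EOF

krb5_host_principal ipa.rhce.local "$KRB5_CONF"        # via the ".rhce.local" entry
krb5_host_principal rhce.local "$KRB5_CONF"            # via the exact entry
krb5_host_principal nas.lab.example.com "$KRB5_CONF"   # no entry: WARN, LAB.EXAMPLE.COM guessed
```

The third call is the failure mode behind "ssh asks for a password anyway": a host outside the mapped domain ends up with a principal in a realm the KDC has never heard of, the GSSAPI step fails, and ssh silently moves on to password authentication. Adding the right .domain line to [domain_realm] (or a realm_try_domains setting) is the fix, not ldap_tls_reqcert or pam tweaks.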

42 thoughts on “Setting up LDAP and Kerberos Client Authentication on RHEL 7 (using sssd)”

  1. Hi,
    I have noticed the use of
    tls_reqcert never in /etc/nslcd.conf for nslcd
    and
    ldap_tls_reqcert = never in /etc/sssd/sssd.conf for sssd.

    If I’m not wrong, this disables the use of the TLS certificate. You can check this by deleting the certification authority certificate (ca.crt) in /etc/openldap/cacerts.
    This is because authconfig-tui does not properly create the hash link for the ca.crt.
    Instead authconfig-gtk properly creates the hash link.
    Then I think it is better to configure LDAP authentication using authconfig-gtk.
    If you want to configure LDAP/Kerberos authentication using authconfig-tui, without disabling TLS, you need to:

    Configure LDAP/Kerberos authentication using authconfig-tui. At the end authconfig-tui warns you to copy the CA certificate into /etc/openldap/cacerts.

    cd /etc/openldap/cacerts

    The IPA server CA certificate is /etc/ipa/ca.crt; you can copy it into the pub ftp directory:
    – cp /etc/ipa/ca.crt /var/ftp/pub/
    Then download it using wget:
    – wget -O ca.crt ftp://labipa.example.com/pub/ca.crt
    Then we need to get the certificate hash:
    – /etc/pki/tls/misc/c_hash ca.crt
    example: 45e037a3.0 => ca.crt
    Now we need to properly create the hash link:
    – ln -s ca.crt 45e037a3.0

    then restart sssd

    • I’m afraid you misunderstood. It does not disable the TLS certificate.

      Setting ldap_tls_reqcert to “never” means that the client does not “request” a server certificate. Now whether the server sends its certificate or not is not under the client’s control, but setting it to “never” just tells the client to do no checking of the server certificate, if any, that is received.

    • Hi,
      yes, but if I set tls_reqcert never or ldap_tls_reqcert never
      in nslcd or sssd, I don’t need to download the CA certificate.

    • CentOS 7.3 creates a symlink to /etc/openldap/cacerts/ca.crt (taken from the FreeIPA host’s /etc/ipa/ca.crt) automatically after enabling TLS support using authconfig-tui.

      Note: LDAPS will not work with the `cacert.p12` file. You need to copy the CA certificate in `.crt` or `.pem` format.
      The easiest way is:

      1.
      # mkdir /etc/openldap/cacerts
      # scp ipa.rhce.local:/etc/ipa/ca.crt /etc/openldap/ca.crt

      2. Then enable TLS for LDAP using the `authconfig-tui` utility.

      In this case you don’t need to use `ldap_tls_reqcert = never` on srv1.rhce.local.

  2. Is there a reason I can’t use ipa-client-install after I “yum -y install ipa-client” instead of going through all that?

  3. Hi Tomas,

    Do I need to do all the tasks mentioned on this page, “Setting up LDAP and Kerberos Client Authentication on RHEL 7 (using sssd)”, for the RHCE exam? Please let me know. I am preparing for the exam now. I just want to get a clear idea about the task.
    Thanks in advance.

    • I cannot tell how many tasks mentioned here you need to do, but you surely need to know how to configure LDAP/Kerberos authentication. And be advised that you don’t have to stick with authconfig-tui if you don’t want to, it’s not the only option available for the job.

  4. @Tomas, please update the section for the download of the IPA certificate. According to the following errata it should be replaced with “/etc/ipa.ca.crt”

    • That looks like a random link on the Internet that anyone can post and not a valid Errata per se. Do you happen to have a weblink to the Red Hat source?

  5. Kerberos authentication for ssh doesn’t appear to work using the instructions given here. Is there anything that needs to be changed to allow ssh to use Kerberos? I am using Red Hat 7.3.

  6. Hi Tomas, thanks for this guide.

    I’ve got a few questions: why do you use sssd here instead of nslcd? Is it OK to use nslcd?

    Configuring sssd in this way did not create sssd.conf automatically. Maybe I’ve missed something? When installing different packages previously I didn’t have to configure it, it was created automatically, but now I cannot make it work.

    ps. works properly on RHEL 7.3 except sssd.conf

    • Hi Alex, you can use whichever you like, there is a guide for setting an LDAP client up with nslcd too.

      I haven’t tried the instructions on RHEL 7.3, therefore cannot really tell much, but on RHEL 7.0 and RHEL 7.2 it should work as per blog post.

  7. Thanks for this great article.

    This is a bit confusing for me.
    The exam objective is: Configure a system to authenticate using Kerberos

    Q1:
    Why would we need to configure LDAP authentication first and then
    configure Kerberos authentication?

    Q2: The ipa-client package will join the IPA server without any difficulties. If we use ipa-client only, will it work smoothly?

    If you provide a short tutorial about IPA Server with ipa-client, I think it will help us more.

    • Hi, these are excellent questions!

      In short, Kerberos is used for authentication to manage credentials securely while LDAP is used for holding authoritative information about user accounts, such as the user’s full name and uid, or what they’re allowed to access (authorisation).

      While LDAP can be used for both authentication and authorisation, it is best, in my opinion, to avoid using LDAP for authentication and go with Kerberos.

      Having said that, you do not need to configure LDAP in order to use Kerberos. For the exam you need to know how to configure Kerberos authentication.

      The ipa-client should work without issues, there is an example provided on the following page: https://www.lisenet.com/2016/kerberised-nfs-server-on-rhel-7/

  8. Hi,
    I followed these instructions exactly and I found that nslcd is started as well as sssd. Is this expected? I would expect only sssd to be started/enabled, correct?
    I’m following Sander van Vugt’s course (and his VMs, RHEL 7.2) and got the same result. After some googling I found your site (very helpful!) and tried your guide, ending up in the same situation where nslcd is started/used as well as sssd. nslcd is started only after configuring Kerberos.
    Any idea what’s going wrong?

    Thanks,
    Stef

  9. Hi Tomas,
    Thanks for your reply. I did that and found nslcd was already disabled /not running.
    So to be clear, nslcd should not be running at all right?

    Thanks

  10. Hi Tomas,

    I followed your tutorial about configuring Kerberos authentication with sssd on my CentOS 7.0 and when I’m running “kinit lisa” I’m getting the following error: “kinit: Generic preauthentication failure while getting initial credentials”
    but if I’m doing “kinit admin” it’s working. What could be the problem?

    Regards,
    Pilcher

  11. Hello Tomas,

    Thanks for providing the guide and great tutorials. I’m trying to apply the above tutorial. IPA is working fine; I created the user ALICE on the IPA server. Now while configuring Kerberos on Serv2 I followed it line by line. When I tried to log in with “su – alice” on serv2 it slapped me with the message “su: user alice does not exist”. Also, even though I installed the package for /etc/sssd/sssd.conf, the sssd.conf file was still not created, so I had to copy the file from “/usr/share/doc/sssd-common-1.11.2/sssd-example.conf” and save it as /etc/sssd/sssd.conf.

    And uncommented the last two lines and changed the realm:
    krb5_server = ipa.rhce.local
    krb5_realm = RHCE.LOCAL

    Now when I try to start the service “systemctl start sssd” it gives another message:
    “Aug 29 14:41:27 serv2.rhce.local sssd[3245]: SSSD couldn’t load the configuration database [2]: No such file or directory.
    Aug 29 14:41:27 serv2.rhce.local systemd[1]: sssd.service: control process exited, code=exited status=4
    Aug 29 14:41:27 serv2.rhce.local systemd[1]: Failed to start System Security Services Daemon.”

    Note: the IPA server is CentOS 7.2 and Serv2 is CentOS 7.0

    Any idea what I’m missing?

    • Do I also have to enable LDAP? Yes, I used authconfig-tui and authconfig-gtk.

    • Hi all,
      I had the same issue. Firstly I tried the same as you, copying sssd.conf from another location. But with that I got the “No such file or directory” error, same as you.

      Then I tried another approach.
      1. Run authconfig-tui again, UNCHECK “Use LDAP” and “Use LDAP configuration”, click Next.
      2. Then verify that you didn’t forget to configure the settings in /etc/sysconfig/authconfig (this was maybe the reason why sssd.conf was not generated, at least in my case).
      3. Run authconfig-tui again, CHECK “Use LDAP” and “Use LDAP configuration”, click Next. Continue as you would according to this tutorial.

  12. Is the LDAP configuration still a part of the RHCE? I don’t see that as an objective, only the configuration for Kerberos using a keytab file.

  13. Do we know what version of RHEL the exam is based on? Also any hint as to whether the admin credentials for the FreeIPA server are given or not? I would like to use ipa-client-install, as I still haven’t gotten this process working in getting Kerberos setup correctly.

    • The exam is based on RHEL 7.

      You need to know how to configure Kerberos client without admin credentials.

    • Is the keytab file provided? I’ve read that you can use that with ‘ipa-client-install -k keytabfile’ to avoid having to enter admin credentials; it would save a lot of time on the exam if that’s the case.

      I’ve read some saying it was 7.0 and others stating it was a later release like 7.1+. My concern is with NFS with Kerberos and the difference in setup. I think on later releases certain things like nfs-secure-server and nfs-secure don’t need to be started?

    • You need to know how to use the keytab file.

      If you practise Kerberos configuration on different RHEL releases, then it won’t matter which version the exam is on. You can always contact Red Hat to clarify the OS version.
