5.3. Managing and Configuring a Cross-forest Trust Environment
5.3.1. User Principal Names in a Trusted Domains Environment
IdM supports the logging in using user principal names (UPN). A UPN is an alternative to the user name to authenticate with, and has the format
username@KERBEROS-REALM
. In an Active Directory forest it is possible to configure additional UPN suffixes. These enterprise principal names are used to provide alternative logins to the default UPN.
For example, if a company uses the Kerberos realm
AD.EXAMPLE.COM
, the default UPN for a user is user@ad.example.com
. However often a company want instead their users to be able to log in using their email addresses, like user@example.com
. In this case the administrator adds an additional UPN suffix example.com
to the Active Directory forest and sets the new suffix in the user's account properties.
UPN suffixes are only visible for IdM when defined in the AD forest root. As an AD administrator, you can define UPNs with the
Active Directory Domain and Trust
utility or the PowerShell
command line tool.
Note
To configure UPN suffixes for users, Red Hat recommends to use tools that perform error validation, such as the
Active Directory Domain and Trust
utility.
Red Hat recommends against configuring UPNs through low-level modifications, such as using
ldapmodify
commands to set the userPrincipalName
attribute for users, because Active Directory does not validate those operations.
When you add or remove UPN suffixes in a trusted AD forest, you have to refresh the information for the trusted forest on the IdM master:
[root@ipaserver ~]# ipa trust-fetch-domains Realm-Name: ad.example.com ------------------------------- No new trust domains were found ------------------------------- ---------------------------- Number of entries returned 0 ----------------------------
Verify that the alternative UPN was fetched, by running:
[root@ipaserver ~]# ipa trust-show
Realm-Name: ad.example.com
Realm-Name: ad.example.com
Domain NetBIOS name: AD
Domain Security Identifier: S-1-5-21-796215754-1239681026-23416912
Trust direction: Two-way trust
Trust type: Active Directory domain
UPN suffixes: example.com
The UPN suffixes for a domain are stored in the multi-value attribute
ipaNTAdditionalSuffixes
in the cn=trusted_domain_name,cn=ad,cn=trusts,dc=idm,dc=example,dc=com
subtree.
5.3.2. IdM Clients in an Active Directory DNS Domain
In some environments with trusts between IdM and Active Directory, you can install an IdM client on a host that is part of the Active Directory DNS domain. The host can then benefit from the Linux-focused features of IdM.
Important
This is not a recommended configuration and has some limitations. Red Hat recommends to always deploy IdM clients in a DNS zone different from the ones owned by Active Directory and access IdM clients through their IdM host names.
5.3.2.1. Kerberos Single Sign-on to the IdM Client is not Required
For IdM clients set up in the Active Directory DNS domain, only password authentication is available to access resources on this IdM host. To configure the client for this scenario:
- To ensure that the System Security Service Daemon (SSSD) on the client can communicate with the IdM servers, install the IdM client with the
--domain=IPA_DNS_Domain
option:[root@idm-client.ad.example.com ~]# ipa-client-install --domain=idm.example.com
This option disables the SRV record auto-detection for the Active Directory DNS domain. - Locate the existing mapping for the Active Directory domain in the
[domain_realm]
section of the/etc/krb5.conf
configuration file:.ad.example.com = IDM.EXAMPLE.COM ad.example.com = IDM.EXAMPLE.COM
Replace both lines with a mapping entry for the Linux clients fully qualified domain name (FQDN) in the Active Directory DNS zone to the IdM realm:idm-client.ad.example.com = IDM.EXAMPLE.COM
Replacing the default mapping prevents Kerberos from sending its requests for the Active Directory domain to the IdM Kerberos Distribution Center (KDC). Instead Kerberos uses auto-discovery through SRV DNS records to locate the KDC. Only for the added hostidm-client.ad.example.com
the IdM KDC is set.
Note
Authenticating to resources on clients that are not within an IdM-owned DNS zone is only possible by using user name and password.
Handling of SSL certificates
SSL-based services require a certificate with dNSName extension records that cover all system host names, because both original (A/AAAA) and CNAME records must be in the certificate. Currently, IdM only issues certificates to host objects in the IdM database.
In the described setup without single sign-on available, IdM already has a host object for the FQDN in the database, and
certmonger
can request a certificate for this name:
[root@idm-client.ad.example.com ~]# ipa-getcert request -r \ -f /etc/httpd/alias/server.crt \ -k /etc/httpd/alias/server.key \ -N CN=ipa-client.ad.example.com \ -D ipa-client.ad.example.com \ -K host/idm-client.ad.example.com@IDM.EXAMPLE.COM \ -U id-kp-serverAuth
The
certmonger
service uses the default host key stored in the /etc/krb5.keytab
file to authenticate to the IdM Certificate Authority (CA).
5.3.2.2. Kerberos Single Sign-on to the IdM Client is Required
If you require Kerberos single sign-on to access resources on the IdM client, the client must be within the IdM DNS domain, for example
idm-client.idm.example.com
. You must create a CNAME record idm-client.ad.example.com
in the Active Directory DNS domain pointing to the A/AAAA record of the IdM client.
For Kerberos-based application servers, MIT Kerberos supports a method to allow the acceptance of any host-based principal available in the application's keytab. To disable the strict checks on what Kerberos principal was used to target the Kerberos server, set the following option in the
[libdefaults]
section of the /etc/krb5.conf
configuration file:
ignore_acceptor_hostname = true
Handling of SSL certificates
SSL-based services require a certificate with dNSName extension records that cover all system host names, because both original (A/AAAA) and CNAME records must be in the certificate. Currently, IdM only issues certificates to host objects in the IdM database.
In the described setup without single sign-on available, IdM already has a host object for the FQDN in the database, and
certmonger
can request a certificate for this name:
- Create a new host object:
[root@idm-server.idm.example.com ~]# ipa host-add idm-client.ad.example.com --force
Use the--force
option, because the host name is a CNAME and not an A/AAAA record. - Allow the IdM DNS host name to manage the Active Directory host entry in the IdM database:
[root@idm-server.idm.example.com ~]# ipa host-add-managedby idm-client.ad.example.com \ --hosts=idm-client.idm.example.com
With this setup, the IdM client can request an SSL certificate with dNSName extension record for its host name within the Active Directory DNS domain:
[root@idm-client.idm.example.com ~]# ipa-getcert request -r \ -f /etc/httpd/alias/server.crt \ -k /etc/httpd/alias/server.key \ -N CN=`hostname --fqdn` \ -D `hostname --fqdn` \ -D idm-client.ad.example.com \ -K host/idm-client.idm.example.com@IDM.EXAMPLE.COM \ -U id-kp-serverAuth
5.3.3. Creating IdM Groups for Active Directory Users
User groups are required to set access permissions, host-based access control, sudo rules, and other controls on IdM users. These groups are what grant access to IdM domain resources, as well as restricting access.
Both AD users and AD groups can be added directly to IdM user groups. To do that, first add the AD users or groups to a non-POSIX IdM external group and then to a local IdM POSIX group. The POSIX group can then be used for user and role management of the AD users. The principles of handling non-POSIX groups in IdM are described in Section 5.1.3.2, “Active Directory Users and Identity Management Groups”.
Note
It is also possible to add AD user groups as members to IdM external groups. This might make it easier to define policies for Windows users, by keeping the user and group management within the single AD realm.
- Optional. Create or select the group in the AD domain to use to manage AD users in the IdM realm. Multiple groups can be used and added to different groups on the IdM side.
- Create an external group in the IdM domain for the Active Directory users by adding the
--external
option to theipa group-add
command. The--external
option indicates that this group is intended to contain members from outside the IdM domain. For example:[root@ipaserver ~]# ipa group-add --desc='AD users external map' ad_users_external --external ------------------------------- Added group "ad_users_external" ------------------------------- Group name: ad_users_external Description: AD users external map
Note
The external group must be linked to a additional group of a user and not to the user's primary group. Active Directory stores group members inmember
attributes of a group, and IdM uses this attribute to resolve the members. However, Active Directory stores the primary group of users in theprimaryGroupID
attribute in the user's entry, which is not resolved. - Create a new IdM POSIX group or select an existing one for administering the IdM policies. For example, to create a new group:
[root@ipaserver ~]# ipa group-add --desc='AD users' ad_users ---------------------- Added group "ad_users" ---------------------- Group name: ad_users Description: AD users GID: 129600004
- Add the AD users or groups to the IdM external group as an external member. The AD member is identified by its fully-qualified name, such as
DOMAIN\group_name
orDOMAIN\username
. The AD identity is then mapped to the Active Directory SID for the user or group.For example, for an AD group:[root@ipaserver ~]# ipa group-add-member ad_users_external --external "AD\Domain Users" [member user]: [member group]: Group name: ad_users_external Description: AD users external map External member: S-1-5-21-3655990580-1375374850-1633065477-513 SID_DOM_GROUP (2) ------------------------- Number of members added 1 -------------------------
- Add the external IdM group to the POSIX IdM group as a member. For example:
[root@ipaserver ~]# ipa group-add-member ad_users --groups ad_users_external Group name: ad_users Description: AD users GID: 129600004 Member groups: ad_users_external ------------------------- Number of members added 1 -------------------------
5.3.4. Maintaining Trusts
Trust management involves several areas, such as global trust configuration, Kerberos trust configuration, DNS realm configuration, or ID ranges assignment to Active Directory users.
5.3.4.1. Editing the Global Trust Configuration
The
ipa-adtrust-install
utility automatically automatically configures background information for the IdM domain which is required to create a trust with the Active Directory domain.
The global trust configuration contains five attributes:
- A Windows-style security ID (SID); this attribute is autogenerated and cannot be modified
- A domain GUID; this attribute is autogenerated and cannot be modified
- A Kerberos domain name; this attribute comes from the IdM configuration and cannot be modified
- The default group to which to add IdM users; this attribute can be modified
- The NetBIOS name; it is not recommended to modify this attribute
The trust configuration is stored in the
cn=domain,cn=ad,cn=etc,dc=example,dc=com
subtree.
5.3.4.1.1. Changing the NetBIOS Name
Important
Changing the NetBIOS name in most cases requires to re-establish all existing trusts. Therefore, Red Hat recommends not to change the attribute.
A NetBIOS name compatible within an Active Directory topology is configured for the IdM server when running the
ipa-adtrust-install
utility. To change it later, run ipa-adtrust-install
again and specify the new NetBIOS name using the --netbios-name
option:
[root@ipaserver ]# ipa-adtrust-install --netbios-name=NEWBIOSNAME
5.3.4.1.2. Changing the Default Group for Windows Users
When Identity Management is configured to trust an Active Directory forest, an MS-PAC record is added to the Kerberos tickets of IdM users. An MS-PAC record contains security identifiers (SIDs) of the groups to which an IdM user belongs. If the primary group of the IdM user has no SID assigned, the value of the security identifier defined for the Default SMB Group will be used. The same logic is applied by the Samba suite when the AD domain controller requests user information from the IdM trust controller.
The Default SMB Group is a fallback group created automatically by the
ipa-adtrust-install
utility. The default group cannot be deleted, but you can use the global trust configuration to specify another IdM group to be used as a fallback for the primary group of the IdM users.
To set the default group from the command line, use the
ipa trustconfig-mod
command:
[root@server ~]# kinit admin [root@server ~]# ipa trustconfig-mod --fallback-primary-group="Example Windows Group"
To set the default group from the IdM web UI:
- Open the IdM web UI.
https://ipaserver.example.com
- Under the IPA Server main tab, select the Trusts subtab, and then open the Global Configuration section.
- Select a new group from all of the IdM groups in thedrop-down list.
Figure 5.6. Configuring the Default Group for Windows Users
- Clickto save the new configuration.
5.3.4.2. Discovering, Enabling, and Disabling Trust Domains
A transitive trust means that the trust path can follow a chain of domains. It is described in more detail in Section 5.1.1, “The Architecture of a Trust Relationship”.
IdM has a trust with the root domain in a forest and, due to transitivity, all of its child domains and other domains from the same forest are implicitly included in that trust. IdM follows that topology as Windows users from anywhere in the forest attempt to access IdM resources. Each domain and child domain is a trust domain in the IdM trust configuration. Each domain is stored in its own entry,
cn=subdomain,cn=trust_name,cn=ad,cn=trusts,dc=example,dc=com
in the trusts subtree.
IdM attempts to discover and map the full Active Directory topology when the trust is first configured, although in some cases it is required or beneficial to retrieve that topology manually. That is done with the
trust-fetch-domains
command:
[root@ipaserver ~]# kinit admin [root@ipaserver ~]# ipa trust-fetch-domains ad.example.com -------------------------------------------- List of trust domains successfully refreshed -------------------------------------------- Realm name: test.ad.example.com Domain NetBIOS name: TEST Domain Security Identifier: S-1-5-21-87535643-5658642561-5780864324 Realm name: users.ad.example.com Domain NetBIOS name: USERS Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112 Realm name: prod.ad.example.com Domain NetBIOS name: PROD Domain Security Identifier: S-1-5-21-46580863-3346886432-4578854233 ---------------------------- Number of entries returned 3 ----------------------------
Note
When adding a trust with a shared secret, you need to manually retrieve topology of the AD forest. After running the
ipa trust-add ad.domain --trust-secret
command, validate incoming trust at AD side using forest trust properties in the AD Domains and Trusts tool. Then, run the ipa trust-fetch-domains ad.domain
command. IdM will receive information about the trust, which will then be usable.
Once the topology is retrieved (through automatic or manual discovery), individual domains and child domains in that topology can be enabled, disabled, or removed entirely within the IdM trust configuration.
For example, to disallow users from a specific child domain from using IdM resources, disable that trust domain:
[root@ipaserver ~]# kinit admin [root@ipaserver ~]# ipa trustdomain-disable test.ad.example.com ------------------------------------------ Disabled trust domain "test.ad.example.com" ------------------------------------------
That trust domain can be re-enabled using the
trustdomain-enable
command.
If a domain should be permanently removed from the topology, than it can be deleted from the IdM trust configuration.
[root@ipaserver ~]# kinit admin [root@ipaserver ~]# ipa trustdomain-del prod.ad.example.com ------------------------------------------------------------------- Removed information about the trusted domain " "prod.ad.example.com" -------------------------------------------------------------------
5.3.4.3. Viewing and managing domains associated with IdM Kerberos realm
Domains that are associated with the IdM Kerberos realm are stored in the
cn=Realm Domains,cn=ipa,cn=etc,dc=example,dc=com
subtree in the IdM directory. The list of domains is used by IdM when it establishes a trust with Active Directory. Knowing the full list of domains managed by IdM allows the AD domain controller to know which authentication requests to route to the IdM KDC. The list of configured domains associated with IdM realm can be displayed using the realmdomains-show
command:
[root@ipaserver ~]# kinit admin [root@ipaserver ~]# ipa realmdomains-show Domain: ipa.example.org, ipa.example.com, example.com
In an IdM setup with integrated DNS:
- A domain is automatically added to the domains list after a new DNS zone is added to IdM using the
ipa dnszone-add
command. Runningipa realmdomains-show
shows the new domain in the list of domains controlled by the IdM KDC:# kinit admin # ipa dnszone-add ipa2.example.com # ipa realmdomains-show Domain: ipa.example.org, ipa.example.com, example.com, ipa2.example.com
Deletion and other types of modification of domains associated with the IdM Kerberos realm are also taken care of automatically.
In an IdM setup without integrated DNS:
- If a DNS zone has been added that is part of the IdM Kerberos realm, the new domain has to be added manually to the IdM list of domains under the control of the IdM KDC. Add the new domain using the
ipa realmdomains-mod
command with the--add-domain
option:[root@ipaserver ~]# kinit admin [root@ipaserver ~]# ipa realmdomains-mod --add-domain=ipa2.example.com Domain: ipa.example.org, ipa.example.com, example.com, ipa2.example.com
If a DNS zone has been deleted, you need to delete the domain associated with the IdM Kerberos realm manually, too:[root@ipaserver ~]# kinit admin [root@ipaserver ~]# ipa realmdomains-mod --del-domain=ipa2.example.com Domain: ipa.example.org, ipa.example.com, example.com
If there are multiple changes to be made to the list of domains, the list itself can be modified and replaced using the--domain
option.[root@ipaserver ~]# ipa realmdomains-mod --domain={ipa.example.org,ipa2.example.com}
5.3.4.4. Adding Ranges for UID and GID Numbers in a Transitive Trust
Creating ID ranges at the time when a trust is originally configured is described in the section called “ID Ranges”. To add an ID range later, use the
ipa idrange-add
command with the following options:
- the
--base-id
option sets the base ID for the POSIX range, which is the starting number - The
--range-size
option sets the size of the POSIX ID range IdM uses. IdM maps the RID of users and groups in a trusted AD domain to POSIX IDs. The--range-size
option defines the maximum number of IDs IdM creates. AD uses a new RID for each user and group you create. If you delete a user or group, AD will not re-use the RID for future AD entries. Therefore, the range must be large enough for IdM to assign an ID to each existing AD user and group as well as the ones you create in the future. For example, if an administrator deletes 20000 of 50000 AD users and will, during the time, create 10000 new accounts, the range must be at least set to 60000. However, it is important that the range also contains enough reserves. In large environments, in which you expect that the default (200000) range size is not sufficient, set--range-size
to a higher value. - the
--rid-base
option sets the starting number of the RID, which is the far-right number in the SID; the value represents the range to add to the base ID to prevent conflicts - the
--dom-sid
option sets the domain SID, because there can be multiple domains configured for trusts
In the following example, the base ID is 1,200,000 and the RID is 1,000. The resulting ID number is then 1,201,000.
[root@server ~]$ kinit admin [root@server ~]$ ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=0 --dom-sid=S-1-5-21-123-456-789 trusted_dom_range
Important
Make sure that the manually defined ID range does not overlap with the ID range used by IdM.
5.3.4.5. Adjusting DNA ID ranges manually
In some cases, you may need to manually adjust Distributed Numeric Assignment (DNA) ID ranges for existing replicas, for example to recover a DNA ID range assigned to a non-functioning replica or to extend a range that has run out of IDs.
When adjusting a DNA ID range manually, make sure that the newly adjusted range is included in the IdM ID range. You can check this using the
ipa idrange-find
command. If the newly adjusted range is not included in the IdM ID range, the command fails.
To recover a DNA ID range from a non-functioning replica, use the
ipa-replica-manage dnarange-show
command to see currently assigned DNA ranges. To see the currently assigned on-deck DNA ranges, use the ipa-replica-manage dnanextrange-show
command.
Important
Do not create overlapping ID ranges. If any of the ID ranges you assign to servers or replicas overlap, it could result in two different servers assigning the same ID value to different entries.
To define the current DNA ID range for a specified server, use the
ipa-replica-manage dnarange-set
command:
# ipa-replica-manage dnarange-set masterA.example.com 1250-1499
To define the next DNA ID range for a specified server, use the
ipa-replica-manage dnanextrange-set
command:
# ipa-replica-manage dnanextrange-set masterB.example.com 1500-5000
5.3.4.6. Kerberos Flags for Services and Hosts
Accessing services or hosts in a trusted domain can require special flags for the Kerberos ticket-granting ticket (TGT). For example, if you want to log in using single sign-on to an IdM client with an Active Directory (AD) account from an AD client, the Kerberos TGT flag
OK_AS_DELEGATE
is required.
For more information and how to set Kerberos flags, see Kerberos Flags for Services and Hosts in the Linux Domain Identity, Authentication, and Policy Guide.
5.3.5. Setting PAC Types for Services
On IdM resources, if an Active Directory user requests a ticket for a service, then IdM forwards the request to Active Directory to retrieve the user information. Access data, associated with the Active Directory group assignments for the user, is sent back by Active Directory and embedded in the Kerberos ticket.
Group information in Active Directory is stored in a list of identifiers in each Kerberos ticket for Active Directory users in a special data set called privileged access certificates or MS-PAC. The group information in the PAC has to be mapped to the Active Directory groups and then to the corresponding IdM groups to help determine access.
IdM services can be configured to generate PACs for each authentication request when a user first attempts to authenticate to a domain service.
5.3.5.1. Setting Default PAC Types
The IdM server configuration defines which PAC types are generated by default for a service. The global settings can be overridden by changing the local settings on a specific service.
- Open the IPA Server tab.
- Select the Configuration subtab.
- Scroll to the Service Options area.
Figure 5.7. The Service Options Area
- To use PAC, select the MS-PAC check box, which adds a certificate that can be used by AD services. If no check box is selected, then no PAC is added to Kerberos tickets.If you select the nfs:NONE check box, the MS-PAC record will not be added to the service tickets issued against NFS servers.
Note
You can ignore the PAD check box. This functionality is not yet available in IdM. - Click the Update link at the top of the page to save the changes.
5.3.5.2. Setting PAC Types for a Service
The global policy sets what PAC types to use for a service if nothing is set explicitly for that service. However, the global settings can be overridden on the local service configuration.
To change the PAC setting from the command line, use the
ipa service-mod
command with the --pac-type
option. For information on how to use the command, run it with the --help
option added:
$ ipa service-mod --help Usage: ipa [global-options] service-mod PRINCIPAL [options] Modify an existing IPA service. Options: -h, --help show this help message and exit ...
To change the PAC setting in the web UI:
- Open the Identity tab, and select the Services subtab.
- Click the name of the service to edit.
- In the Service Settings area, check the Override inherited settings option and then select the MS-PAC check box to add a certificate that can be used by AD services.
Figure 5.8. The Service Settings Area
If no check box is selected, then no PACs are added to Kerberos tickets.Note
You can ignore the PAD check box. This functionality is not yet available in IdM. - Click the Update link at the top of the page to save the changes.
5.3.6. Using POSIX Attributes Defined in Active Directory
5.3.6.1. Defining UID and GID Attributes for Active Directory Users
If the Windows administrator manually defines POSIX UID and GID attributes for a user, create a matching group on the IdM server with the same GID for the user.
Creating the group ensures that the user is associated with a primary user group. If such group does not exist, the IdM server is unable to look up all groups to which the user belongs.
5.3.6.2. Transferring Login Shell and Home Directory Attributes
Important
The client must be enrolled with an IdM server based on Red Hat Enterprise Linux 7.1 or later to benefit from this functionality.
SSSD is able to read the following attribute values from an Active Directory server in a trust relationship with IdM:
- the
loginShell
attribute, which specifies the AD user's shell - the
unixHomeDirectory
attribute, which specifies the AD user's home directory
When a custom shell or home directory value is defined on the AD server using these attributes, the custom value is then displayed to the IdM client for the AD user. Therefore, the same user shell is displayed for the AD user both on the AD side and on the IdM side.
Note that to display the AD user's home directory to the IdM client, the
subdomain_homedir
option in the [domain]
section of the /etc/sssd/sssd.conf
file on the IdM server must be set to %o
. The %o
value represents the home directory retrieved from the identity provider. For example:
[domain/example.com] subdomain_homedir = %o
If the AD administrator modifies
loginShell
or unixHomeDirectory
on the AD side, the change is automatically reflected on the IdM side as well. If the attributes are not defined on the AD server, SSSD uses a template default value. This default value is then displayed to the IdM client.
5.3.7. Using SSH from Active Directory Machines for IdM Resources
When a trust is configured, Active Directory users can access machines, services, and files on IdM hosts using SSH and their AD credentials.
5.3.7.1. Caching Considerations
IdM clients do not connect to Active Directory domain controllers (DC) directly to retrieve user attributes. Instead, a client connects to an IdM server who caches this information. For this reason, if you disable a user in Active Directory, the user can still authenticate to IdM clients using SSH key authentication until the record of the user expires in the IdM database.
IdM updates a record of a user in the following situations:
- The entry has expired automatically.
- You manually expire the entry of the user in the cache using the
sss_cache
utility:# sss_cache --user user_name
- The user authenticates to an IdM server using the
kinit
utility or the web UI.
5.3.7.2. Using SSH Without Passwords
The
localauth
Kerberos plug-in for local authorization ensures that Kerberos principals are automatically mapped to local SSSD user names. With localauth
, Windows users from a trusted AD domain are not prompted for a password when logging in using Kerberos and can therefore use SSH without passwords.
The plug-in provides a reliable mapping mechanism across multiple realms and trusts: when
sssd
connects to the Kerberos library to map the principal to a local POSIX identity, the SSSD plug-in maps them according to the trust agreements defined in IdM.
In certain situations, users use an SSH bastion host to access other Red Hat Enterprise Linux machines. By default, if you use Kerberos to authenticate to SSH on the bastion host, the Kerberos ticket cannot be forwarded to authenticate using Kerberos to other Red Hat Enterprise Linux hosts. To enable such forward authentication, add the
OK_AS_DELEGATE
Kerberos flag to the bastions host principal:
# ipa host-mod bastion_host.idm.example.com --ok-as-delegate=true
Kerberos Authentication for AD Users on Red Hat Enterprise Linux 7.1 and newer Systems
In Red Hat Enterprise Linux 7.1 and newer systems, SSSD automatically configures the
localauth
Kerberos plug-in.
SSSD allows user names in the format
user@AD.DOMAIN
, ad.domain\user
and AD\user
.
Note
On systems with
localauth
, it is not required to set the auth_to_local
option in the /etc/krb5.conf
file or list Kerberos principals in the .k5login
file. The localauth
plug-in makes this previously used configuration for logins without passwords obsolete.
Manual Configuration of Kerberos Authentication for AD Users
On systems where the
localauth
plug-in is not present, SSH prompts for a user password for Active Directory domain users even if the user obtains a proper Kerberos ticket.
To enable Active Directory users to use Kerberos for authentication in this situation, configure the
auth_to_local
option in the /etc/krb5.conf
file or list the user Kerberos principals in the .k5login
file in the home directory of the user.
- Configuring
/etc/krb5.conf
- The following procedure describes how to configure realm mapping in the Kerberos configuration.
- Open the
/etc/krb5.conf
file. - In the
[realms]
section, identify the IdM realm by name, and then add twoauth_to_local
lines to define the Kerberos principal name mapping:- In one rule, include a rule to map different Active Directory user name formats and the specific Active Directory domain.
- In the other rule, set the value of
DEFAULT
, for standard Unix user names.
For example:[realms] IDM = { .... auth_to_local = RULE:[1:$1@$0](^.*@ADDOMAIN$)s/@ADDOMAIN/@addomain/ auth_to_local = DEFAULT }
- Restart the KDC service.
[root@server ~]# systemctl restart krb5kdc.service
Note that if you configure Kerberos authentication using theauth_to_local
option, the user name used for SSH access must meet the following criteria:- The user name must have the format
ad_user@ad_domain
. - The domain name must be lowercase.
- The case of the user name must match the case of the user name in Active Directory. For example,
user
andUser
are considered different users because of the different cases.
For more information about settingauth_to_local
, see the krb5.conf(5) man page. - Configuring
.k5login
- The following procedure configures the system to find the Kerberos principal name for a local user name.
- Create the
.k5login
file in the user's home directory. - List the Kerberos principals used by the user in the file.
If the authenticating user matches the principal in an existing Kerberos ticket, the user is allowed to log in using the ticket and is not prompted for a password.Note that if you configure Kerberos authentication using the.k5login
configuration, the user name used for SSH access must have the formatad_user@ad_domain
.For more information about configuring the.k5login
file, see the .k5login(5) man page.
Either one of these configuration procedures results in AD users being able to log in using Kerberos.
5.3.8. Using a Trust with Kerberos-enabled Web Applications
Any existing web application can be configured to use Kerberos authentication, which references the trusted Active Directory and IdM Kerberos realms. For the full Kerberos configuration directives, see the Configuration page for the mod_auth_kerb module.
Note
After changing the Apache application configuration, restart the Apache service:
[root@ipaserver ~]# systemctl restart httpd.service
For example, for an Apache server, there are several options that define how the Apache server connects to the IdM Kerberos realm:
KrbAuthRealms
- The
KrbAuthRealms
option gives the application location to the name of the IdM domain. This is required. Krb5Keytab
- The
Krb5Keytab
option gives the location for the IdM server keytab. This is required. KrbServiceName
- The
KrbServiceName
option sets the Kerberos service name used for the keytab (HTTP). This is recommended. KrbMethodK5Passwd
andKrbMethodNegotiate
- The
KrbMethodK5Passwd
Kerberos method option enables password-based authentication for valid users. TheKrbMethodNegotiate
option enables single sign-on (SSO) if a valid Kerberos ticket is available.These options are recommended for ease of use for many users. KrbLocalUserMapping
- The
KrbLocalUserMapping
option enables normal web logins (which are usually the UID or common name of the account) to be mapped to the fully-qualified user name (which has a format of user@REALM.COM).This option is strongly recommended. Without the domain name/login name mapping, the web login appears to be a different user account than the domain user. This means that users cannot see their expected data.For information on supported user name formats, see Section 5.2.1.9, “Supported User Name Formats”.
Example 5.1. Kerberos Configuration in an Apache Web Application
<Location "/mywebapp"> AuthType Kerberos AuthName "IPA Kerberos authentication" KrbMethodNegotiate on KrbMethodK5Passwd on KrbServiceName HTTPKrbAuthRealms IDM_DOMAIN
Krb5Keytab /etc/httpd/conf/ipa.keytab
KrbLocalUserMapping on
KrbSaveCredentials off Require valid-user </Location>
5.3.9. Configuring an IdM server as a Kerberos Distribution Center Proxy for Active Directory Kerberos communication
In certain situations, network restrictions or firewall rules prevent Identity Management (IdM) clients from sending Kerberos traffic to port 88 on Active Directory (AD) domain controllers. The solution is to set up a Kerberos proxy, for instance on an Identity Management server, to relay traffic from IdM clients to AD.
- On IdM clients, add the Active Directory realm to the [realms] section of the
/etc/krb5.conf
file. Set thekdc
andkpasswd_server
parameters to point to the IdM server's fully qualified domain name followed by/KdcProxy
':AD.EXAMPLE.COM = { kdc = https://server.idm.example.com/KdcProxy kpasswd_server = https://server.idm.example.com/KdcProxy }
- On IdM clients, disable the creation of
/var/lib/sss/pubconf/kdcinfo.*
files which could override the/etc/krb5.conf
specifications from the previous step. Edit the/etc/sssd/sssd.conf
file, setting thekrb5_use_kdcinfo
toFalse
:[domain/example.com] krb5_use_kdcinfo = False
- On IdM servers, set the
use_dns
option totrue
in the/etc/ipa/kdcproxy/kdcproxy.conf
file to utilize DNS service (SRV) records to find AD servers to communicate with:use_dns = true
Alternatively, if you do not want to use DNS SRV records, add explicit AD servers to the [realms] section of the/etc/krb5.conf
file:AD.EXAMPLE.COM = { kdc = ad-server.ad.example.com kpasswd_server = ad-server.ad.example.com }
Note
You can perform steps 2 and 3 of the procedure by running a script, for example an Ansible script. This is especially useful when making changes on multiple systems. - On IdM servers, restart IPA services:
# ipactl restart
- To verify that the procedure has been successful, run the following on an IdM client:
# rm /var/lib/sss/pubconf/kdcinfo* # kinit ad_user@AD.EXAMPLE.COM Password for ad_user@AD.EXAMPLE.COM: # klist Ticket cache: KEYRING:persistent:0:0 Default principal: ad_user@AD.EXAMPLE.COM Valid starting Expires Service principal [... output truncated ...]