Chapter 5. Configuring Kerberos SSO for Active Directory users in Satellite
If the base system of your Satellite Server is connected directly to Active Directory (AD), you can configure AD as an external authentication source for Satellite. Direct AD integration means that a Linux system is joined directly to the AD domain where the identity is stored.
AD users can log in using the following methods:
- Username and password
- Kerberos single sign-on
You can also connect your Satellite deployment to AD in the following ways:
- By using indirect AD integration. With indirect integration, your Satellite Server is connected to an Identity Management server which is then connected to AD. For more information, see Chapter 3, Configuring Kerberos SSO with Identity Management in Satellite.
- By attaching the LDAP server of the AD domain as an external authentication source with no single sign-on support. For more information, see Chapter 6, Configuring an LDAP server as an external identity provider for Satellite. For an example configuration, see How to configure Active Directory authentication with TLS on Satellite.
5.1. Configuring the Active Directory authentication source on Satellite Server
Enable Active Directory (AD) users to access Satellite by configuring the corresponding authentication provider on your Satellite Server.
Prerequisites
The base system of your Satellite Server must be joined to an Active Directory (AD) domain. To enable AD users to sign in with Kerberos single sign-on, use the System Security Services Daemon (SSSD) and Samba services to join the base system to the AD domain:
1. Install the following packages on Satellite Server:

   ```
   # satellite-maintain packages install adcli krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd
   ```

2. Specify the required software when joining the AD domain:

   ```
   # realm join AD.EXAMPLE.COM --membership-software=samba --client-software=sssd
   ```

For more information on direct AD integration, see Connecting RHEL systems directly to AD using Samba Winbind.
Procedure
1. Define AD realm configuration in a location where satellite-installer expects it:

   1. Create a directory named /etc/ipa/:

      ```
      # mkdir /etc/ipa/
      ```

   2. Create the /etc/ipa/default.conf file with the following contents to configure the Kerberos realm for the AD domain:

      ```
      [global]
      realm = AD.EXAMPLE.COM
      ```

2. Configure the Apache keytab for Kerberos connections:

   1. Update the /etc/samba/smb.conf file with the following settings to configure how Samba interacts with AD:

      ```
      [global]
      workgroup = AD.EXAMPLE
      realm = AD.EXAMPLE.COM
      kerberos method = system keytab
      security = ads
      ```

   2. Add the Kerberos service principal to the keytab file at /etc/httpd/conf/http.keytab:

      ```
      # KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U Administrator -s /etc/samba/smb.conf
      ```

3. Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the foreman PAM service. In the [domain/ad.example.com] section of your /etc/sssd/sssd.conf file, configure the ad_gpo_access_control and ad_gpo_map_service options as follows:

   ```
   [domain/ad.example.com]
   ad_gpo_access_control = enforcing
   ad_gpo_map_service = +foreman
   ```

   For more information on GPOs, see the following documents:

   - How SSSD interprets GPO access control rules in Integrating RHEL systems directly with Windows Active Directory (RHEL 9)
   - How SSSD interprets GPO access control rules in Integrating RHEL systems directly with Windows Active Directory (RHEL 8)

4. Restart SSSD:

   ```
   # systemctl restart sssd
   ```

5. Enable the authentication source:

   ```
   # satellite-installer --foreman-ipa-authentication=true
   ```
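The procedure above edits three files by hand, and a realm that differs between /etc/ipa/default.conf and /etc/samba/smb.conf, or a GPO setting left at its default, is only discovered when the first AD login fails. The following script is an added example, not part of the Red Hat Satellite documentation, that checks those files before satellite-installer is run. The file paths, the SSSD domain name and the keytab path are arguments, and make_samples writes constructed sample files (a correct set plus two deliberately wrong ones) so the checks can be tried without touching a real host:

```shell
#!/bin/sh
# Added example, not part of the Red Hat Satellite documentation: sanity-check
# the files edited in the procedure (/etc/ipa/default.conf, /etc/samba/smb.conf,
# /etc/sssd/sssd.conf) and the Apache keytab before running satellite-installer.
# Paths are passed as arguments; make_samples writes constructed sample files.

# Print the value of "key = value" inside [section] of an INI-style file.
# Works for keys that contain spaces (for example "kerberos method").
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); in_sec = (s == sec); next }
        in_sec {
            line = $0; sub(/^[[:space:]]+/, "", line)
            if (index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                if (rest ~ /^[[:space:]]*=/) {
                    sub(/^[[:space:]]*=[[:space:]]*/, "", rest)
                    sub(/[[:space:]]+$/, "", rest)
                    print rest; exit
                }
            }
        }' "$1"
}

# The realm in /etc/ipa/default.conf must match the realm Samba joined with,
# and Kerberos realm names are case-sensitive (upper-case by convention).
check_realm_consistency() {
    ipa_realm=$(ini_get "$1" global realm)
    smb_realm=$(ini_get "$2" global realm)
    [ -n "$ipa_realm" ] || { echo "FAIL: no realm in $1" >&2; return 1; }
    [ "$ipa_realm" = "$smb_realm" ] || { echo "FAIL: realm '$ipa_realm' in $1 but '$smb_realm' in $2" >&2; return 1; }
    upper=$(printf '%s' "$ipa_realm" | tr '[:lower:]' '[:upper:]')
    [ "$ipa_realm" = "$upper" ] || { echo "FAIL: realm '$ipa_realm' is not upper-case" >&2; return 1; }
}

# GPO evaluation must be enforcing and "+foreman" must be a member of the
# comma-separated ad_gpo_map_service list; otherwise SSSD does not apply GPO
# access control rules to the foreman PAM service. $2 is the SSSD domain name.
check_gpo_config() {
    mode=$(ini_get "$1" "domain/$2" ad_gpo_access_control)
    svc=$(ini_get "$1" "domain/$2" ad_gpo_map_service)
    [ "$mode" = enforcing ] || { echo "FAIL: ad_gpo_access_control is '$mode', expected enforcing" >&2; return 1; }
    printf '%s\n' "$svc" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx '+foreman' \
        || { echo "FAIL: ad_gpo_map_service '$svc' does not contain +foreman" >&2; return 1; }
}

# The Apache keytab must hold an HTTP/ service principal. Needs klist from
# krb5-workstation; skipped with a warning when klist is unavailable.
check_keytab_principal() {
    command -v klist >/dev/null 2>&1 || { echo "WARN: klist not found, skipping keytab check" >&2; return 0; }
    klist -kt "$1" 2>/dev/null | grep -q 'HTTP/' || { echo "FAIL: no HTTP/ principal in $1" >&2; return 1; }
}

# Write constructed sample files (a correct set and two wrong ones) into $1.
make_samples() {
    printf '[global]\nrealm = AD.EXAMPLE.COM\n' > "$1/default.conf"
    printf '[global]\nworkgroup = AD.EXAMPLE\nrealm = AD.EXAMPLE.COM\nkerberos method = system keytab\nsecurity = ads\n' > "$1/smb.conf"
    printf '[global]\nrealm = ad.example.com\n' > "$1/smb-mismatch.conf"
    printf '[sssd]\ndomains = ad.example.com\n\n[domain/ad.example.com]\nad_gpo_access_control = enforcing\nad_gpo_map_service = +foreman\n' > "$1/sssd.conf"
    printf '[domain/ad.example.com]\nad_gpo_access_control = permissive\nad_gpo_map_service = +foreman\n' > "$1/sssd-permissive.conf"
}

# Run every check against real paths, for example:
#   run_checks /etc/ipa/default.conf /etc/samba/smb.conf /etc/sssd/sssd.conf ad.example.com /etc/httpd/conf/http.keytab
run_checks() {
    rc=0
    check_realm_consistency "$1" "$2" || rc=1
    check_gpo_config "$3" "$4" || rc=1
    check_keytab_principal "$5" || rc=1
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}
```

Source the file and call run_checks with the real paths on the Satellite base system; each failing check prints a FAIL line naming the file and the offending value, which is easier to act on than a generic login error in production.log.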
Verification
- To verify that AD users can log in to Satellite by entering their credentials, log in to the Satellite web UI at https://satellite.example.com. Enter the user name in the user principal name (UPN) format, for example: ad_user@AD.EXAMPLE.COM.
- To verify that AD users can authenticate by using Kerberos single sign-on:

  1. Obtain a Kerberos ticket-granting ticket (TGT) on behalf of an AD user:

     ```
     $ kinit ad_user@AD.EXAMPLE.COM
     ```

  2. Verify user authentication by using your TGT:

     ```
     $ curl -k -u : --negotiate https://satellite.example.com/users/extlogin
     <html><body>You are being <a href="satellite.example.com/hosts">redirected</a>.</body></html>
     ```
Troubleshooting
Connecting to the AD LDAP can sometimes fail with an error such as the following appearing in the logs:

```
Authentication failed with status code: { "error": { "message": "ERF77-7629 [Foreman::LdapException]: Error while connecting to 'server.com' LDAP server at 'ldap.example.com' during authentication ([Net::LDAP::Error]: Connection reset by peer - SSL_connect)" } }
```

If you see this error, verify which cipher is used for the connection:

```
# openssl s_client -connect ldap.example.com:636
```

If the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher is used, disable it on either the Satellite Server side or on the AD side. The TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher is known to cause incompatibilities. For more information, see the Red Hat Knowledgebase solution API calls to Red Hat Satellite 6 fail intermittently on LDAP authentication.
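Reading the cipher out of the openssl s_client output by eye is error-prone, and the name it prints is the OpenSSL-style name DHE-RSA-AES256-GCM-SHA384 rather than the IANA name TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 quoted above. The following script is an added example, not part of the Red Hat documentation or the Knowledgebase solution: it extracts the negotiated cipher from s_client output, flags that suite under either spelling, and wraps the live check for an LDAPS host and port given as arguments. The s_client output in sample_s_client_output is constructed and abbreviated so the parsing can be exercised offline:

```shell
#!/bin/sh
# Added example, not from the Red Hat Satellite documentation: parse the
# negotiated cipher from "openssl s_client" output and flag the DHE suite named
# in the troubleshooting text. s_client prints the OpenSSL-style name
# (DHE-RSA-AES256-GCM-SHA384) for TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
# so both spellings are recognised.

# Read s_client output on stdin and print the negotiated cipher name, taken
# from the "Cipher    : NAME" line of the SSL-Session block.
negotiated_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Return 0 when $1 is the DHE suite known to break the Satellite LDAP
# connection, 1 otherwise. With TLS 1.3 the reported cipher is a TLS_AES_*
# suite and key exchange is negotiated separately, so this suite cannot occur.
is_problem_cipher() {
    case "$1" in
        DHE-RSA-AES256-GCM-SHA384|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384) return 0 ;;
        *) return 1 ;;
    esac
}

# Read s_client output on stdin and print "problem:NAME" or "ok:NAME".
classify_output() {
    cipher=$(negotiated_cipher)
    [ -n "$cipher" ] || { echo "unknown"; return 2; }
    if is_problem_cipher "$cipher"; then
        echo "problem:$cipher"; return 1
    fi
    echo "ok:$cipher"
}

# Live check against a real LDAPS endpoint (default port 636). -servername
# sends SNI so a name-aware server presents the expected certificate.
check_ldaps_cipher() {
    host=$1; port=${2:-636}
    result=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | classify_output)
    case "$result" in
        problem:*) echo "$host:$port negotiated ${result#problem:}: disable this suite on Satellite or on the AD side"; return 1 ;;
        unknown)   echo "could not determine the cipher for $host:$port" >&2; return 2 ;;
        *)         echo "$host:$port negotiated ${result#ok:}" ;;
    esac
}

# Constructed, abbreviated s_client output for offline use; not a real capture.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = ldap.example.com
verify return:1
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
EOF
}
```

Source the file and run check_ldaps_cipher ldap.example.com against the domain controller Satellite is configured to use; a non-zero exit with the "disable this suite" message is the condition the Knowledgebase solution describes, while any other TLS 1.2 suite or a TLS 1.3 connection points the investigation elsewhere.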
Additional resources
- sssd-ad(5) man page on your system
- For information about configuring Mozilla Firefox for Kerberos, see Configuring Firefox to use Kerberos for single sign-on in Red Hat Enterprise Linux 9 Configuring authentication and authorization in RHEL.