
9.2.6. Setting Up Kerberos Authentication

In order to set up Kerberos authentication, you need to know the address of your key distribution center (KDC) and the Kerberos domain. The client configuration is then stored in the /etc/sssd/sssd.conf file.
The Kerberos 5 authentication back end does not contain an identity provider and must be paired with one in order to function properly (for example, id_provider = ldap). Some information required by the Kerberos 5 authentication back end must be supplied by the identity provider, such as the user's Kerberos Principal Name (UPN). The identity provider configuration should contain an entry to specify this UPN. Refer to the manual page for the applicable identity provider for details on how to configure the UPN.
If the UPN is not available in the identity back end, SSSD will construct a UPN using the format username@krb5_realm.
SSSD assumes that the Kerberos KDC is also a Kerberos kadmin server. However, it is very common for production environments to have multiple, read-only replicas of the KDC, but only a single kadmin server (because password changes and similar procedures are comparatively rare). To manage this type of configuration, you can use the krb5_kpasswd option to specify where your password changing service is running, or if it is running on a non-default port. If the krb5_kpasswd option is not defined, SSSD tries to use the Kerberos KDC in order to change the password. Refer to the sssd-krb5(5) manual page for more information about this and all Kerberos configuration options.
How to Set Up Kerberos Authentication
Edit your /etc/sssd/sssd.conf file to include the following settings:
# A domain with identities provided by LDAP and authentication by Kerberos
[domain/KRBDOMAIN]
enumerate = false
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15

This example describes the minimum options that must be configured when using Kerberos authentication. Refer to the sssd-krb5(5) manual page for a full description of all the options that apply to configuring Kerberos authentication.
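The rules stated above (a krb5 authentication back end needs a separate id_provider, krb5_realm is what SSSD appends when it has to construct a UPN, a missing krb5_server means the KDC is located by service discovery, and a missing krb5_kpasswd means password changes go to the KDC itself) can be checked mechanically before restarting SSSD. The following Python checker is an added example; it is not part of SSSD or of this documentation. The sssd.conf it embeds is constructed from the example above, and the file-permission check encodes SSSD's requirement that sssd.conf be readable by its owner only.

```python
"""Sanity-check the Kerberos-related settings of sssd.conf domain sections."""
import configparser
import os
import stat

# Constructed sample sssd.conf modelled on the example in the text; the hosts,
# addresses and realm are placeholders, not a real deployment.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = KRBDOMAIN
services = nss, pam

[domain/KRBDOMAIN]
enumerate = false
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
krb5_auth_timeout = 15
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text (INI style, '#' and ';' comment lines)."""
    parser = configparser.ConfigParser(interpolation=None,
                                       comment_prefixes=("#", ";"))
    parser.read_string(text)
    return parser


def check_krb5_domain(section):
    """Return (severity, message) findings for one [domain/...] section."""
    findings = []
    uses_krb5 = (section.get("auth_provider") == "krb5"
                 or section.get("chpass_provider") == "krb5")
    if not uses_krb5:
        return findings
    # The krb5 back end carries no identity provider of its own, so it must be
    # paired with one such as ldap.
    id_provider = section.get("id_provider")
    if id_provider is None or id_provider == "krb5":
        findings.append(("error", "auth_provider = krb5 needs a separate id_provider (e.g. ldap)"))
    # Without a realm SSSD cannot build the username@krb5_realm fallback UPN.
    if not section.get("krb5_realm"):
        findings.append(("error", "krb5_realm is missing; SSSD cannot build user@REALM principals"))
    if not section.get("krb5_server"):
        findings.append(("info", "krb5_server not set; KDC will be located via DNS SRV records"))
    # With read-only KDC replicas and one kadmin host, krb5_kpasswd must point
    # at the host that actually runs the password-change service.
    if section.get("chpass_provider") == "krb5" and not section.get("krb5_kpasswd"):
        findings.append(("info", "krb5_kpasswd not set; password changes go to the KDC itself"))
    return findings


def check_sssd_conf(text):
    """Run check_krb5_domain over every domain section; returns {domain: findings}."""
    parser = parse_sssd_conf(text)
    return {name: check_krb5_domain(parser[name])
            for name in parser.sections() if name.startswith("domain/")}


def check_conf_permissions(path):
    """Report why SSSD would refuse the file: it must be owner-readable only
    (mode 0600) and owned by root (or the sssd service user on newer releases)."""
    st = os.stat(path)
    problems = []
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("mode is %o; group/other access must be removed (0600)"
                        % stat.S_IMODE(st.st_mode))
    if st.st_uid != 0:
        problems.append("owner uid is %d, expected root" % st.st_uid)
    return problems


if __name__ == "__main__":
    for domain, findings in check_sssd_conf(SAMPLE_SSSD_CONF).items():
        for severity, message in findings:
            print("%s [%s]: %s" % (domain, severity, message))
```

Running the checker on the sample prints only the informational note that krb5_kpasswd is unset; pointing check_conf_permissions at the real /etc/sssd/sssd.conf reports any permission problem that would keep SSSD from starting.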

DNS Service Discovery

The DNS service discovery feature allows the Kerberos 5 authentication back end to automatically find the appropriate DNS servers to connect to using a DNS SRV query. For more information on the DNS service discovery feature, refer to Section 9.2.3.2.4.1, “Using SRV Records with Failover”.

9.2.6.1. Setting up SASL/GSSAPI Authentication

GSSAPI (Generic Security Services Application Programming Interface) is a supported SASL (Simple Authentication and Security Layer) authentication method. Kerberos is currently the only commonly used GSSAPI implementation. An LDAP client and an LDAP server use SASL to take advantage of GSSAPI as the authentication method (an alternative to plain text passwords, etc.). The GSSAPI plug-in for SASL is then invoked on the client and server side to use Kerberos to communicate.
Using GSSAPI protected communication for LDAP is an advanced configuration not supported by the Authentication Configuration tool; the following steps show how to manually configure it.
On the KDC
  1. Using kadmin, set up a Kerberos service principal for the directory server. Use the -randkey option of kadmin's addprinc command to create the principal and assign it a random key:
    kadmin: addprinc -randkey ldap/server.example.com
  2. Use the ktadd command to write the service principal to a file:
    kadmin: ktadd -k /root/ldap.keytab ldap/server.example.com
  3. Using kadmin, set up a Kerberos host principal for the client running SSSD. Use the -randkey option of kadmin's addprinc command to create the principal and assign it a random key:
    kadmin: addprinc -randkey host/client.example.com
  4. Use the ktadd command to write the host principal to a file:
    kadmin: ktadd -k /root/client.keytab host/client.example.com
On the Directory Server
Complete the following steps for a directory server of your choice:
OpenLDAP
  1. Copy the previously created /root/ldap.keytab file from the KDC to the /etc/openldap/ directory and name it ldap.keytab.
  2. Make the /etc/openldap/ldap.keytab file readable and writable by the ldap user and readable by the ldap group only, with no access for other users.
Red Hat Directory Server
  1. Copy the previously created /root/ldap.keytab file from the KDC to the /etc/dirsrv/ directory and name it ldap.keytab.
  2. Uncomment the KRB5_KTNAME line in the /etc/sysconfig/dirsrv (or instance-specific) file, and set the keytab location for the KRB5_KTNAME variable. For example:
    # In order to use SASL/GSSAPI the directory
    # server needs to know where to find its keytab
    # file - uncomment the following line and set
    # the path and filename appropriately
    KRB5_KTNAME=/etc/dirsrv/ldap.keytab; export KRB5_KTNAME
On the Client
  1. Copy the previously created /root/client.keytab file from the KDC to the /etc/ directory and name it krb5.keytab. If the /etc/krb5.keytab file exists already, use the ktutil utility to merge both files properly. For more information on the ktutil utility, refer to man ktutil.
  2. Modify your /etc/sssd/sssd.conf file to include the following settings:
    ldap_sasl_mech = gssapi
    ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
    # The next three options are shown at their default values
    ldap_krb5_keytab = /etc/krb5.keytab
    ldap_krb5_init_creds = true
    ldap_krb5_ticket_lifetime = 86400
    krb5_realm = EXAMPLE.COM
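The ktadd commands on the KDC and the copy-or-merge step on the client both deal with MIT keytab files, and the principal SSSD presents as ldap_sasl_authid must be present in /etc/krb5.keytab with the exact realm spelling. The following Python is an added example, not code from SSSD, MIT Kerberos or this documentation: it reads and writes the version-2 keytab layout, checks for the expected principal, and performs the kind of merge the ktutil step is meant to achieve when /etc/krb5.keytab already exists (one copy of each principal/kvno/enctype entry). The keytabs and keys it embeds are constructed sample data with fake key material.

```python
"""Parse, build and merge MIT Kerberos keytab files (format version 0x0502)."""
import struct

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1   # name type used for host/ and ldap/ service principals


def build_keytab(entries):
    """Serialise entries (dicts with principal, kvno, enctype, key, timestamp)
    into keytab bytes; all integers are big-endian in version 2 files."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))       # component count excludes realm
        for s in [realm] + comps:                  # realm is stored first
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])       # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return the entries of a keytab, skipping deleted (negative-length) slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (length,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if length < 0:                  # freed slot, e.g. after a ktutil delent
            pos += -length
            continue
        end = pos + length
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):      # realm plus ncomp components
            (slen,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + slen].decode()); pos += slen
        realm, comps = strings[0], strings[1:]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:              # non-zero 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp})
    return entries


def merge_keytabs(*blobs):
    """Combine keytabs, keeping one entry per (principal, kvno, enctype)."""
    seen, merged = set(), []
    for blob in blobs:
        for e in parse_keytab(blob):
            ident = (e["principal"], e["kvno"], e["enctype"])
            if ident not in seen:
                seen.add(ident)
                merged.append(e)
    return build_keytab(merged)


def has_principal(data, principal):
    """True if the keytab holds a key for exactly the principal SSSD will use
    as ldap_sasl_authid (realm names are case-sensitive in Kerberos)."""
    return any(e["principal"] == principal for e in parse_keytab(data))


# Constructed sample keytabs standing in for /root/client.keytab from the KDC
# and a pre-existing /etc/krb5.keytab on the client (keys are dummy bytes).
CLIENT_KEYTAB = build_keytab([{"principal": "host/client.example.com@EXAMPLE.COM",
                               "kvno": 2, "enctype": 18, "key": b"\x11" * 32,
                               "timestamp": 1700000000}])
EXISTING_KEYTAB = build_keytab([{"principal": "nfs/client.example.com@EXAMPLE.COM",
                                 "kvno": 1, "enctype": 17, "key": b"\x22" * 16,
                                 "timestamp": 1690000000}])

if __name__ == "__main__":
    merged = merge_keytabs(EXISTING_KEYTAB, CLIENT_KEYTAB)
    for e in parse_keytab(merged):
        print("%-40s kvno=%d enctype=%d" % (e["principal"], e["kvno"], e["enctype"]))
    print("sasl authid present:", has_principal(merged, "host/client.example.com@EXAMPLE.COM"))
```

To check a real client, read /etc/krb5.keytab into parse_keytab (as root) and confirm has_principal returns True for the value of ldap_sasl_authid; a False result with a principal that differs only in realm capitalisation is the usual cause of a GSSAPI bind failure.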