I had a scenario in which a RHEL 7 host had to be integrated with Active Directory (AD) and with an AWS Storage Gateway SMB file share to support a hybrid-cloud setup. It turned into a fairly involved troubleshooting exercise that took three working days of reading, debugging and testing — effectively reverse-engineering how the original infrastructure engineer had set up the existing on-prem-only environment…
1. Create the SPNs for the Linux server in the AD server.
REM Register both SPN forms (FQDN and short name) so the KDC can issue host/
REM service tickets for either name of the Linux host.
setspn -A host/azlinux001.rakdomain.local@RAKDOMAIN.LOCAL azlinux001
setspn -A host/azlinux001@RAKDOMAIN.LOCAL azlinux001
REM Verify the registration. NOTE(review): step 2 below maps the same host/ SPN
REM onto the svc-linux-krb user via ktpass /mapuser; an SPN may exist on only one
REM account in the forest, so check for duplicates with "setspn -X" if tickets
REM later fail to decrypt.
setspn -L azlinux001
2. Generate the Kerberos keytab on the AD server with ktpass and copy it to the azlinux001 host. The keytab holds long-term keys: transfer it over an encrypted channel (e.g. scp) and keep it root-owned with mode 0600. It is merged into the existing /etc/krb5.keytab in step 4 rather than replacing it outright.
!!!IMPORTANT!!! The @DOMAIN.NAME realm part is case-sensitive and must be written in upper case (RAKDOMAIN.LOCAL), exactly as it appears in krb5.conf and sssd.conf.
!!!NOTE!!! If the svc-linux-krb service account does not exist, create it in AD first. Be aware that the ktpass command below uses +rndPass, which resets that account's password: do not map the keytab to an account that any other service or keytab depends on.
REM /crypto All also emits DES and RC4-HMAC keys into the keytab; prefer
REM /crypto AES256-SHA1 (with AES enabled on the account) unless a legacy
REM client genuinely needs RC4. +rndPass resets svc-linux-krb's password, so
REM anything else using that account or an older keytab for it stops working.
REM +setupn sets the account's single UPN to this principal, so one such account
REM can serve only one host. -desonly here means "do NOT restrict to DES".
ktpass /princ host/azlinux001.rakdomain.local@RAKDOMAIN.LOCAL /out azlinux001-krb5.keytab /crypto All /ptype KRB5_NT_PRINCIPAL -desonly /mapuser RAKDOMAIN\svc-linux-krb +rndPass +setupn +setpass +answer
3. Backup the existing default keytab, sssd.conf and krb5.conf file.
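# Back up the keytab and the two config files before touching them.
# -a preserves mode/owner: the keytab and sssd.conf must stay root-only
# (0600), since the keytab holds the host's long-term Kerberos keys.
# FIX: the original third line was missing the space between source and
# destination, and two of the lines carried a leading "#" prompt that would
# have commented them out if pasted.
cp -av /etc/krb5.keytab /etc/krb5.keytab.bak
cp -av /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak
cp -av /etc/krb5.conf /etc/krb5.conf.bak
# Belt and braces: keep the sensitive backups unreadable to non-root users.
chmod 600 /etc/krb5.keytab.bak /etc/sssd/sssd.conf.bak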
4. Create another copy of the existing krb5.keytab in /root and merge it with the keytab generated in step 2 (e.g. with ktutil: rkt both files, then wkt the merged result to /etc/krb5.keytab). The existing keytab presumably holds the computer-account key (AZLINUX001$) that kinit uses in step 7; the new one adds the host/ principal used by SSSD and cifs.upcall. The merge commands are not reproduced here — the listing that follows is /etc/krb5.conf, which step 5 repeats.
[root@azlinux001 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
# SSSD writes its own snippets here (e.g. KDC locator overrides); keep it.
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
# Only "default" matters on a client; kdc/admin_server apply to KDC hosts.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Lets "kinit -k AZLINUX001$" work without spelling out the realm.
default_realm = RAKDOMAIN.LOCAL
# Realm and KDC are pinned in [realms]/[domain_realm] below instead of
# being discovered via DNS; update this file if the DC moves.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
# Every TGT is forwardable (delegable). Set to false if credential
# delegation is not required from this host.
forwardable = true
# No reverse-DNS canonicalisation of service hostnames; relevant when the
# share is reached through a CNAME alias.
rdns = false
# Only used for PKINIT (certificate logon); harmless otherwise.
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# Per-UID kernel keyring cache: each user's own tickets are what
# cifs.upcall looks up for the multiuser CIFS mount.
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
RAKDOMAIN.LOCAL = {
kdc = adserver.rakdomain.local
admin_server = adserver.rakdomain.local
}
[domain_realm]
.rakdomain.local = RAKDOMAIN.LOCAL
rakdomain.local = RAKDOMAIN.LOCAL
# Placeholder: replace "aliashostname" with the CNAME actually used to reach
# the share; as written it only matches a host literally named aliashostname.
aliashostname = RAKDOMAIN.LOCAL
[root@azlinux001 ~]#
5. krb5.conf configuration that lets kinit obtain a ticket for a principal from /etc/krb5.keytab without spelling out the realm: default_realm supplies RAKDOMAIN.LOCAL, and the pinned KDC and domain_realm entries avoid DNS-based discovery.
[root@azlinux001 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
# SSSD writes its own snippets here (e.g. KDC locator overrides); keep it.
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
# Only "default" matters on a client; kdc/admin_server apply to KDC hosts.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Lets "kinit -k AZLINUX001$" work without spelling out the realm.
default_realm = RAKDOMAIN.LOCAL
# Realm and KDC are pinned in [realms]/[domain_realm] below instead of
# being discovered via DNS; update this file if the DC moves.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
# Every TGT is forwardable (delegable). Set to false if credential
# delegation is not required from this host.
forwardable = true
# No reverse-DNS canonicalisation of service hostnames; relevant when the
# share is reached through a CNAME alias.
rdns = false
# Only used for PKINIT (certificate logon); harmless otherwise.
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# Per-UID kernel keyring cache: each user's own tickets are what
# cifs.upcall looks up for the multiuser CIFS mount.
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
RAKDOMAIN.LOCAL = {
kdc = adserver.rakdomain.local
admin_server = adserver.rakdomain.local
}
[domain_realm]
.rakdomain.local = RAKDOMAIN.LOCAL
rakdomain.local = RAKDOMAIN.LOCAL
# Placeholder: replace "aliashostname" with the CNAME actually used to reach
# the share; as written it only matches a host literally named aliashostname.
aliashostname = RAKDOMAIN.LOCAL
[root@azlinux001 ~]#
6. Add /etc/sssd/sssd.conf with the following domain configuration to support multiuser Kerberos authentication. The file must be root-owned with mode 0600 (SSSD will not start otherwise), and the domain must be enabled in the [sssd] section's domains= list, which is not shown here:
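# /etc/sssd/sssd.conf — domain section for RAKDOMAIN.LOCAL.
# SSSD checks that this file is root-owned and mode 0600 and will not start
# otherwise. The section name must also appear under "domains =" in the
# [sssd] section (not shown on this page).
[domain/default]
# --- Identity: plain LDAP against AD, bound with the host keytab via GSSAPI ---
id_provider = ldap
ldap_uri = ldap://ADSERVER.RAKDOMAIN.LOCAL
ldap_search_base = dc=RAKDOMAIN,dc=LOCAL
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_group_object_class = group
# Authenticate users by their AD UPN rather than <name>@krb5_realm.
ldap_user_principal = userPrincipalName
ldap_user_home_directory = unixHomeDirectory
ldap_force_upper_case_realm = True
# No StartTLS: the bind is SASL/GSSAPI, whose security layer signs and seals
# the LDAP traffic instead. Verify ldap_sasl_minssf is not lowered elsewhere.
ldap_id_use_start_tls = false
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/azlinux001.rakdomain.local@RAKDOMAIN.LOCAL
# Enumeration pulls the whole user/group tree on every refresh; costly on
# large domains and usually not needed for logins.
enumerate = True

# --- Authentication / password change: Kerberos against the AD KDC ---
auth_provider = krb5
chpass_provider = krb5
# FIX: was 2K8R2DOMAIN.GSS, a leftover from another environment that does not
# match the realm used everywhere else on this host (krb5.conf, the keytab
# principals, the kinit output). It only "worked" because the UPN above
# normally takes precedence for user logins.
krb5_realm = RAKDOMAIN.LOCAL
krb5_server = ADSERVER.RAKDOMAIN.LOCAL
krb5_kpasswd = ADSERVER.RAKDOMAIN.LOCAL
krb5_canonicalize = false
# Offline logins from cached credentials. NOTE(review): while the DC is
# unreachable a user disabled in AD can still log in until the cache
# expires — confirm offline_credentials_expiration suits this host.
cache_credentials = True

# --- Access control ---
# Only the AD account-expiry check is applied; any AD user with POSIX
# attributes can log in. To restrict logins, add ldap_access_filter
# (e.g. memberOf=<group DN>) and include "filter" in ldap_access_order.
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad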
7. Request a Kerberos ticket for the host's computer account from the keytab (-k) and confirm it authenticates:
[root@azlinux001 ~]# kinit -V -k AZLINUX001$
Using default cache: persistent:0:0
Using principal: AZLINUX001$@RAKDOMAIN.LOCAL
Authenticated to Kerberos v5
[root@azlinux001 ~]#
7. Request the Kerberos ticket (the transcript below duplicates the previous one):
[root@azlinux001 ~]# kinit -V -k AZLINUX001$
Using default cache: persistent:0:0
Using principal: AZLINUX001$@RAKDOMAIN.LOCAL
Authenticated to Kerberos v5
[root@azlinux001 ~]#
8. Configure the request-key upcall. The -t (trust-dns) option lets cifs.upcall build the service principal from the DNS-resolved name, which is what makes mounting through a CNAME alias work. cifs.upcall(8) notes that this trusts DNS to choose the SPN, weakening the check that the server is the one named in the mount target against spoofed DNS answers — use it only when a CNAME is required, and prefer mounting by the gateway's real FQDN where possible.
[root@azlinux001 ~]# cat /etc/request-key.d/cifs.spnego.conf
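# cifs.spnego: obtain the SMB service ticket using the host keytab. -t
# (trust-dns) derives the SPN from the DNS-resolved name so a CNAME alias
# works; it also lets a spoofed DNS answer pick the SPN, so drop it when the
# share is mounted by its real FQDN.
create cifs.spnego * * /usr/sbin/cifs.upcall -K /etc/krb5.keytab -t %k
# dns_resolver: hostname lookups for the mount. FIX: the original line read
# "-K /etc/krb5.keytab-t %k" — the missing space passed a non-existent keytab
# path and dropped -t entirely. (-K/-t are presumably irrelevant to this key
# type; confirm in cifs.upcall(8).)
create dns_resolver * * /usr/sbin/cifs.upcall -K /etc/krb5.keytab -t %k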
[root@azlinux001 ~]#
9. Mount the file share
[root@azlinux001 ~]# mount -vv //sgw-4922d720.rakdomain.local/rak-testbucket-002 /mnt/dmp/ -o sec=krb5i,multiuser,vers=3.0
mount.cifs kernel mount options: ip=10.62.48.94,unc=\sgw-4922d720.rakdomain.local\rak-testbucket-002,sec=krb5i,multiuser,vers=3.0,user=root,pass=
[root@azlinux001 ~]#
!!!IMPORTANT!!! sgw-XXXX is your AWS Storage Gateway ID; you MUST mount using the gateway's FQDN or IP address — DFS namespace paths are not supported. Note that sec=krb5i only signs SMB traffic (integrity); use sec=krb5p, or add the seal mount option with SMB3, if the share contents must be encrypted in transit.
Notes for AD users (Non-root) to access their CIFS shares
- To destroy kerberos tickets as root user
# kdestroy
- To obtain the host's Kerberos ticket from the keytab (AZLINUX001$ is this host's computer account):
# kinit -V -k AZLINUX001$
- To list the kerberos tickets acquired (NOTE: You won’t get any tickets if krb auth fails)
# klist
NOTE: Non-root AD users do not touch the keytab: they simply run kinit and enter their AD password; the multiuser mount then uses the ticket in that user's own credential cache to access the share.
References