These are a few notes I gathered together on integrating Windows 2000, RedHat, and HP-UX. They turned out to be the basis for an article I wrote appearing in the December 2001 issue of Sys Admin magazine. The notes provide a guide on how one might get a UNIX system to authenticate to a Windows 2000 box. Basically this is done by setting up your UNIX systems as Kerberos 5 clients and having the Windows 2000 box act as the KDC. The "automatic" authentication is done by using the PAM module pam_krb5 to authenticate everything that goes through the PAM stack by using Kerberos.
The first step is to set up Windows 2000. Each UNIX machine that is going to authenticate using Kerberos 5 must have a user account on the Windows machine. Simply add a user and make sure its first name and login name are the host name of that UNIX machine. Make sure the correct domain is selected in the field next to the login name. For example, the UNIX machine "withersa" would get a first name of "withersa", a login name of "withersa@gunet.gonzaga.edu", and "mypass" as a password.

Now that the account has been created, the next step is to generate the keytab file. You must first make sure that the Kerberos configuration utilities are installed. They are in the package found on the Windows 2000 distribution media under the support/tools directory. To install the package simply run "setup.exe". This package will give you one utility in particular: Ktpass. Simply open a command shell and change to the root directory. To generate the keytab issue the following command:

Believe it or not, setup is complete on the Windows 2000 machine. The next step is to set up the UNIX machine. The following is not platform specific, since the configuration file for a UNIX Kerberos client is the same for all platforms.
Under the RedHat Linux platform it is recommended that you install using the "Custom" option. The custom option allows you to specifically select which packages you want installed on your machine. For a RedHat Linux machine you will need the pam_krb5 package and the krb5 workstation package. To check that you have the packages installed, log in as root and issue the command "rpm -qa | grep krb"; you should then see output similar to this:
pam_krb5-1.31-1
krb5-libs-1.2.2-4
krb5-workstation-1.2.2-4
The above three packages come with RedHat 7.1 and they are all that are necessary for the Kerberos client to run properly.
Under an HP-UX 11.0 machine Kerberos 5 and pam_krb5 should already be installed. However, on CD 5 of the December 2000 application software release there is an upgrade of the Kerberos 5 software. This package needs to be installed for things to work properly.
Now that the RedHat or HP-UX system has the software properly installed, it is time to configure Kerberos 5. There are two main files one needs to be concerned about on a Kerberos 5 client: /etc/krb5.conf and /etc/krb5.keytab. Here is a sample /etc/krb5.conf configuration:
[libdefaults]
default_realm = GUNET.GONZAGA.EDU
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
[realms]
GUNET.GONZAGA.EDU = {
kdc = dc1-gunet.gunet.gonzaga.edu:88
kpasswd_server = dc1-gunet.gunet.gonzaga.edu:464
}
[domain_realm]
.gonzaga.edu = GUNET.GONZAGA.EDU
This is all you would need on both the RedHat and HP-UX systems. The [libdefaults] section gives the realm in default_realm = GUNET.GONZAGA.EDU. Then under the [realms] section we define the GUNET.GONZAGA.EDU realm. We give the KDC (Key Distribution Center) with kdc = dc1-gunet.gunet.gonzaga.edu. Note that dc1-gunet.gunet.gonzaga.edu is the Active Directory server which controls the GUNET.GONZAGA.EDU domain. In order to get Kerberos password changing to work (meaning one can change his/her Windows 2000 password under UNIX) the kpasswd_server entry must point at the Active Directory server. This can be a different host under more complicated setups. Also note the port numbers specified for both fields (88 for the KDC and 464 for the password server). The next section, [domain_realm], is used for translation: it contains relations which map host names, subdomains and domain names to Kerberos realm names. For example, on the host withersa.gonzaga.edu notice that the host name does not contain the subdomain gunet.gonzaga.edu (which happens to be our realm), so we need to provide a mapping of .gonzaga.edu = GUNET.GONZAGA.EDU. Note that this section is VERY IMPORTANT; if it is not provided it can cause a failure to connect to the KDC.
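As an added illustration (not part of the original notes), the following Python parses the krb5.conf layout shown above and performs the [domain_realm] lookup a client does before contacting a KDC. The config text is a constructed copy trimmed to the keys used; DNS TXT lookup (dns_lookup_realm) is left out, and the fallback is the client's last resort of upper-casing the host's domain, which is why a missing mapping yields the wrong realm for withersa.gonzaga.edu.

```python
import re

# Constructed copy of the krb5.conf shown in the notes (trimmed to the keys used here).
KRB5_CONF = """
[libdefaults]
default_realm = GUNET.GONZAGA.EDU
[realms]
GUNET.GONZAGA.EDU = {
kdc = dc1-gunet.gunet.gonzaga.edu:88
kpasswd_server = dc1-gunet.gunet.gonzaga.edu:464
}
[domain_realm]
.gonzaga.edu = GUNET.GONZAGA.EDU
"""

def parse_krb5_conf(text):
    """Return {section: {key: value or nested dict}} for krb5.conf-style text."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:                                    # new [section]
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if line == "}":                          # end of a { ... } block
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                         # start of a nested block
            block = section.setdefault(key, {})
        else:
            (block if block is not None else section)[key] = value
    return conf

def host_realm(conf, hostname):
    """Resolve a host's realm as the client does: exact host entry first, then
    the longest matching parent-domain entry in [domain_realm]; with no match,
    fall back to the host's domain in upper case (DNS lookup is simulated away)."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return ".".join(labels[1:]).upper()
```

Running host_realm with the [domain_realm] line removed returns GONZAGA.EDU rather than GUNET.GONZAGA.EDU, which is the realm mismatch behind the KDC connection failure the notes warn about.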
Once the /etc/krb5.conf file is complete, the next step is to import the keytab file that was generated on the Windows 2000 server. Simply transport the keytab file (withersa.keytab from the example above) to the UNIX host. Now run the command "ktutil" and you will get a prompt:
ktutil: rkt withersa.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
The first command, "rkt", reads the file in. If it comes up with an error you might have to provide the full path to the file. The next command, "wkt", merges the imported key into the /etc/krb5.keytab file. And finally "q" quits the program.
Now that this has been done one should be able to authenticate to the Windows 2000 machine. This is done with the utility "kinit", which fetches a ticket from the Windows 2000 server. Here are some useful Kerberos utilities:
kinit - obtain and cache Kerberos ticket-granting ticket.
klist - list cached Kerberos tickets.
kdestroy - destroy Kerberos tickets.
kpasswd - change a user's Kerberos password.
The next step is to get all applications that request authentication to use Kerberos 5. The easy answer to this is PAM, which is where the pam_krb5 module comes into play. Once the setup has been completed as above, the setup for PAM is quite simple. On RedHat 7.x systems the PAM configuration files are kept inside /etc/pam.d. In this directory one will notice the myriad of configuration files corresponding to different applications such as imap, login, su, sshd, etc. However, each of these depends upon a master file called "system-auth", and it is this file that needs to be changed:
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_krb5.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_krb5.so use_authtok
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_krb5.so
Notice that there are four sections to this file. For authentication we need to be concerned with the "auth" section only. PAM acts like a stack, so the modules are run from top to bottom with the conditions in the second field. The first module simply sets up an environment. The second module, pam_krb5, is set to sufficient, which means that if the user authenticates with his/her username and password then it returns success and the user is able to login without the remaining modules being consulted. The third module, pam_unix, is also marked sufficient, so its result only matters when pam_krb5 fails: in that case it can allow the user to login provided that his/her account and password match with the /etc/passwd scheme. As an example: if jsmith telnets in and enters a username and password that exist on the Kerberos server then he/she will be able to login. If root telnets in but there is no "root" account on the Kerberos server then the pam_unix module (because of use_first_pass) will reuse the username and password that were given to pam_krb5. pam_unix will check whether the root username and password are valid locally and allow a login if they are.
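As an added example (not part of the original notes), this Python simulation applies the Linux-PAM control-flag rules to the "auth" stack listed above and walks the jsmith and root cases from the text. The KDC and /etc/passwd account tables are constructed stand-ins, and the module functions are simplified models of pam_env, pam_krb5, pam_unix (use_first_pass) and pam_deny.

```python
# Constructed account tables: principals on the Windows 2000 KDC, and local /etc/passwd users.
KDC_ACCOUNTS = {"jsmith": "kerb-pass"}
LOCAL_ACCOUNTS = {"root": "local-pass", "jsmith": "stale-local-pass"}

# Simplified models of the modules in the system-auth "auth" section.
def pam_env(user, password):
    return True                                  # only sets environment, never fails
def pam_krb5(user, password):
    return KDC_ACCOUNTS.get(user) == password    # would obtain a TGT from the KDC
def pam_unix(user, password):
    return LOCAL_ACCOUNTS.get(user) == password  # use_first_pass: same password reused
def pam_deny(user, password):
    return False

# Module order and control flags exactly as in the system-auth excerpt above.
AUTH_STACK = [
    ("required",   pam_env),
    ("sufficient", pam_krb5),
    ("sufficient", pam_unix),
    ("required",   pam_deny),
]

def run_auth_stack(stack, user, password):
    """Return (authenticated, modules_consulted) following Linux-PAM rules:
    a 'sufficient' success ends the stack at once unless a 'required' module
    already failed; a 'required' failure is remembered but the stack runs on;
    a 'requisite' failure returns immediately."""
    required_failed = False
    consulted = []
    for control, module in stack:
        ok = module(user, password)
        consulted.append(module.__name__)
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return False, consulted
        elif control == "sufficient" and ok and not required_failed:
            return True, consulted
    return not required_failed, consulted
```

The stale-local-pass entry shows the caveat of this layout: a password that still matches /etc/passwd lets a user in through pam_unix even after the Kerberos password was changed, so local password entries for Kerberos users should be disabled or kept in sync.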
The HP-UX 11.x PAM configuration file is found in /etc/pam.conf. The format is very similar to the RedHat file and the concept is still the same:
#
# PAM configuration
#
# Authentication management
#
login    auth sufficient /usr/lib/security/libpam_krb5.1
login    auth required   /usr/lib/security/libpam_unix.1 try_first_pass
su       auth sufficient /usr/lib/security/libpam_krb5.1
su       auth required   /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin  auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin  auth required   /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required   /usr/lib/security/libpam_unix.1 try_first_pass
ftp      auth sufficient /usr/lib/security/libpam_krb5.1
ftp      auth required   /usr/lib/security/libpam_unix.1 try_first_pass
OTHER    auth sufficient /usr/lib/security/libpam_krb5.1
OTHER    auth required   /usr/lib/security/libpam_unix.1 try_first_pass
#OTHER   auth required   /usr/lib/security/libpam_unix.1
#
# Account management
#
login    account required /usr/lib/security/libpam_krb5.1
login    account required /usr/lib/security/libpam_unix.1
su       account required /usr/lib/security/libpam_krb5.1
su       account required /usr/lib/security/libpam_unix.1
dtlogin  account required /usr/lib/security/libpam_krb5.1
dtlogin  account required /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_krb5.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp      account required /usr/lib/security/libpam_krb5.1
ftp      account required /usr/lib/security/libpam_unix.1
OTHER    account required /usr/lib/security/libpam_unix.1
#
# Session management
#
login    session required /usr/lib/security/libpam_krb5.1
login    session required /usr/lib/security/libpam_unix.1
dtlogin  session required /usr/lib/security/libpam_krb5.1
dtlogin  session required /usr/lib/security/libpam_unix.1
dtaction session required /usr/lib/security/libpam_krb5.1
dtaction session required /usr/lib/security/libpam_unix.1
OTHER    session required /usr/lib/security/libpam_unix.1
#
# Password management
#
login    password required /usr/lib/security/libpam_krb5.1
login    password required /usr/lib/security/libpam_unix.1
passwd   password required /usr/lib/security/libpam_krb5.1
passwd   password required /usr/lib/security/libpam_unix.1
dtlogin  password required /usr/lib/security/libpam_krb5.1
dtlogin  password required /usr/lib/security/libpam_unix.1
dtaction password required /usr/lib/security/libpam_krb5.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER    password required /usr/lib/security/libpam_unix.1
It is essential that the time on the Windows server and the time on the UNIX machines (Kerberos clients) match, else the authentication does not work.

The root user cannot change the password of Kerberos users using "kpasswd"; the root user is also prompted for the previous password of the user. So instead you must change the user's password on the Windows server.