Sunday, February 12, 2017

Debian Jessie, Kerberos, Cross-Forest AD authentication and all that pam_regex

Had a need to allow users of forest FOREST-B to authenticate to Linux machines of forest FOREST-A and, on top of that, to grant them sudo access. Google-fu didn't help much, as most people only need to authenticate users inside one forest (which is well covered already and a pretty standard setup anyway). Poking around PAM and Kerberos eventually got the task done.

I didn't manage to implement the authentication of FOREST-B users based on their Active Directory group membership in FOREST-A though, but one can only have that much luck (didn't have the task anyway). If someone has managed to do that, please let me know in the comments.

When a Cross-Forest trust is established between two domains, a special OU called Foreign Security Principals is created in both forests. This OU contains the security principals of trusted domains. So when you add user testuser of FOREST-B to an AD group of FOREST-A, a foreign security principal linking to testuser is created in that OU. Obviously, FSP auth relies heavily on Kerberos, so our Linux box needs to consult the DCs of the trusted forest, which are defined in krb5.conf.

Why do we need Samba and winbind then, if Kerberos can do the trick? Unfortunately, sudo can only resolve user and group permissions for local uids and gids, so we have to idmap them via winbind before we can add them to the sudo group later, and that's why our Linux box needs to be joined to the domain.

There's also another caveat I came across. When I SSHed to the Linux box as testuser@FOREST-B.COM (to initiate Kerberos auth in the foreign principal's domain), I found out that my user's login name had the form FOREST-B\testuser (the way winbind maps users if the separator isn't changed). What's the big deal anyway? The deal is that when that user runs sudo and has to authenticate via Kerberos once again, the pam_krb5 module receives the username in the wrong format and therefore can't figure out how to authenticate him. So I had to find a way to transform the username right before it was fed to pam_krb5 in the sudo check.

That's when the magnificent pam_regex module comes in. Its documentation says it can transform the username via a regular expression you define, just before the next PAM module kicks in. Sounds like exactly what I needed, yeay!

Seems like I'm gonna do it nice and professional after all:

Anyway, let's roll. These are the steps we need to do: alter our SSH config to allow Kerberos auth; download, compile and install the pam_regex module; alter our PAM configuration; alter the smb.conf and krb5.conf files; add the user to the local sudo group (or any local group you like to give sudo permissions to).

The setup:
  • Cross-Forest Active Directory trust between FOREST-A and FOREST-B
  • Standard Debian Jessie Linux with FQDN trust.forest-a.com
  • winbind and samba 4.5.2 joined to domain in FOREST-A
  • pam_regex 2.0 module compiled and installed
  • pam_krb5 module
  • User testuser@FOREST-B who needs to be authenticated in FOREST-A and granted sudo access.
I'm not going to cover the initial configuration of Debian and Samba 'cause there are so many guides and how-tos out there already. I assume that Kerberos is working fine, PTR resolves correctly, time is consistent across all servers and users of FOREST-A are able to authenticate via Kerberos to trust.forest-a.com. And you have established two-way trust with foreign forest, haven't you?

0. Add your FOREST-B user account to the sudo group.

adduser FOREST-B\\testuser sudo

1. Set up your smb.conf file to map users from the two realms. I used ids 50000 to 70000 to map users from the parent domain and reserved ids 70001 to 80000 for mapped users from FOREST-B.

2. Set up your krb5.conf file for the two realms.


3. Modify your basic PAM rules in /etc/pam.d/: common-auth, common-password and common-account. Your files will most certainly differ, but the pam_krb5 module needs to be listed to allow Kerberos. I don't need Kerberos to authenticate my local Linux users, so I added minimum_uid=10000. I also used the alt_auth_map parameter to be able to log in as testuser@forest-b.com rather than testuser@FOREST-B.COM. I didn't need any special rules, so I left only Kerberos and local Unix authentication.

4. Modify your /etc/pam.d/sudo file.

First, pam_succeed_if checks that the uid is less than 70000, so my FOREST-A.COM mapped accounts won't get checked against Kerberos again. If that check fails, pam_regex gets to work with its transform directive, which actually transforms the user string from FOREST-B\testuser to testuser@FOREST-B.COM. Finally, the transformed user string is fed to the standard PAM stack we defined previously.

5. In the last step you need to make sure Kerberos authentication is enabled in your sshd_config file and the UsePAM directive is set to yes. Here's the snippet of my working sshd config. I only allow users in the sudo group to log in via ssh.
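As an added example (my own, not the author's config files), here is a consolidated version of the pieces the steps above describe: the two idmap ranges from step 1, a two-realm krb5.conf, a common-auth stack with minimum_uid=10000, the sudo stack with the uid gate and the pam_regex rewrite, and the sshd settings from step 5. The KDC hostnames dc1.forest-a.com and dc1.forest-b.com are placeholders, the pam_regex transform syntax follows my reading of its manual, and alt_auth_map is left out.

```ini
# ---- /etc/samba/smb.conf (winbind/idmap part only) ----
[global]
   workgroup = FOREST-A
   realm = FOREST-A.COM
   security = ads
   allow trusted domains = yes
   # keep the DOMAIN\user login form the post relies on
   winbind use default domain = no
   idmap config * : backend = tdb
   idmap config * : range = 10000-49999
   idmap config FOREST-A : backend = rid
   idmap config FOREST-A : range = 50000-70000
   idmap config FOREST-B : backend = rid
   idmap config FOREST-B : range = 70001-80000

# ---- /etc/krb5.conf ----
[libdefaults]
    default_realm = FOREST-A.COM
[realms]
    FOREST-A.COM = {
        kdc = dc1.forest-a.com
    }
    FOREST-B.COM = {
        kdc = dc1.forest-b.com
    }
[domain_realm]
    .forest-a.com = FOREST-A.COM
    .forest-b.com = FOREST-B.COM

# ---- /etc/pam.d/common-auth ----
# local Linux users (uid < 10000) are never sent to Kerberos
auth  [success=2 default=ignore]  pam_krb5.so minimum_uid=10000
auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so

# ---- /etc/pam.d/sudo ----
# FOREST-A mapped uids (< 70000) skip the rewrite; FOREST-B\user becomes user@FOREST-B.COM
auth  [success=1 default=ignore]  pam_succeed_if.so quiet uid < 70000
auth  required  pam_regex.so extended transform=s/^FOREST-B\\(.*)/\1@FOREST-B.COM/
@include common-auth
@include common-account
@include common-session-noninteractive

# ---- /etc/ssh/sshd_config ----
UsePAM yes
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
AllowGroups sudo
```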

If everything is done right, here is what you should get after SSHing and subsequently sudoing:

Link to the pam_regex author's website; you can get the sources there.
