Ubuntu 14.04 Ultimate Server Guide

Part 4: Kerberos

It’s time to install and configure Kerberos.

sudo apt-get install krb5-kdc krb5-admin-server

The packages will automatically configure Kerberos for the correct realm from the information provided by Dnsmasq earlier in this guide. All we have to do is create the database for the realm using the following tool:

sudo krb5_newrealm

There will be a slight delay whilst the server gathers enough random data to continue (if you have a mouse connected to the server, you will dramatically speed up this process by moving it in circles now) then you will be asked to enter a master key for Kerberos, make sure you use something secure and memorable.

To configure Kerberos for NFS later, we’ll need to create an admin user.

sudo kadmin.local

The following output should be observed:

Authenticating as principal root/admin@DANBISHOP.ORG with password.
kadmin.local:

Enter the following:

addprinc dan/admin

Enter a password when prompted, then quit:

WARNING: no policy specified for dan/admin@DANBISHOP.ORG; defaulting to no policy
Enter password for principal "dan/admin@DANBISHOP.ORG": 
Re-enter password for principal "dan/admin@DANBISHOP.ORG": 
Principal "dan/admin@DANBISHOP.ORG" created.
kadmin.local: quit

We need to give dan/admin admin privileges by editing the access control list for Kerberos (/etc/krb5kdc/kadm5.acl) this file should contain the following:

# This file Is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin  is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *

Note that the last line has been uncommented so that all /admin principals have admin rights. To get Kerberos to use the new ACL we need to restart it:

sudo service krb5-admin-server restart

Now we can test everything has worked with:

kinit dan/admin

Enter the password you set when requested then run klist:

klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan/admin@DANBISHOP.ORG

Valid starting     Expires            Service principal
02/05/11 19:57:24  02/06/11 05:57:24  krbtgt/DANBISHOP.ORG@DANBISHOP.ORG
	renew until 02/06/11 19:57:21

If you get output something like the above then congratulations, you have a fully functioning Kerberos Realm 🙂

To ensure that all services (samba for windows clients in particular) that might like to use your Kerberos realm in the future can do so, you should add your realm information to /etc/krb5.conf like so:

[libdefaults]
	default_realm = DANBISHOP.ORG

# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
        DANBISHOP.ORG = {
                kdc = neo.danbishop.org
                admin_server = neo.danbishop.org
                master_kdc = neo.danbishop.org
                default_domain = danbishop.org
        }

Congratulations, you have a fully functional Kerberos domain!

Authentication on the Server

Although we don’t have any domain users yet (that comes in step 6!) we can set the server up to accept them for login now that we have LDAP and Kerberos up and running.

This is done using SSSD.

sudo apt-get install sssd

SSSD is essentially magic. It will set it self up from everything else we’ve already configured at this point… sometimes. Whilst SSSD now has everything it needs, I have found that the install scripts frequently fail to output the config file. Since you were probably going to make a couple of changes anyway, this isn’t a big deal. We can create it ourself like so:

sudo nano /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, sudo
domains = danbishop.org

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/danbishop.org]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = false

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://ldap.danbishop.org
ldap_search_base = dc=danbishop,dc=org
ldap_sudo_search_base = ou=sudoers,dc=danbishop,dc=org
ldap_tls_reqcert = never

krb5_kdcip = kerberos.danbishop.org
krb5_realm = DANBISHOP.ORG
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
krb5_renewable_lifetime = 5d

In order for sssd to start correctly, the config file needs to be readable only by the root user, if the file already existed when you went to edit it, this step shouldn’t be necessary, but just in case:

sudo chmod 600 /etc/sssd/sssd.conf

Now we can restart sssd and you should be able to login at the terminal as one of your LDAP/Kerberos users:

sudo service sssd restart

Kerberised SSH

As kerberos logins now work on the server, you might want to enable kerberised ssh so that when users are logged into client machines, a simple “ssh neo” will have them logged straight in without requiring their password again.

First edit /etc/ssh/sshd_config and change GSSAPIAuthentication from no to yes. Leave all other Kerberos options as their defaults.

sudo nano /etc/ssh/sshd_config
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Now we need to create a kerberos principal for the SSH service to use:

sudo kadmin.local -q "addprinc -randkey host/neo.danbishop.org"
sudo kadmin.local -q "ktadd host/neo.danbishop.org"

Reload the SSH configuration and you’re done!

sudo service ssh reload
  • Florent

    Hi Dan !
    Thank you for your great work, as usual 🙂

    I have an error on part 7, like another follower of your 12.04 guide (http://www.danbishop.org/2012/06/02/ubuntu-12-04-ultimate-server-guide/#comment-1552860993).
    Command kadmin -p dan/admin -q “addprinc -randkey nfs/$(hostname -f)” failed with :
    Authenticating as principal dan/admin with password.
    kadmin: Cannot resolve network address for admin server in requested realm while initializing kadmin interface

    Moreover, after restart sssd, it is impossible to connect to LDAP user with su, and getent passwd only shows local user.
    I think there is a problem between client and server. Evertyhing works fine on server side, and client can ping server through kerberos.domain.local and ldap.domain.local.

    Thank you for your help

    • danbishop88

      Hi Florent,

      Try appending -s kerberos.domain.local to that command and see what happens. It looks like you’re customising some parts of the guide for your own environment, but not others… it’s possible that your /etc/krb5.conf file on the client is wrong.

      I’m hoping to have a way of doing all of this using puppet going very soon. I’m almost there and will hopefully publish in the next couple of weeks. That should eliminate all the problems people are having by varying parts of the guide for their environment, but not others.

      Dan

      • Florent

        Thank you very much for your answer.
        I reinstall server & client. No customising except domain (domain.local) and kerberos username as florent/admin. On the client side, sudo dpkg-reconfigure krb5-config only ask realm but server and admin server where difined during installation. My /etc/krb5.conf file seems to be good. My domain isn’t defined in [domain_realm] but it is in [libdefaults]. Servers name are in top of [realms] (kdc and admin_server).
        Is there au place where krb logs ?

        Thanks again.
        Florent

    • Hi Florent,

      i run accoss the same problem as you have, after several tryout found out that you need to point you DNS Client into IP of Server.

      ie. DNS Client is : 8.8.8.8 from Network Manager, then you change to 192.168.1.100 (IP of Ubuntu Server)

      and voila :)… Hope this helps !

    • aqw

      I also got this error and solved it by adding 192.168.0.2 kerberos.danbishop.org to /etc/hosts of the client machine

    • OleHoppe

      Solved this issue by editing /etc/nsswitch.conf on the client (kubuntu 16.04.2). Modify “hosts” line to read:
      hosts: files dns
      HTH

  • Marco

    Hi Dan, thanks for this beatifoul guide

    i try many times your guide but have some problem

    server configure as your guide
    when try login from a configured client (using server username) it log succesfull but unable to mount home directory

    “Could not chdir to home directory /home/fabio: No such file or directory”

    check and check again but still this problem….

    can you help me?

    • Marco

      I have only linux (debian) pc, i’m interested central accounting and share users home directory… samba in future (now not important)

      ubuntu 14 server configure as your VERY clear guide (and thanks!!)
      i’m able lo ssh login on server using LDAP user accounts and is fantastic

      then want allow login from clients, pc… configure as guide… login is accepted but NO home directory mounted

      how i can debug where problem is?

      Sorry for my english

      • GuiSenges

        Hello Marco,

        I got the same problem. Any news? I’ve double checked this tutorial multiple times and everthing seems ok…

        • GuiSenges

          Small Update: When running automount in verbose mode I get “mount(nfs): no hosts available”. NFS server is up and running…Very strange…

        • GuiSenges

          Ok, I figured it out: Ports 111 and 2049 both TCP and UDP needs to be openned….Thanks for the excelent tutorial Dan!

        • Marco

          In my case there was no firewall…

        • Marco

          Problem solved, was a problem with reverse resolution… because i have an existing bind dns server and need use it, can’t use dnsmasq. Now NFS/kerberos works perfect!!
          Tanks for this perfect, clean guide DAN!!

          Now going on to configure samba, but i have a problem again (sorry!!): windows PC can see samba share but can join to samba domain. When try to join samba domain from a windows pc, it ask user name and password (i use my user (domainuser) with net rpc rights grant) but give me an error… each username and password i try to use same error…

    • Hi Marco,

      i have the same situation as you are, can you help me out the solutions here ?

  • Marco

    Hi again,
    i have this strange problem:

    if i reinstal ubuntu on server, add again ldap users, kerberos etc etc (as in this guide)

    clients can’t mount their home using nfs

    try to login one from client, perform again:
    kadmin -p dan/admin -q “addprinc -randkey nfs/$(hostname -f)”
    sudo kadmin -p dan/admin -q “ktadd nfs/$(hostname -f)”
    but nothink happens

    if i reinstall ubuntu on client pc, follow client configuration (of this guide) all return perfect working

    I think problem is Kerberos, but how to solve this problmem when i reinstall OS on server?
    try to remove nfs princ from server but not solution

    any advices?
    thanks

    • Hi Marco,

      happens to be the same issue with me as well,
      but instead of reformatting ubuntu client, here are what i did :

      apt-get purge –remove krb5-user -y
      REBOOT NOW !

      apt-get install krb5-user -y
      dpkg-reconfigure krb5-config

      sudo kadmin -p dan/admin -q “addprinc -randkey nfs/$(hostname -f)”
      sudo kadmin -p dan/admin -q “ktadd nfs/$(hostname -f)”

      REBOOT NOW !

      and you can easily login with your domain users credentials 🙂

      (PS : your guess is right it is somehow connected to Kerberos, but no need to remove nfs princ 🙂

      • Marco

        Hi,
        thanks for this solution!

  • Steve Thompson

    Hi,
    Thanks for the great guide. I have a question about this setup – I also had this problem with the 12.04 guide. In both, you set neo to have a static IP and then you configure dnsmasq to use Google’s public servers. At no point, as far as I can see, do you tell neo which DNS servers to use which means it has no DNS. I’ve added dns-nameservers 127.0.0.1 to the static config to get round this but I can’t figure out if I’m missing something in the instructions that would make this unnecessary?

    Thanks

  • Hi Dan, just a quick correction,

    on Page 6
    there is something like

    #BINDPWDFILE=”/etc/ldapscripts/ldapscripts.passwd”

    it should be not comment (remove the hashtag)

    otherwise it will come out results

    “Unable to read password file , exiting…”

    But overall this is Awesome tutorials :))

    • Thanks Adhi… I had the same issue. Great guide by the way, Dan 😀

  • Marco

    Hi, i have new problem

    new workstation wit Windows 10 need to be joined to Samba

    not no succes 🙁

    no problem when add windows7 macchines

  • Ian Carey

    The package ldapscripts didn’t work for me. I used ldap-account-manager instead.

    For Samba, by default you get Samba 4. Your command “adminlocal@neo:$ net rpc rights grant -U dan “danbishop.orgDomain Admins” SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege” is depreciated and will not work with Samba 4.

    Fix is a new syntax below.

    net sam rights grant “danbishop.orgDomain Admins” SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege -Udan

    Other than those two things I have it all up and running perfectly. Thank you Dan!

  • Jheguy2

    I’ve been getting the error:
    Error adding group domainadmins to LDAP
    every time I try and create a new group. I’ve checked the logs and they are returning:
    ldap_add: No such object (32)
    If anyone could help me I would be more than grateful. Thank you.

    • Pekka R.

      Had similar problem. Did not check the logs, so not completely sure if same problem.
      I commented line BINDDN=”cn=Manager,dc=example,dc=com” from

      /etc/ldapscripts/ldapscripts.conf
      since similar line was already added for actual DN by Dan’s instructions.

    • Dheeraj Bharat Sethi

      Hi there, In just faced the same issue, can you please let me know the solution for the same?
      Thanku

      • Dheeraj Bharat Sethi

        Got it resolved, adding password by vi was causing the issue.

  • Olivier Dir

    hi all after client install (ubuntu 14.04) without error
    i don’t found domainadmins with command getent group
    how do to debug this point ?

    where is the log file for see if there are a problem ?

    thank for your help

  • Marco

    All works fantastic (10months perfect working)
    but now i have new workstation with windows10 preinstalled, want join them tho ubuntu domain
    follow same guide than win7 but win10 give me an error, not join into domain giving an error (unable to contact domain)

    any help?

  • Kleder Osodarck

    Hello Dan!

    First thanks for the great tutorial!

    I’m using your guide to build an GNS3 network for a college project, the problem is I have to join Windows XP and 2000 machines in the domain, any information or direction on how to do so will be really appreciated! below is the error I’m receiving in a Windows XP machine:

    error 0x000005B4 ERROR_TIMEOUT

  • John Christensen

    I am not having luck getting Windows 7 to connect to the Samba DC. The error I am getting says that windows was trying to contact the SRV record for _ldap._tcp.dc._msdcs.. I added a SVR record to dnsmasq.conf and pointed the requests to ldap. on port 398. Now I am getting an error from Windows that the domain controller at ldap. could not be reached. Any thoughts on why this is not working for me?

  • TC

    On Ubuntu 15.10, I failed at Step 6, “sudo ldapaddgroup domainadmins”. In /var/log/ldapscripts.log, the error message is ldapadd: invalid format (line 1) entry “”. It turns out it is a bug in ldapscripts—it fails in some locales. For more information, read this:

    https://github.com/martymac/ldapscripts/issues/3

    You can fix this bugs by these commands:

    sudo su
    LC_ALL=C ldapaddgroup domainadmins
    LC_ALL=C ldapaddgroup domainusers
    LC_ALL=C ldapadduser csatc2002 domainadmins
    LC_ALL=C ldapaddusertogroup csatc2002 domainusers

    Just my two cents, and hope it helps.

  • Thanks a lot, Dan.
    I migrated the authentication of a cluster of machines with Ubuntu 14.04 from NIS to LDAP+Kerberos and it worked great. I tried to follow the instructions for SingleSignOn from the Ubuntu Help but it was very complicated, didn’t explain some concepts and contained some “magical” instructions. This guide help me figure out what I needed to do.

  • Srinath Bk

    Hi Dan,

    thanks for the excellent tutorial.

    I cannot use DHCP server for my setup since, there is already another DHCP server in the LAN. I would like to use static IP for both server and clients. Can you please suggest what needs to be changed?

    regards,
    Srinath

  • Dheeraj Bharat Sethi

    Hi dan,
    Thanku so much for the guide.
    been stuck on last step. when trying to login via the new ldap user.
    “No passwd entry for user”
    When trying to add passwd, “user does not exist”
    What is going wrong here?
    Thanku

  • Dheeraj Bharat Sethi

    Getting Permission Denied via SSH for the Ldap user added , and Incorrect Login via server login

  • Hello Dan,

    Are there any GUI based apps for managing Sudoer Rules in LDAP? Using a
    LDAP Browser is not a very user-friendly way for managing a large number
    of Sudo Rules. FreeIPA has a UI for managing Sudoer Rules, but it
    requires 389 Directory Server, and we don’t use that in our environment
    (for good reasons)

  • Bineural juls

    Hi, i think all its working ok, but as sson as i login by ssh with user i have this error.. Could not chdir to home directory /home/robert: No such file or directory
    And localy on the machine this one:
    No directory, logging in with HOME=/
    I can see the problem is that my home is not working.. but i dunno how to solve this.
    Any idea please?
    Thanks a lot

  • Pekka R.

    Salut!
    This is still the most clear and complete guide to set up a small company network environment with servers. I can not find better. And I have looked around. Just bloody exellent. “Ultimate” describes this well.
    Did finally have time to look at chapter 10. Just wondering what does mean “In this case a stock install of 12.04 server is being used” in this context.

    Dan? Does it mean a copy of the primary server installation that I could make with dd command and then twist around the dnsmasq configuration file?

    Maybe safest option is to start installing server from the start and follow up the master server setup instructions untill this point. I expect that the /etc/dnsmasq.conf file will be mirror of the master dnsmasq server regarding to ip-adresses and host names. Will start playing with image copied with dd first.

    Many thanks to Dan for giving this to public domain. To boil up this kind of instruction set so, that it is also comprehensible, must have taken a ton of work.

  • Gin

    Great guide and working one 🙂
    Any chance to update same tutorial for Ubuntu 16.04? Or maybe a little help pls. Things seems working till samba setup. First of all in Ubuntu 16.04 libpam-smbpass was removed. So I add user manually for krb and samba using same credentials (even account for machine in some tests). When i try to join an Windows 7 to domain I got follow error:
    “The join operation was not successful. The could be because an existing computer account having the name xxxx was previously created using a different set of credentials. Use a different computer name or contact your administrator to remove any stale conflicting raccount. The error was: Access is denied.”
    Ldap log:
    Jan 31 13:58:59 dcdoxmain slapd[1539]: conn=1052 fd=20 ACCEPT from IP=xxx.xxx.xxx.xxx (IP=0.0.0.0:389)
    Jan 31 13:58:59 dcdoxmain slapd[1539]: conn=1052 op=0 BIND dn=”” method=163
    Jan 31 13:58:59 dcdoxmain slapd[1539]: SASL [conn=1052] Failure: GSSAPI Error: An unsupported mechanism was requested (Unknown error)
    Jan 31 13:58:59 dcdoxmain slapd[1539]: conn=1052 op=0 RESULT tag=97 err=49 text=SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
    Samba shares could be accessed from Windows 7 using same credentials.

  • Marco

    Hi again DAN, thanks again for this beatifoul guide… i’m using it in my office and works like a charm!!
    I’m really happy to have Win7 and Linux (debian) with distributed logins, home directories!
    Now i really have a bit headache trying join new windows 10 pro macchines to samba domain… i try many many different samba configuration but no solution.
    You know any solution?

    Thanks