SSSD stands for System Security Services Daemon. It is a set of daemons that handle authentication, authorization, and user and group information from a variety of network sources. SSSD has core support for the following:
- Active Directory
- Kerberos
- LDAP
The NSS and PAM modules provided by SSSD integrate these remote sources into the system, so that remote users are recognized as valid local users. The information can also be cached, allowing users to log in even when the network is down.
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and modifying X.500-based directory services over TCP/IP. It is not limited to editing data stored in Active Directory; it works with other directory service providers as well. It shares information about users, networks, systems, services, and applications from a directory service with other applications and services.
Kerberos is a security protocol that is used to authenticate service requests between trusted hosts on a network. It uses cryptographic secret keys and a trusted third party for client-server authentication.
We can use LDAP, SSSD and Kerberos together on Linux to provide functionality similar to Active Directory. In this guide, we will walk through configuring LDAP, SSSD, and Kerberos authentication on Ubuntu 22.04|20.04|18.04. LDAP will provide the users and groups, and Kerberos will handle authentication.
Getting Started
This guide requires you to have the following:
- An existing OpenLDAP server installation with RFC2307 schema for users and groups. SSL support is recommended, but not strictly necessary because authentication in this setup is being done via Kerberos and not LDAP.
- A Kerberos server. It doesn’t have to be using the OpenLDAP backend.
- A client host where we will install and configure SSSD for authentication.
My environment has been set up as shown below:

| Task | Server Name | IP address |
|---|---|---|
| LDAP Server | ldap.geeksforgeeks.org | 192.168.205.2 |
| Kerberos Server | krb5.geeksforgeeks.org | 192.168.205.22 |
| Client (Ubuntu) | client1.geeksforgeeks.org | 192.168.205.11 |
Remember that the LDAP and Kerberos servers do not need to run on the same host; they can run separately. Once your environment is ready, proceed as shown below.
Step 1 – Install and Configure LDAP Server
The LDAP server will provide the users and groups. Start by setting the hostname on the server:
sudo hostnamectl set-hostname ldap.geeksforgeeks.org
Now add the hostname to the /etc/hosts file (the LDAP server's own address, 192.168.205.2 in this environment).
$ sudo vim /etc/hosts
192.168.205.2 ldap.geeksforgeeks.org
Next, set up the LDAP server. Any of the following guides can be used:
- Install and Configure OpenLDAP Server on Rocky Linux 8 / AlmaLinux 8
- Install and Configure OpenLDAP Server on CentOS 8|RHEL 8
- Install OpenLDAP Server on Debian
- Install and Configure OpenLDAP Server on Ubuntu
Once the server has been installed, we will create a simple user for testing. The LDIF file adds, under the People node (users) and the Group node (groups):
- a user called john, under People
- a personal group called john, under Group
- a group called Engineering, under Group
Create the file as shown:
vim adduser2.ldif
Add the below lines to the file.
dn: uid=john,ou=People,dc=neveropen,dc=com
uid: john
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Smith
sn: Smith
givenName: John
mail: [email protected]
uidNumber: 10001
gidNumber: 10001
loginShell: /bin/bash
homeDirectory: /home/john

dn: cn=john,ou=Group,dc=neveropen,dc=com
cn: john
objectClass: posixGroup
gidNumber: 10001
memberUid: john

dn: cn=Engineering,ou=Group,dc=neveropen,dc=com
cn: Engineering
objectClass: posixGroup
gidNumber: 10100
memberUid: john
Now add the content with the command:
$ sudo ldapadd -x -D cn=Manager,dc=neveropen,dc=com -W -f adduser2.ldif
Enter LDAP Password:
adding new entry "uid=john,ou=People,dc=neveropen,dc=com"
adding new entry "cn=john,ou=Group,dc=neveropen,dc=com"
adding new entry "cn=Engineering,ou=Group,dc=neveropen,dc=com"
Verify that the information has been added:
$ ldapsearch -x -LLL -b dc=neveropen,dc=com '(uid=john)' cn gidNumber
dn: uid=john,ou=People,dc=neveropen,dc=com
cn: John Smith
gidNumber: 10001
Note that we did not set a password when creating the user; in this setup Kerberos, not LDAP, provides the login password.
Step 2 – Install and Configure Kerberos Server
On the Kerberos server (in this case an Ubuntu 22 host), begin by setting the hostname.
sudo hostnamectl set-hostname krb5.geeksforgeeks.org
Add the hostname to the /etc/hosts file.
$ sudo vim /etc/hosts
192.168.205.22 krb5.geeksforgeeks.org krb5
Now install the Kerberos KDC and admin server:
sudo apt install krb5-kdc krb5-admin-server krb5-config -y
Proceed through the installation prompts as below. By default, the domain name is used as the realm.
- Set the Kerberos server (krb5.geeksforgeeks.org)
- Set the admin server (krb5.geeksforgeeks.org)
Once the installation is complete, the KDC service will fail to start because no realm database exists yet. This is expected; proceed with the configuration.
Configure Kerberos Server
Create a new realm. You will be asked for a strong master password, which is used to derive the key that encrypts the local KDC database.
sudo krb5_newrealm
Proceed as below:
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'COMPUTINGFORGEEKS.COM',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: Set master key here
Re-enter KDC database master key to verify: Re-enter master key here
Now create an admin principal for Kerberos. Open the local admin utility with:
$ sudo kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local:
Create a principal called ubuntu/admin:
kadmin.local: addprinc ubuntu/admin
WARNING: no policy specified for ubuntu/[email protected]; defaulting to no policy
Enter password for principal "ubuntu/[email protected]": Enter-Password-Here
Re-enter password for principal "ubuntu/[email protected]": Re-enter-Password-Here
Principal "ubuntu/[email protected]" created.
With the admin principal's password set, add the Kerberos host itself to the database (with a random key) and create a keytab file for it:
kadmin.local: addprinc -randkey host/krb5.geeksforgeeks.org
kadmin.local: ktadd host/krb5.geeksforgeeks.org
Exit the utility:
quit
Grant the admin principal full privileges in the kadmind access control list. Edit the file below:
sudo vim /etc/krb5kdc/kadm5.acl
In the file, add the below line.
ubuntu/admin *
Save the changes and restart the Kerberos services.
sudo systemctl restart krb5-admin-server.service
The service should now be running:
$ systemctl status krb5-admin-server.service
● krb5-admin-server.service - Kerberos 5 Admin Server
Loaded: loaded (/lib/systemd/system/krb5-admin-server.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2023-02-12 14:54:47 EAT; 9s ago
Main PID: 3029 (kadmind)
Tasks: 1 (limit: 4629)
Memory: 656.0K
CPU: 64ms
CGroup: /system.slice/krb5-admin-server.service
└─3029 /usr/sbin/kadmind -nofork
Feb 12 14:54:47 krb5.geeksforgeeks.org kadmind[3029]: setsockopt(12,IPV6_V6ONLY,1) worked
Feb 12 14:54:47 krb5.geeksforgeeks.org kadmind[3029]: Setting up RPC socket for address 0.0.0.0.749
Feb 12 14:54:47 krb5.geeksforgeeks.org kadmind[3029]: Setting up RPC socket for address ::.749
Feb 12 14:54:47 krb5.geeksforgeeks.org kadmind[3029]: setsockopt(14,IPV6_V6ONLY,1) worked
Feb 12 14:54:47 krb5.geeksforgeeks.org kadmind[3029]: set up 6 sockets
Feb 12 14:54:47 krb5.geeksforgeeks.org kadmind[3029]: No dictionary file specified, continuing without one.
Feb 12 14:54:47 krb5.geeksforgeeks.org kadmind[3029]: No dictionary file specified, continuing without one.
Feb 12 14:54:47 krb5.geeksforgeeks.org kadmind[3029]: Seeding random number generator
Feb 12 14:54:47 krb5.geeksforgeeks.org kadmind[3029]: starting
Feb 12 14:54:47 krb5.geeksforgeeks.org kadmind[3029]: kadmind: starting...
Test the admin principal by requesting a ticket:
$ kinit ubuntu/admin
Password for ubuntu/[email protected]:
List the information about the Ticket Granting Ticket (TGT).
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu/[email protected]
Valid starting Expires Service principal
12/02/2023 12:40:52 12/02/2023 22:40:52 krbtgt/COMPUTINGFOR[email protected]
renew until 13/02/2023 12:40:47
Now the Kerberos Realm on Ubuntu 22.04|20.04|18.04 is ready to authenticate clients.
Step 3 – Install and Configure SSSD on Ubuntu
For the client to use LDAP for users and groups and Kerberos for authentication, you need to configure SSSD. First, set the hostname on the client machine:
sudo hostnamectl set-hostname client1.geeksforgeeks.org
Edit the /etc/hosts file to accommodate the Kerberos and LDAP servers.
$ sudo vim /etc/hosts
192.168.205.2 ldap.geeksforgeeks.org ldap
192.168.205.22 krb5.geeksforgeeks.org krb5
192.168.205.11 client1.geeksforgeeks.org
Now install the required packages:
sudo apt update && sudo apt install sssd-ldap sssd-krb5 ldap-utils krb5-user libpam-sss libnss-sss -y
During the installation you will be prompted for the Kerberos settings:
- Set the Kerberos realm (geeksforgeeks.org)
- Set the Kerberos server (krb5.geeksforgeeks.org)
- Set the admin server (krb5.geeksforgeeks.org)
Log in using the admin principal created earlier:
$ kinit ubuntu/admin
kinit [email protected]
Password for ubuntu/[email protected]:
List the obtained ticket with the command:
ubuntu@client1:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu/[email protected]
Valid starting Expires Service principal
12/02/2023 12:45:33 12/02/2023 22:45:33 krbtgt/COMPUTINGFOR[email protected]
renew until 13/02/2023 12:45:29
Since we want to log in to the system as an LDAP user with Kerberos authentication, we will now configure SSSD by creating its config file:
sudo vim /etc/sssd/sssd.conf
Edit the file as below.
[sssd]
config_file_version = 2
domains = geeksforgeeks.org
[domain/geeksforgeeks.org]
id_provider = ldap
ldap_uri = ldap://ldap.geeksforgeeks.org
ldap_search_base = dc=neveropen,dc=com
auth_provider = krb5
krb5_server = krb5.geeksforgeeks.org
#krb5_kpasswd = krb5.geeksforgeeks.org
krb5_realm = COMPUTINGFORGEEKS.COM
cache_credentials = True
Restrict the permissions of the file; SSSD refuses to start if the configuration is accessible to other users.
sudo chmod 600 /etc/sssd/sssd.conf
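The sssd.conf above is an ini-style file with one [sssd] section and one [domain/NAME] section per domain, and the daemon is unforgiving about mistakes in it: a domain listed in domains= without a matching section, or a file that other users can read, keeps it from starting. The following checker is an added example, not code from the guide or from the SSSD project. It parses a constructed copy of the configuration shown above, reports the errors that stop SSSD and the weaknesses worth knowing about (the guide's plain ldap:// identity lookups, for instance), and checks the permission bits that the chmod 600 step sets. The function names and the key lists are this example's own choices; SSSD itself can discover some settings via DNS, so missing provider keys are reported as warnings rather than errors.

```python
"""Offline sanity check for an SSSD configuration file.
Added example, not part of the guide: parses sssd.conf (ini format, [sssd] plus
one [domain/NAME] section per domain) and reports start-up blockers and weak settings."""
import configparser
import os
import stat
import tempfile

# Constructed copy of the configuration shown in the guide.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = geeksforgeeks.org

[domain/geeksforgeeks.org]
id_provider = ldap
ldap_uri = ldap://ldap.geeksforgeeks.org
ldap_search_base = dc=neveropen,dc=com
auth_provider = krb5
krb5_server = krb5.geeksforgeeks.org
#krb5_kpasswd = krb5.geeksforgeeks.org
krb5_realm = COMPUTINGFORGEEKS.COM
cache_credentials = True
"""

# Keys the guide's setup relies on per provider (SSSD can discover some via DNS SRV, hence warnings).
EXPECTED_BY_PROVIDER = {
    "ldap": ("ldap_uri", "ldap_search_base"),
    "krb5": ("krb5_server", "krb5_realm"),
}

def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp

def check_sssd_conf(text, mode=None):
    """Return (errors, warnings); `mode` is the file's permission bits when known."""
    errors, warnings = [], []
    cp = parse_sssd_conf(text)
    if "sssd" not in cp:
        return ["missing [sssd] section"], warnings
    domains = [d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()]
    if not domains:
        errors.append("[sssd] lists no domains; sssd will not start without one")
    for name in domains:
        section = f"domain/{name}"
        if section not in cp:
            errors.append(f"domains= names '{name}' but [{section}] is missing")
            continue
        dom = cp[section]
        for role in ("id_provider", "auth_provider"):
            provider = dom.get(role)
            if provider is None:
                errors.append(f"[{section}] has no {role}")
                continue
            for key in EXPECTED_BY_PROVIDER.get(provider, ()):
                if key not in dom:
                    warnings.append(f"[{section}] {role} = {provider} usually needs {key}")
        realm = dom.get("krb5_realm")
        if realm and realm != realm.upper():
            warnings.append(f"[{section}] krb5_realm '{realm}' is not upper-case as realms conventionally are")
        uri = dom.get("ldap_uri", "")
        if uri.startswith("ldap://") and not dom.getboolean("ldap_id_use_start_tls", fallback=False):
            warnings.append(f"[{section}] identity lookups over {uri} are unencrypted; "
                            "use ldaps:// or set ldap_id_use_start_tls = True")
        if not dom.getboolean("cache_credentials", fallback=False):
            warnings.append(f"[{section}] cache_credentials is off, so logins fail when the KDC is unreachable")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        errors.append(f"file mode {oct(mode)} is group/world accessible; sssd expects 0600")
    return errors, warnings

def check_sssd_file(path):
    """Check an on-disk sssd.conf together with its permission bits."""
    with open(path) as fh:
        text = fh.read()
    return check_sssd_conf(text, stat.S_IMODE(os.stat(path).st_mode))

def demo():
    """Write the sample to a temporary file with the guide's chmod 600 and check it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONF)
        path = fh.name
    os.chmod(path, 0o600)
    try:
        return check_sssd_file(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    errs, warns = demo()
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

Run against the guide's configuration it reports no errors and a single warning, that identity data travels over plain ldap://; that matches the guide's note that TLS is recommended but not required when Kerberos does the authentication. Point check_sssd_file at /etc/sssd/sssd.conf (as root) to check the real file.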
Once the settings have been made, start and enable the SSSD service.
sudo systemctl start sssd.service
sudo systemctl enable sssd.service
Verify that the service is running:
$ systemctl status sssd.service
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2023-02-12 15:02:07 EAT; 9s ago
Main PID: 5825 (sssd)
Tasks: 2 (limit: 4575)
Memory: 6.7M
CGroup: /system.slice/sssd.service
├─5825 /usr/sbin/sssd -i --logger=files
└─5826 /usr/libexec/sssd/sssd_be --domain geeksforgeeks.org --uid 0 --gid 0 --logger=files
Gur 12 15:02:07 client1.geeksforgeeks.org systemd[1]: Starting System Security Services Daemon...
Gur 12 15:02:07 client1.geeksforgeeks.org sssd[5825]: Starting up
Gur 12 15:02:07 client1.geeksforgeeks.org sssd_be[5826]: Starting up
Gur 12 15:02:07 client1.geeksforgeeks.org systemd[1]: Started System Security Services Daemon.
Enable automatic home directory creation with the command below:
sudo pam-auth-update --enable mkhomedir
Now we will test with the user created on the LDAP server. First, configure the client's LDAP tools to communicate with the LDAP server:
$ sudo vim /etc/ldap/ldap.conf
....
# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
URI ldap://ldap.geeksforgeeks.org
BASE dc=neveropen,dc=com
The LDAP user we created should now be known to the system. Check this as shown:
$ getent passwd john
john:*:10001:10001:John Smith:/home/john:/bin/bash
ubuntu@client1:~$ id john
uid=10001(john) gid=10001(john) groups=10001(john),10100(Engineering)
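The two lines above are exactly what NSS computes from the RFC 2307 attributes loaded in Step 1: the passwd entry comes from the posixAccount (uidNumber, gidNumber, cn, homeDirectory, loginShell, with `*` in the password field because the password lives in Kerberos), the primary group from the posixGroup whose gidNumber matches, and the supplementary groups from every posixGroup listing the user in memberUid. The script below is an added example, not code from the guide: it parses a constructed copy of the Step 1 LDIF (the mail value is a placeholder), predicts the `getent passwd john` and `id john` output, and also flags the directory problems that make such lookups ambiguous on a real server (two accounts sharing a uidNumber, two groups sharing a gidNumber, a memberUid naming no account). All function names are this example's own.

```python
"""Predict `getent passwd` and `id` output from an RFC 2307 LDIF and check it for collisions.
Added example, not the guide's code: reads posixAccount/posixGroup entries the way NSS does."""
import base64

# Constructed copy of the Step 1 LDIF (entries separated by blank lines); mail is a placeholder.
SAMPLE_LDIF = """\
dn: uid=john,ou=People,dc=neveropen,dc=com
uid: john
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Smith
sn: Smith
mail: john@example.com
uidNumber: 10001
gidNumber: 10001
loginShell: /bin/bash
homeDirectory: /home/john

dn: cn=john,ou=Group,dc=neveropen,dc=com
cn: john
objectClass: posixGroup
gidNumber: 10001
memberUid: john

dn: cn=Engineering,ou=Group,dc=neveropen,dc=com
cn: Engineering
objectClass: posixGroup
gidNumber: 10100
memberUid: john
"""

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # a leading space folds onto the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():                       # a blank line terminates the entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith(("#", "version:")):
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            if value.startswith(":"):              # '::' introduces a base64-encoded value
                value = base64.b64decode(value[1:]).decode("utf-8")
            current.setdefault(key.lower(), []).append(value.strip())
    return entries

def has_class(entry, name):
    return name.lower() in map(str.lower, entry.get("objectclass", []))

def check_consistency(entries):
    """Report duplicate uidNumber/gidNumber values and memberUid values naming no account."""
    users = [e for e in entries if has_class(e, "posixAccount")]
    groups = [e for e in entries if has_class(e, "posixGroup")]
    problems = []
    for label, attr, items in (("uidNumber", "uidnumber", users), ("gidNumber", "gidnumber", groups)):
        seen = {}
        for e in items:
            num = e[attr][0]
            if num in seen:
                problems.append(f"{label} {num} shared by {seen[num]} and {e['dn'][0]}")
            seen.setdefault(num, e["dn"][0])
    known = {u["uid"][0] for u in users}
    for g in groups:
        for member in g.get("memberuid", []):
            if member not in known:
                problems.append(f"{g['dn'][0]}: memberUid {member} matches no posixAccount")
    return problems

def passwd_line(user):
    """The passwd entry as handed to getent: password field is '*', gecos falls back to cn."""
    gecos = user.get("gecos", user.get("cn", [""]))[0]
    return ":".join([user["uid"][0], "*", user["uidnumber"][0], user["gidnumber"][0],
                     gecos, user["homedirectory"][0], user.get("loginshell", ["/bin/sh"])[0]])

def id_line(user, groups):
    """Primary group from gidNumber, supplementary groups from memberUid, in `id` format."""
    uid, uidnum, gidnum = user["uid"][0], user["uidnumber"][0], user["gidnumber"][0]
    by_gid = {g["gidnumber"][0]: g["cn"][0] for g in groups}
    if gidnum not in by_gid:
        raise ValueError(f"{uid}: primary gidNumber {gidnum} has no posixGroup")
    member = {g["gidnumber"][0] for g in groups if uid in g.get("memberuid", [])}
    ordered = [gidnum] + sorted(member - {gidnum}, key=int)
    joined = ",".join(f"{gid}({by_gid[gid]})" for gid in ordered)
    return f"uid={uidnum}({uid}) gid={gidnum}({by_gid[gidnum]}) groups={joined}"

def predict(text, login):
    """Return (getent passwd line, id line) for `login`; raise if the directory data is inconsistent."""
    entries = parse_ldif(text)
    problems = check_consistency(entries)
    if problems:
        raise ValueError("; ".join(problems))
    groups = [e for e in entries if has_class(e, "posixGroup")]
    user = next(e for e in entries if has_class(e, "posixAccount") and e["uid"][0] == login)
    return passwd_line(user), id_line(user, groups)

if __name__ == "__main__":
    for line in predict(SAMPLE_LDIF, "john"):
        print(line)
```

Feeding the output of `ldapsearch -x -LLL -b dc=neveropen,dc=com '(|(objectClass=posixAccount)(objectClass=posixGroup))'` into predict() gives the lines the client should print; a mismatch with what getent and id actually report points at SSSD's cache or its ldap_search_base rather than at the directory data.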
However, we cannot log in as this user until a matching principal exists on the Kerberos server. To add it, run the commands below on the Kerberos server:
sudo kadmin.local
Now add the principal:
kadmin.local: addprinc john
Enter password for principal "[email protected]": Set-User-Password
Re-enter password for principal "[email protected]": Re-enter-the-password
Principal "[email protected]" created.
Exit the session:
kadmin.local: quit
Step 4 – Test LDAP, SSSD and Kerberos Authentication
We have now set the login password for the user in Kerberos; let us test that it works as desired:
sudo login
klist
Provide the password of the principal (john) to authenticate to the system, then run klist to confirm that the login obtained a Kerberos ticket.
As seen, we have logged in to the system with LDAP providing the user and group information while Kerberos provides authentication. To verify the user details, run:
john@client1:~$ id john
uid=10001(john) gid=10001(john) groups=10001(john),10100(Engineering)
john@client1:~$
Conclusion
That marks the end of this detailed guide on how to configure LDAP, SSSD and Kerberos Authentication on Ubuntu 22.04|20.04|18.04. I hope this was informative.