Authenticating OpenBSD against Active Directory

Solution 1:

Preface

Authenticating against Active Directory with Kerberos is pretty simple on systems using PAM, but OpenBSD doesn't and makes it more difficult. From a tcpdump, it looks like the PAM systems are just doing pre-authentication while OpenBSD's bsd_auth system is using the whole Kerberos authentication process.

Anyway, this took me a while to figure out so hopefully some concise instructions will save you time.

A few quick notes before we begin:

  • Users must exist on the OpenBSD system before attempting to login. They are not autocreated.
  • If you want users autocreated, look into Samba/Winbind. I've had nothing but trouble (inexplicable crashes, serious log spamming, unreliable authentication) from it, so I only use it when I have to.
  • This was tested on OpenBSD 4.5 and Windows Server 2003. I'm pretty sure it'll work with Win2k, but YMMV.
  • This version of OpenBSD uses Heimdal 0.7.2. Everything here aside from the paths and login.conf stuff will probably work on other *nixes running the same Heimdal, but again, YMMV.

Instructions

These steps assume you are trying to authenticate [email protected] against the domain EXAMPLE.COM. The domain controller is pdc.EXAMPLE.COM.

  1. Create an Active Directory User account named myhost (that's not a typo, these instructions won't work with a Computer account). Disable password expiration and don't let the user change its own password. Set the password to whatever you like - it'll be changed soon.

  2. It's probably a good idea to create the User account under a new OU, remove it from the Domain Users group and add it to a dedicated group. This is all a matter of taste and your security layout.

  3. On pdc.EXAMPLE.COM, download and install Windows Server Support Tools (specifically, you'll need ktpass.exe)

  4. On pdc.EXAMPLE.COM, run:

    ktpass -out c:\temp\myhost.keytab -princ host/[email protected] -mapuser myhost -pType KRB5_NT_PRINCIPAL +rndpass

    This updates the myhost user's password to something random (+rndpass), maps the Kerberos principal "host/[email protected]" to the user "myhost" in Active Directory, and then dumps the principal and private key info into the -out keytab file.

  5. Securely copy c:\temp\myhost.keytab to myhost and delete the file from pdc.EXAMPLE.COM

  6. On myhost, add the AD keytab to your main keytab:

    ktutil copy /path/to/myhost.keytab /etc/kerberosV/krb5.keytab

  7. Configure /etc/krb5.conf. Below is the bare minimum that you need. There's a lot of options available, take a look at the manpage for more details. This just sets the maximum acceptable clock skew to 5 minutes, makes EXAMPLE.COM the default realm, and tells Kerberos how to translate between DNS and Kerberos realms.

    [libdefaults]
    clockskew = 300
    default_realm = EXAMPLE.COM

    [realms]
    EXAMPLE.COM = {
    default_domain = EXAMPLE.COM
    }

    [domain_realm]
    .EXAMPLE.COM = EXAMPLE.COM

  8. Verify that you can get a ticket:

    # kinit [email protected]
    [email protected]'s Password:
    # klist
    Credentials cache: FILE:/tmp/krb5cc_0
    Principal: [email protected]

    Issued Expires Principal
    Jun 4 21:41:05 Jun 5 07:40:28 krbtgt/[email protected]

  9. Modify /etc/login.conf to use Kerberos authentication. Your exact login.conf configuration will vary depending on how you use your system, but to go from a vanilla install to using Kerberos, just edit and comment this line under the default login class:

    :tc=auth-defaults:\

    And add above it:

    :auth=krb5-or-pwd:\

    This checks Kerberos first unless the user is root. If Kerberos fails, it will use local passwords.

  10. Add the users you'd like to authenticate on this host. Leave the passwords blank unless you want them to be able to use both Active Directory and local passwords (not recommended).

    You can blank existing users' passwords "chpass <user>" and replacing the "Encrypted password:" value with an asterisk (*)

  11. Test SSH and Sudo. Both should work flawlessly with your Active Directory credentials.

That's all there is to it.

Links

A couple useful sites:

  • Step-by-Step Guide to Kerberos 5 Interoperability | Microsoft Docs
  • Creating a Kerberos service principal name and keytab file | IBM Knowledge Center

Solution 2:

An update to the instructions above as a few things have changed since then.

In OpenBSD 5.6, a decision was made to remove Heimdal from the base distribution due to concerns about code quality and nobody being willing to spend the time to audit it. In 5.7 it was made available as a package (For 5.6 you'll need to build from source or figure out how to re-enable it in source). So, before following the instructions above, the following additional steps will need to be completed:

-3. Install the heimdal and login_krb5 packages from your favourite mirror.

-2. Copy /usr/local/libexec/auth/login_krb5* to /usr/libexec/auth.

-1. If you intend to use the heimdal tools a lot, add /usr/local/heimdal/bin to your system path. Otherwise, be sure to reference the tools with their full path when using them.

Also, the krb5.conf and krb5.keytab files go into /etc/heimdal now.