Re: I've got Winbind working, now I want single-sign-on



"NKG" == Nico Kadel-Garcia <nkadel@xxxxxxxxx> writes:

NKG> On 21 Dec, 02:59, "Richard E. Silverman" <r...@xxxxxxxx> wrote:
>> >>>>> "NKG" == Nico Kadel-Garcia <nka...@xxxxxxxxx> writes:
>>
>>     NKG> I've gotten Winbind working for RHEL 5: many of the published
>>     NKG> notes tend to leave out little details, like the need to enter
>>     NKG> your username as DOMAIN\username unless you've hand-edited
>>     NKG> smb.conf to support '_' as your separator, or to use 'winbind use
>>     NKG> default domain' and avoid the idmap_nss confusion.
>>
>>     NKG> But I'd really like to get it working so that the Windows users
>>     NKG> do *not* have to manually type in passwords. Let me explain that
>>     NKG> I'm dealing with an SSH accessed terminal interface, which works
>>     NKG> fine in Putty, but for which I wish to simplify the user's access
>>     NKG> to it once they've authenticated to their Windows guest box,
>>     NKG> since it's providing Winbind based password handling anyway.
>>
>>     NKG> Has anyone done this? Or are all the "single sign-on" references
>>     NKG> I've found simply referring to single password, not to such an
>>     NKG> automatic authentication technique?
>>
>> Hi Nico,

NKG> Hi, Richard! It's always nice to see your messages.

NKG> I'm in the UK right now, working on a migration of SCO boxes to
NKG> Linux, and would really like to show off how to do things in a
NKG> secure fashion. If this works well, it can also help address the
NKG> Subversion SSH+svnserve issues and people's tendencies to leave
NKG> password free SSH keys lying around on their laptops and
NKG> unsecured boxes. So I've got my fingers crossed that this will
NKG> work well. I've never gotten the traction in previous
NKG> environments to get integration help with the Active Directory
NKG> administrators: now I do. Life is good.

>> If the Windows boxes are part of a domain, then your users have
>> Kerberos credentials once they log in.  You can use them with
>> kerberized SSH to get single-signon.  There is a kerberized version
>> of PuTTY here:
>>
>> http://rc.quest.com/topics/putty/

NKG> The "Active Directory domain users have Kerberos credentials"
NKG> part, I already understood, thanks.

NKG> I hadn't realized that Simon Tatham's version of Putty was not
NKG> Kerberized: I've loved and recommended the standard Putty tool
NKG> for years, and only wish the Linux terminals were anywhere near
NKG> so wonderful.

NKG> I'll test this Putty version out today and see if I have to do
NKG> anything else. If not, woo-hoo! I'll publish notes. There are
NKG> lots of guidelines to how to set up RHEL for Winbind, but they
NKG> seem not to be complete.

>> The SSH server needs to support at least gssapi user authentication
>> -- Quest PuTTY supports kerberized key exchange as well, but that's
>> not strictly necessary for single-signon.
>>
>> You can have the Unix machine be part of the domain (meaning
>> specifically that it needs a host principal in AD and a matching
>> keytab entry on the host).  You can do this by creating a "user" in
>> AD to represent the host, and using the ktpass.exe utility to
>> attach the Kerberos principal to the account and create a
>> keytab.  Alternatively, you can have a separate Kerberos realm for
>> the Unix hosts and establish cross-realm trust with AD.  There are
>> some extra complications going with that route, though.

NKG> I've gotten RHEL 5 boxes registered to the domain with Winbind,
NKG> using RedHat's very friendly "authconfig-gui" or "authconfig-tui"
NKG> tool. RHEL 5 changed the system-config-authentication tool to not
NKG> call up any gui if you run it directly, only to present you with
NKG> a list of command line arguments. I recommend authconfig-gui:
NKG> the error messages if you fail to join a domain flash by far, far
NKG> too quickly on the authconfig-tui, so you never know what
NKG> failed.

NKG> These machines are using Winbind for both authentication and
NKG> account configurations, so the RHEL boxes are now listed among
NKG> the "Hosts" in the Active Directory configuration tools. I'm
NKG> able to log in using the Windows account names and passwords this
NKG> way for users not in the RHEL box's /etc/passwd files, so I'm
NKG> good there.

I haven't used Winbind, so I don't know the details; however, for sshd
to work with Kerberos, you need the host principal key (host/fqdn@REALM)
in the system keytab (usually /etc/krb5.keytab).

NKG> It leads to some oddness: the "groups" of Windows users can have
NKG> spaces in the names, so the default group of "Domain Users"
NKG> becomes "domain users" and makes for confusing output. I may have
NKG> to tweak some old scripts to use "ls -n" to deal with this.

NKG> A separate Kerberos realm sounds like a great deal of pain for
NKG> the relatively small environment I'm in: I really don't want to
NKG> go there. Maintaining another Kerberos server when there is
NKG> already an Active Directory server running for other reasons
NKG> seems.... like putting another door on the barn, and then trying
NKG> to lock *that*. If I needed to actually have a separate barn for
NKG> the Linux environment, I'd consider it.

NKG> And oh, yes! Andrew Tridgell and Jeremy Allison in the Samba
NKG> world just announced a deal that provides Samba developers with
NKG> access to Microsoft's actual protocols for Active Directory, so
NKG> we can expect to see better integration for Samba. And
NKG> potentially related SSH authentication questions, as I'm
NKG> encountering.

--
Richard Silverman
res@xxxxxxxx
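A pre-flight check for the two Unix-side prerequisites Richard names (the host/fqdn@REALM key in /etc/krb5.keytab and an sshd that accepts GSSAPI user authentication), added here as an example and not code from any poster in the thread; the klist listing and sshd_config fragments are constructed sample data, and rhel5.example.com / EXAMPLE.COM are placeholder names.

```shell
# Pre-flight check for Kerberos/GSSAPI single sign-on to sshd on a domain-joined
# Unix host. Constructed samples stand in for `klist -k /etc/krb5.keytab`
# output and /etc/ssh/sshd_config; hostname and realm are placeholders.
# Constructed klist -k listing: host principal present at KVNO 3.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   3 host/rhel5.example.com@EXAMPLE.COM
   3 RHEL5$@EXAMPLE.COM'
# Constructed sshd_config fragments: the second only carries the commented-out
# default, so sshd would still reject gssapi-with-mic.
SSHD_GOOD='Protocol 2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'
SSHD_BAD='Protocol 2
#GSSAPIAuthentication no
PasswordAuthentication yes'

# Succeed only if an entry exactly matches host/<fqdn>@<REALM>. The match is
# case-sensitive: a lowercase realm or a short hostname counts as missing.
keytab_has_host_principal() {
  printf '%s\n' "$1" | awk -v want="host/$2@$3" '
    $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
    END { exit !found }'
}

# sshd honours the FIRST uncommented occurrence of a keyword (Match blocks
# are not modelled here), so report that value rather than any later one.
sshd_gssapi_enabled() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "gssapiauthentication" { print tolower($2); exit }' |
    grep -qx yes
}

# Run both checks, print a verdict per item, return 0 only when both pass.
sso_preflight() {
  fqdn=$1; realm=$2; listing=$3; config=$4; rc=0
  if keytab_has_host_principal "$listing" "$fqdn" "$realm"; then
    echo "ok:   host/$fqdn@$realm present in keytab"
  else
    echo "FAIL: host/$fqdn@$realm missing from keytab"; rc=1
  fi
  if sshd_gssapi_enabled "$config"; then echo "ok:   GSSAPIAuthentication yes"
  else echo "FAIL: GSSAPIAuthentication not enabled in sshd_config"; rc=1; fi
  return $rc
}

# Live use: sso_preflight "$(hostname -f)" EXAMPLE.COM "$(klist -k)" "$(cat /etc/ssh/sshd_config)"
sso_preflight rhel5.example.com EXAMPLE.COM "$KLIST_SAMPLE" "$SSHD_GOOD"
```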
