Ubuntu Server Guide
Note If you have added the appropriate SRV records to DNS, none of those prompts will need answer- ing. Configuration
Download 1.23 Mb. Pdf ko'rish
|
ubuntu-server-guide (1)
|
Note
If you have added the appropriate SRV records to DNS, none of those prompts will need answer- ing. Configuration If you missed the questions earlier, you can reconfigure the package to fill them in again: sudo dpkg− reconfigure krb5−config. You can test the kerberos configuration by requesting a ticket using the kinit utility. For example: $ k i n i t ubuntu /admin@EXAMPLE .COM Password f o r ubuntu /admin@EXAMPLE .COM: Note kinit doesn’t need for the principal to exist as a local user in the system. In fact, you can kinit any principal you want. If you don’t specify one, then the tool will use the username of whoever is running kinit . Since we are at it, let’s also create a non-admin principal for ubuntu: $ kadmin −q ” a d d p r i n c ubuntu ” A u t h e n t i c a t i n g a s p r i n c i p a l ubuntu /admin@EXAMPLE .COM with password . Password f o r ubuntu /admin@EXAMPLE .COM: WARNING: no p o l i c y s p e c i f i e d f o r ubuntu@EXAMPLE .COM; d e f a u l t i n g t o no p o l i c y Enter password f o r p r i n c i p a l ”ubuntu@EXAMPLE .COM” : Re−e n t e r password f o r p r i n c i p a l ”ubuntu@EXAMPLE .COM” : P r i n c i p a l ”ubuntu@EXAMPLE .COM” c r e a t e d . The only remaining configuration now is for sssd. Create the file /etc/sssd/sssd.conf with the following content: [ s s s d ] c o n f i g _ f i l e _ v e r s i o n = 2 s e r v i c e s = pam domains = example . com [ pam ] [ domain / example . com ] i d _ p r o v i d e r = proxy proxy_lib_name = f i l e s a u t h _ p r o vi d e r = krb5 k r b 5 _ s e r v e r = kdc01 . example . com , kdc01 . example . com krb5_kpasswd = kdc01 . example . com krb5_realm = EXAMPLE.COM The above configuration will use kerberos for authentication (auth_provider), but will use the local system users for user and group information (id_provider). Adjust the permissions of the config file and start sssd: 181 $ sudo chown r o o t : r o o t / e t c / s s s d / s s s d . c o n f $ sudo chmod 0600 / e t c / s s s d / s s s d . c o n f $ sudo s y s t e m c t l s t a r t s s s d Just by having installed sssd and its dependencies, PAM will already have been configured to use sssd, with a fallback to local user authentication. To try it out, if this is a workstation, simply switch users (in the GUI), or open a login terminal (CTRL-ALT- logging in using the name of a kerberos principal. Remember that this user must already exist on the local system: $ sudo l o g i n f o c a l −krb5−c l i e n t l o g i n : ubuntu Password : Welcome t o Ubuntu F o c a l Fossa ( development branch ) (GNU/ Linux 5.4.0 −21 − g e n e r i c x86_64 ) ( . . . ) Last l o g i n : Thu Apr 9 2 1 : 2 3 : 5 0 UTC 2020 from 1 0 . 2 0 . 2 0 . 1 on p t s /0 $ k l i s t T i c k e t c a c h e : FILE : / tmp/ krb5cc_1000_NlfnSX D e f a u l t p r i n c i p a l : ubuntu@EXAMPLE .COM V a l i d s t a r t i n g E x p i r e s S e r v i c e p r i n c i p a l 04/09/20 2 1 : 3 6 : 1 2 04/10/20 0 7 : 3 6 : 1 2 k r b t g t /EXAMPLE.COM@EXAMPLE.COM renew u n t i l 04/10/20 2 1 : 3 6 : 1 2 And you will have a Kerberos ticket already right after login. Download 1.23 Mb. Do'stlaringiz bilan baham: 
|