0
votes

I am attempting to translate "local login names" to a specific Kerberos principal name. On the Kerberos server, principals for the users are stored in the format of: <username>/<group>@<REALM>.

For example, I would like the login name testUser1 to be translated to the principal name: testUser1/Admins@HOME.COM

The reason I would like to use this format is so that I can enforce Kerberos access control for users part of specific groups via the kadm5.acl file. Only users within the Admins group should be authorized to create Kerberos principals.

The system is comprised of 3 separate servers: KRB-Server (krb-server.home.com), SSH-Server (ssh-server.home.com), and LDAP-Server (ldap-server.home.com). All servers are running Ubuntu 16.04. The KRB-Server is running KRB5 1.16-2 from the zodops/ubuntu-backports repository. The SSH-Server is using SSSD to enable authentication/authorization using the Kerberos authentication server and the LDAP identity/authorization server.

I have attempted to perform local user name to Kerberos principal mappings using rules defined in the auth_to_local option.

RULE:[2:$1/$2@$0](.*\/Admins@HOME\.COM)s/\/Admins@HOME\.COM//

From what I understand the first section of the rule:

[2:$1/$2@$0]

Will match the Kerberos principals with two components and translate them to the format <first component>/<second component>@<realm>

The next section (.*\/Admins@HOME\.COM) will match the result of the first section and proceed to the third and final replacement expression section, which will remove the second component and realm from the principal name.

s/\/Admins@HOME\.COM//

This should translate the Kerberos principal name "testUser1/[email protected]" to the local login name "testUser1". However, this configuration does not appear to be taking effect.

The configuration files are as follows:

/etc/krb5.conf on krb-server.home.com

[libdefaults]
    default_realm = HOME.COM

[realms]
    HOME.COM = {
        kdc = krb-server.home.com
        admin_server = krb-server.home.com
        master_kdc = krb-server.home.com
        default_domain = home.com
        database_module = openldap_ldapconf

        auth_to_local = RULE:[2:$1/$2@$0](.*\/Admins@HOME\.COM)s/\/Admins@HOME\.COM//
        auth_to_local = DEFAULT         
    }

[domain_realm]
    .home.com = HOME.COM

[dbdefaults]
    ldap_kerberos_container_dn = cn=krb5,dc=home,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_sasl_mech = EXTERNAL
        ldap_kadmind_sasl_mech = EXTERNAL
        ldap_servers = ldaps://ldap-server.home.com
        ldap_conns_per_server = 5
    }

[logging]
   admin_server = FILE:/var/log/krb-admin-server.log
   kdc = FILE:/var/log/kdc.log
   default = FILE:/var/log/default-kdc.log

/etc/krb5.conf on ssh-server.home.com

[libdefaults]
    default_realm = HOME.COM

[realms]
    HOME.COM = {
        kdc = krb-server.home.com
        admin_server = krb-server.home.com
        master_kdc = krb-server.home.com
        default_domain = home.com
        auth_to_local = RULE:[2:$1/$2@$0](.*\/Admins@HOME\.COM)s/\/Admins@HOME\.COM//
        auth_to_local = DEFAULT
    }

[domain_realm]
    .home.com = HOME.COM

When attempting to authenticate on the SSH-Server via ssh testUser1@localhost or su -- testUser1, an error is thrown in the Kerberos KDC log file.

CLIENT_NOT_FOUND: testUser1@HOME.COM for krbtgt/HOME.COM@HOME.COM, Client not found in Kerberos database

When I attempt to authenticate to a principal with a single component (testUser1@HOME.COM), the authentication works flawlessly. Unfortunately, I am unable to authenticate to two-component principal names as stated above.

Are my assumptions on the auth_to_local configuration option correct? If so, can anybody shine some light on how to get this configuration to work? If not, what other solutions can I use for this problem?

1
AFAIK you don't map a Linux user to a Kerberos principal. You map a Kerberos principal (which will be extracted from the Kerberos service ticket offered by the client at authentication time, as a proof of identity) to a local Linux user (the account you want to log in). – Samson Scharfrichter

There is a Java port of the "auth to local" parser in Hadoop. And that port has more documentation than the legacy C implementation, e.g. docs.cloudera.com/documentation/enterprise/5-8-x/topics/… or community.cloudera.com/t5/Community-Articles/… or docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.5/… (but beware, the "lowercase" suffix option is specific to Hadoop, will not work with SSSD). – Samson Scharfrichter
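To make the direction of the mapping concrete, the following is an added Python example, not code from the question, its author, or MIT krb5: a small evaluator for krb5.conf auth_to_local entries that follows the RULE and DEFAULT semantics in the MIT krb5.conf documentation. The rule and the realm HOME.COM are the ones from the question; all other principal names are constructed test inputs, and the whole-string (anchored) matching of the (regexp) part is assumed here to mirror MIT's behaviour.

```python
# Added example (not code from the question or from MIT krb5): evaluate
# krb5.conf auth_to_local entries of the forms
#   RULE:[n:string](regexp)s/pattern/replacement/[g]   and   DEFAULT
# The mapping runs from a Kerberos principal to a local login name.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule and realm exactly as they appear in the question's krb5.conf.
QUESTION_RULE = r"RULE:[2:$1/$2@$0](.*\/Admins@HOME\.COM)s/\/Admins@HOME\.COM//"
DEFAULT_REALM = "HOME.COM"


@dataclass
class Rule:
    ncomp: int                 # number of principal components the rule requires
    fmt: str                   # selection string: $0 = realm, $n = n-th component
    match: Optional[str]       # optional (regexp) the candidate must match
    sub_pat: Optional[str]     # optional s/pattern/replacement/[g]
    sub_rep: Optional[str]
    sub_global: bool


_RULE_RE = re.compile(
    r"^\[(\d+):([^\]]*)\]"                                # [n:string]
    r"(?:\((.*?)\))?"                                     # optional (regexp)
    r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?$"   # optional s/pat/rep/[g]
)


def parse_rule(spec: str) -> Rule:
    """Parse the text after 'RULE:' into its parts."""
    m = _RULE_RE.match(spec)
    if m is None:
        raise ValueError(f"cannot parse auth_to_local rule: {spec!r}")
    n, fmt, match, pat, rep, flag = m.groups()
    return Rule(int(n), fmt, match, pat, rep, flag == "g")


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'a/b@REALM' -> (['a', 'b'], 'REALM'); the realm follows the last '@'."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule: Rule, principal: str) -> Optional[str]:
    """Return the local name the rule yields, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if len(comps) != rule.ncomp:
        return None                              # component count must match exactly

    def expand(m) -> str:                        # $0 -> realm, $n -> n-th component
        i = int(m.group(1))
        if i > len(comps):
            raise ValueError(f"rule references $%d but principal has %d components"
                             % (i, len(comps)))
        return realm if i == 0 else comps[i - 1]

    candidate = re.sub(r"\$(\d+)", expand, rule.fmt)
    # Assumption: the (regexp) must match the whole candidate, as MIT anchors it.
    if rule.match is not None and re.fullmatch(rule.match, candidate) is None:
        return None
    if rule.sub_pat is not None:
        count = 0 if rule.sub_global else 1      # 'g' replaces every occurrence
        candidate = re.sub(rule.sub_pat, rule.sub_rep, candidate, count=count)
    return candidate


def apply_default(principal: str, default_realm: str) -> Optional[str]:
    """DEFAULT: a one-component principal in the default realm maps to that component."""
    comps, realm = split_principal(principal)
    if len(comps) == 1 and realm == default_realm:
        return comps[0]
    return None


def auth_to_local(principal: str, entries: List[str],
                  default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Evaluate the auth_to_local entries in order; the first hit wins."""
    for entry in entries:
        if entry == "DEFAULT":
            result = apply_default(principal, default_realm)
        elif entry.startswith("RULE:"):
            result = apply_rule(parse_rule(entry[len("RULE:"):]), principal)
        else:
            raise ValueError(f"unsupported auth_to_local entry: {entry!r}")
        if result is not None:
            return result
    return None                                  # no mapping at all: login is refused


if __name__ == "__main__":
    entries = [QUESTION_RULE, "DEFAULT"]
    # Constructed inputs: only the first principal comes from the question.
    for p in ("testUser1/Admins@HOME.COM", "testUser1@HOME.COM",
              "bob/Users@HOME.COM", "testUser1/Admins@OTHER.COM"):
        print(f"{p:28} -> {auth_to_local(p, entries)}")
```

Running it shows that the question's rule turns the principal testUser1/Admins@HOME.COM into the local name testUser1, a one-component principal falls through to DEFAULT, and a two-component principal in another group or another realm gets no mapping at all. The rule therefore only decides which authenticated principals are accepted for a local account; it never chooses the principal that a login name authenticates as, which is what the KDC log in the question reflects.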

1 Answer

0
votes

I was able to solve this problem through the use of the SSSD option, ldap_user_principal.

I defined a new attribute and objectclass in the LDAP database which will hold the target principal name. I then added the new objectclass (krbHelper) and attribute (principalName) to the LDAP entry holding user information.

dn: uid=testUser1,ou=People,dc=home,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbHelper
uid: testUser1
-
-
principalName: testUser1/Admins@HOME.COM
-

Inside the sssd.conf file, I then set the value of the option ldap_user_principal to the new attribute.

ldap_user_principal = principalName

I am now able to log in via SSH with principals containing more than two components.

Another potential solution would be to define aliases for the principal LDAP entries using krbCanonicalName and additional krbPrincipalName attributes as outlined in the end of this documentation (https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_ldap.html). The SSSD option krb5_canonicalize would then be set to true to canonicalize the login principal name.

Testing with kinit -C allowed me to successfully perform an initial ticket request for two-component principal names. However, I was unable to test this with SSSD as the krb5_canonicalize option is unavailable in the SSSD version I am using.