In our environment we do not join Linux boxes to the Microsoft Domain. We do, however, set up Kerberos. This allows us to log into the boxes using our AD credentials as long as there is a local account with the same name. However, when I use sudo it only accepts my local credentials. How can I use my AD password with sudo? Thanks.
- How exactly did you "setup Kerberos"? – Michael Hampton Feb 27 '14 at 14:44
- Just created a krb5.conf file. – CJONES Feb 27 '14 at 15:04
- Did you configure /etc/pam.d/sudo to use pam_krb5.so? What distro are you using? – c4f4t0r Feb 27 '14 at 15:06
- Hmm, I'll have to check. Good point. – CJONES Feb 27 '14 at 15:08
- @ChrisJones I missed that you are using Red Hat; try with authconfig --enablekrb5 --updateall – c4f4t0r Feb 27 '14 at 15:33
1 Answer
Seems like it's a PAM configuration issue. I have a similar setup on our Linux servers---Kerberos authentication against our AD DCs. Below are the relevant PAM files for comparison.
First, the system-auth PAM config, which the sudo config depends on:
# cat /etc/pam.d/system-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
As you can see, this includes the pam_krb5.so module used for Kerberos.
The sudo PAM config files include system-auth and look like this:
# cat /etc/pam.d/sudo
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
# cat /etc/pam.d/sudo-i
#%PAM-1.0
auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
session required pam_limits.so
PAM could be very powerful but it took me a bit to get my head wrapped around it. Red Hat's documentation helped me out a lot when dealing with PAM issues.

Belmin Fernandez
- All this is fine, but you really need to have a host keytab on the machine. If you don't, then the security of Kerberos is compromised and can be spoofed with MITM attacks. – Fred the Magic Wonder Dog Mar 25 '14 at 14:33
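The answer's point is that sudo only reaches pam_krb5.so through the include chain sudo-i -> sudo -> system-auth, so a quick way to check a box is to flatten that chain and see which modules the auth group actually contains. The script below is an added example, not code from the question or answer; it resolves include/substack lines the way Linux-PAM does and ships with constructed excerpts of the three files above, while load_pamd() (an assumed helper name) reads the real /etc/pam.d when you want to check a live host.

```python
import re
from pathlib import Path

# Constructed excerpts of the three files shown in the answer (auth lines plus
# one bracketed account line); a real run reads them from /etc/pam.d instead.
SAMPLE_PAMD = {
    "system-auth": """#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
""",
    "sudo": "#%PAM-1.0\nauth include system-auth\naccount include system-auth\n",
    "sudo-i": "#%PAM-1.0\nauth include sudo\naccount include sudo\n",
}
# type, control (single word or [bracketed ...]), module, optional arguments
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def load_pamd(directory="/etc/pam.d"):
    """Read every file in a pam.d directory into {service: text}."""
    return {p.name: p.read_text() for p in Path(directory).iterdir() if p.is_file()}

def resolve_stack(service, pam_type, files, depth=0):
    """Flatten one management group (auth, account, ...) of a service,
    following 'include'/'substack' lines; returns [(control, module, args)]."""
    if depth > 8:
        raise RuntimeError(f"include loop while resolving {service}")
    stack = []
    for raw in files.get(service, "").splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1).lstrip("-") != pam_type:  # leading '-' = optional module
            continue
        control, module, args = m.group(2), m.group(3), m.group(4)
        if control in ("include", "substack"):
            stack.extend(resolve_stack(module, pam_type, files, depth + 1))
        else:
            stack.append((control, module, args))
    return stack

def uses_kerberos(service, files):
    """True if pam_krb5.so appears anywhere in the service's resolved auth stack."""
    return any(mod == "pam_krb5.so" for _, mod, _ in resolve_stack(service, "auth", files))

if __name__ == "__main__":
    for svc in ("sudo", "sudo-i"):
        print(svc, "-> kerberos:", uses_kerberos(svc, SAMPLE_PAMD))
        for entry in resolve_stack(svc, "auth", SAMPLE_PAMD):
            print("   ", *entry)
```

Run it against load_pamd() on the host in question; if sudo's flattened auth stack never reaches pam_krb5.so, that is why only the local password works.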