Tutorial Ubuntu - Kerberos authentication on the Active Directory

Would you like to learn how to configure the Ubuntu Linux to authenticate on the Active Directory using Kerberos? In this tutorial, we are going to show you how to authenticate Ubuntu users using the Kerberos protocol on the Active directory.

• Ubuntu 20
• Ubuntu 19
• Ubuntu 18
• Windows 2012 R2

In our example, the domain controller IP address is 192.168.15.10.

In our example, the Linux server IP address is 192.168.15.11.

Ubuntu Related Tutorial:

On this page, we offer quick access to a list of tutorials related to Ubuntu.

List of Tutorials

Tutorial Ubuntu – Kerberos authentication on the Active Directory

• IP – 192.168.15.11
• Operacional System – Ubuntu 20
• Hostname – UBUNTU01

Edit the HOSTS configuration file.

Copy to Clipboard

Add the domain controller IP address and hostname.

Copy to Clipboard

Install the required packages to enable Kerberos authentication.

Copy to Clipboard

On the Graphic installation, perform the following configuration:

• Kerberos realm – TECH.LOCAL
• Kerberos server – TECH-DC01.TECH.LOCAL
• Administrative server – TECH-DC01.TECH.LOCAL

You need to change the domain information to reflect your Network environment.

Edit the Kerberos configuration file.

Copy to Clipboard

Here is the file, before our configuration.

Copy to Clipboard

[libdefaults]
        default_realm = TECH.LOCAL
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
[realms]
        TECH.LOCAL = {
                kdc = TECH-DC01.TECH.LOCAL
                admin_server = TECH-DC01.TECH.LOCAL
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }
[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

Here is the file, after our configuration.

Copy to Clipboard

You need to change the domain information to reflect your Network environment.

Start a Kerberos session as the domain Administrator.

Copy to Clipboard

List the Kerberos session.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Add the Linux server as a domain computer.

Copy to Clipboard

You need to change the domain information to reflect your Network environment.

You need to change the Hostname.

Stop the Kerberos session as the domain Administrator.

Copy to Clipboard

Move the key file to the correct location.

Copy to Clipboard

Create a configuration file for the SSSD service.

Copy to Clipboard

Here is the file content.

Copy to Clipboard

You need to change the domain information to reflect your Network environment.

You need to change the Hostname.

Set the correct file permission.

Copy to Clipboard

Edit the PAM configuration file.

Copy to Clipboard

Locate the following line.

Copy to Clipboard

After this line, insert the following configuration.

Copy to Clipboard

As an example, here is the content of our configuration file.

Copy to Clipboard

Restart the SSD service.

Copy to Clipboard

Congratulations! You have configured the Ubuntu authentication to use the Kerberos protocol.

Tutorial Ubuntu – Testing the Kerberos authentication

Test the Kerberos authentication by starting a new SSH session using an Active Directory domain account.

Copy to Clipboard

On the login prompt, enter the domain password for the Active Directory account.

After a successful authentication, list the Kerberos sessions created.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

List the account groups.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

You have successfully tested the Kerberos authentication on Ubuntu Linux.

Ubuntu – Kerberos authentication on the Active Directory

Ubuntu – Kerberos authentication on the Active Directory

Ubuntu Related Tutorial:

Tutorial Ubuntu – Kerberos authentication on the Active Directory

Tutorial Ubuntu – Testing the Kerberos authentication

Related Posts