PrivacyIdea + Kerberos

Hello all,

I haven’t found any decent setup instructions online unfortunately, so I’ll ask here.
Is there an actual step by step guide to connect PrivacyIdea via LDAP with Kerberos?

I can only find documentation for connecting with Python, but nothing for the “normal” repository installation.
(concept: LDAP resolver with Kerberos auth · privacyidea/privacyidea Wiki · GitHub)
Since the connection via NTLM is no longer considered secure, I wanted to switch to Kerberos, but have had no luck with my attempts so far.

Maybe someone here has a simple solution in store :slight_smile:

As additional information:
I installed PrivacyIdea via the repository with the nginx web server. Everything runs on an Ubuntu 22.

Nobody has an idea?
Too bad :frowning:
Do you really still use NTLM?

Hey,
I haven't really tested it yet.
But can you provide some Logs?

Is krb5 installed on your System?
Firewall: Kerberos port 88 open?
Does krb5 work from your system (kinit)?

Remember you’ll need a keytab file :smiley:
Just some ideas.

Hi!

Sorry I’m only getting back to you now, but I’m only now getting around to dealing with the problem.

I have installed the following packages:
# apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
Then I did the AD join of the server.
# realm join --verbose --user=username@DOMAIN.COM
That has also worked so far.
With id username@DOMAIN.COM I can read out the user’s current information.

I then tried to create the keytab file.
Of course, the necessary packages had to be installed for this.
So I installed the following packages:
# apt install krb5-user libkrb5-dev python3-dev gcc

Then only gssapi had to be installed.

root@ubuntu2204:~# source /opt/privacyidea/bin/activate
(privacyidea) root@ubuntu2204:~# pip install gssapi

I then tried to create the keytab file:

# ktutil
# addent -password -p service.privacyidea@DOMAIN.COM -k 1 -e AES256-SHA1
# list
# wkt privacyidea.keytab
# exit

Apparently this also worked.
However, if I now want to authenticate myself with the file, this does not work.

kinit: Preauthentication failed while getting initial credentials

As a result, it does not work in PrivacyIdea either.
I see this error message there:
MissingCredentialsError("Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639053): Can't find client principal service.privacyidea@DOMAIN.COM in cache collection")

The authentication with user name and password works without any problems.

The AD join of the server was also not as easy as many instructions describe, as some parameters or requirements have changed over time.
This has made things much more difficult up to this point. :frowning:

Okay small update.
The local authentication now works.
After a long search, I found a post on the Internet that points to the totally stupid behavior of setting the salt.
If you enter the salt for the keyfile manually, it works.
Like this:
addent -password -p service.privacyidea@DOMAIN.COM -k 1 -e AES256-SHA1 -s "DOMAIN.COMservice.privacyidea"

Now I just need PrivacyIdea.
I am now getting this error there:
GSSError('Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638919): Server not found in Kerberos database')

My krb5.conf now looks like this:

[libdefaults]
  default_realm = DOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc   = false
  rdns = false
  udp_preference_limit = 0
  default_keytab_name = /etc/krb5.keytab
[realms]
  DOMAIN.COM = {
   kdc = dc01.domain.com
   default_domain = DOMAIN.COM
  }

[domain_realm]
   .domain.com = DOMAIN.COM

And my sssd.conf looks like this:

[sssd]
domains = DOMAIN.com
config_file_version = 2
services = nss, pam

[domain/DOMAIN.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = DOMAIN.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = DOMAIN.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
dns_resolver_use_search_list = False
ad_server = dc01.domain.com
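As an added example (my own script, not privacyIDEA's code), a stdlib-only check that reads a krb5.conf like the one above, derives the AD user-key salt that the ktutil step needed, the ldap/ service principal a GSSAPI LDAP bind will request from the KDC, and the kinit -kt command that validates the keytab before the resolver uses it. The embedded config is constructed from the post; the keytab path and account name are placeholders.

```python
import re
import shutil
import subprocess

# Constructed sample: the krb5.conf from the post above, trimmed to the keys read here.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = DOMAIN.COM
  rdns = false
[realms]
  DOMAIN.COM = {
   kdc = dc01.domain.com
  }
"""

def parse_krb5_conf(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf-style text."""
    default_realm, realms, section, realm = None, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            continue
        key = line.split("=", 1)[0].strip()
        if section == "libdefaults" and key == "default_realm":
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms":
            start = re.match(r"^(\S+)\s*=\s*\{$", line)
            if start:
                realm = start.group(1)
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and key == "kdc":
                realms[realm].append(line.split("=", 1)[1].strip())
    return default_realm, realms

def ad_user_salt(realm, account):
    """AD salts user-account keys with REALM + sAMAccountName; ktutil must get it via -s."""
    return realm.upper() + account

def ldap_spn(server, realm):
    """Principal a GSSAPI LDAP bind asks the KDC for. AD registers ldap/<DC FQDN>, so the
    resolver must name the DC by that FQDN; an IP address yields an SPN no KDC knows."""
    return f"ldap/{server.lower()}@{realm.upper()}"

def keytab_check_cmd(keytab, principal):
    """kinit -kt proves the keytab's key (and salt) is right before privacyIDEA uses it."""
    return ["kinit", "-kt", keytab, principal]

if __name__ == "__main__":
    realm, realms = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("SPN needed:", ldap_spn(realms[realm][0], realm))
    print("ktutil salt:", ad_user_salt(realm, "service.privacyidea"))
    cmd = keytab_check_cmd("privacyidea.keytab", f"service.privacyidea@{realm}")
    if shutil.which("kinit"):  # only run the real check where krb5-user is installed
        print("kinit exit status:", subprocess.run(cmd).returncode)
```

Run it on the host's real /etc/krb5.conf to confirm the SPN being requested matches the DC name the resolver is configured with.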