Mount a Windows CIFS share on *nix servers using Kerberos auth. Step-by-Step.

In this example I will use Kerberos to authenticate my Linux server against Active Directory and use those credentials to mount a CIFS share.
My lab

dc02.digitalbears.net - Domain controller
lpi2.digitalbears.net - Linux (CentOS 7)

First we need to create an object in AD which we will use for authentication. We could use a machine account, but then you would have to regenerate the keytab
every time the machine changes its password (you can't set "password never expires" on a computer object). To avoid this, we will create a user
object in AD.

We will use the user lpi@digitalbears.net, created in AD.
You should add an SPN for this account for the Linux server with FQDN lpi2.digitalbears.net (this is a kind of delegation which allows your lpi2.digitalbears.net
host to obtain Kerberos service tickets on behalf of the lpi@digitalbears.net user account).

To do this, run the following from a Windows host with AD permissions:

Now you need to generate the keytab file which you will use on the CentOS server. Do it in the same cmd.exe/powershell.exe session:

pass - password for lpi@digitalbears.net
princ - "host" covers many services, CIFS among them; "lpi2.digitalbears.net" is my Linux server's FQDN; @digitalbears.net is my domain name (the realm part must be specified in uppercase)
mapuser - the user account for which the keytab is generated

Now transfer C:\krb.keytab to lpi2.digitalbears.net, then from an ssh console:

Paste the following, but replace digitalbears.net with your domain name in uppercase (the realm) and digitalbears.net with your domain name in lowercase (the DNS domain)

Save the changes.
Check that no Kerberos tickets are present on the system yet:

Then generate a Kerberos ticket using your keytab file. (You can remove the ticket again by running the kdestroy command.)

You can see that the Kerberos ticket has been obtained, and now we are ready to mount:

You are done; you can access this shared folder with the permissions the admin set up for lpi@digitalbears.net on that folder.
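The Linux side of this procedure as an added example (not code from the original post): a helper script that writes a minimal krb5.conf with the realm in uppercase and the DNS domain in lowercase, refuses to use a keytab that is readable by anyone but its owner, gets a ticket from the keytab with kinit, and mounts the share with sec=krb5. The lab names are the post's; the keytab path /etc/krb5.keytab, the share name data and the mount point /mnt/data are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: Linux-side helpers for the
# Kerberos CIFS mount. Realm, domain and host names come from the post's lab;
# the keytab path, share name and mount point are assumptions.

KRB_REALM="DIGITALBEARS.NET"    # Kerberos realm: always uppercase
KRB_DOMAIN="digitalbears.net"   # DNS domain: lowercase
KEYTAB="/etc/krb5.keytab"       # assumed destination of the transferred krb.keytab

# Render a minimal krb5.conf: realm in uppercase, DNS names in lowercase,
# and a domain_realm mapping so host names resolve to the right realm.
render_krb5_conf() {
    realm="$1"; domain="$2"; kdc="$3"
    printf '%s\n' \
        '[libdefaults]' \
        "    default_realm = $realm" \
        '    dns_lookup_kdc = true' \
        '    dns_lookup_realm = false' \
        '' \
        '[realms]' \
        "    $realm = {" \
        "        kdc = $kdc" \
        '    }' \
        '' \
        '[domain_realm]' \
        "    .$domain = $realm" \
        "    $domain = $realm"
}

# The keytab is a long-lived credential equivalent to the account password.
# Prints "ok" only when group and other have no read bit; "insecure" otherwise.
keytab_mode_check() {
    f="$1"
    [ -f "$f" ] || { echo "missing"; return 1; }
    case "$(ls -ld "$f" | cut -c5-10)" in
        *r*) echo "insecure"; return 1 ;;
        *)   echo "ok" ;;
    esac
}

# Compose the mount command. sec=krb5 makes the kernel ask cifs.upcall for a
# service ticket from the cache of the uid given by cruid (0: root's cache,
# filled by the kinit below). vers=3.0 is an assumption for the lab DC.
build_mount_cmd() {
    server="$1"; share="$2"; mountpoint="$3"
    echo "mount -t cifs //$server/$share $mountpoint -o sec=krb5,cruid=0,vers=3.0"
}

# Full procedure as run on lpi2 as root (needs krb5-workstation, cifs-utils, keyutils).
run_mount() {
    keytab_mode_check "$KEYTAB" >/dev/null || { echo "fix keytab permissions first (chmod 600)" >&2; exit 1; }
    [ -f /etc/krb5.conf ] || render_krb5_conf "$KRB_REALM" "$KRB_DOMAIN" "dc02.$KRB_DOMAIN" > /etc/krb5.conf
    kdestroy -A 2>/dev/null || true                              # start from an empty cache, as in the post
    kinit -k -t "$KEYTAB" "host/lpi2.$KRB_DOMAIN@$KRB_REALM"     # ticket from the keytab, no password prompt
    klist                                                        # show the obtained TGT
    mkdir -p /mnt/data
    eval "$(build_mount_cmd "dc02.$KRB_DOMAIN" data /mnt/data)"
}

# Only run the procedure when invoked explicitly: sh krb5-cifs-mount.sh run
if [ "${1:-}" = "run" ]; then run_mount; fi
```

mount.cifs with sec=krb5 obtains the service ticket through cifs.upcall, so cifs-utils (which ships the request-key configuration the kernel needs) and keyutils must be installed. Because the keytab stands in for the lpi@digitalbears.net password, it should stay root-owned with mode 0600; keytab_mode_check enforces that before anything else runs.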

CentOS 7. Installing and configuring Pam Radius.

Here is the third part about how to install and configure two-factor authentication using an open source solution.

In the first article we installed the LinOTP2 server.
In the second article FreeRADIUS was installed and configured to work with LinOTP.

Now we are going to install and configure pam_radius on our CentOS 7 server.
Add the EPEL repository and put our RADIUS server IP and its secret into the config

insert the following line

it should look like:

Now add the user for which a token is already enrolled.

Let's try to access this host by ssh:

And now we are done.
Have a nice day.
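The client-side configuration from the steps above as an added example, not the post's own commands: a script that writes the pam_radius server line with root-only permissions and inserts pam_radius_auth.so ahead of the first auth line of a PAM service file. The RADIUS server address is the lab's 172.17.14.103; the secret is a placeholder, and the config path /etc/pam_radius.conf is assumed to be the one the EPEL build reads.

```shell
#!/bin/sh
# Added example, not from the original post: configure pam_radius on the
# CentOS 7 client. File paths are parameters so the functions can be tried on
# copies first; the server IP is from the lab, the secret is a placeholder and
# /etc/pam_radius.conf is assumed to be the path the EPEL package reads.

# pam_radius.conf line format: server[:port]  shared_secret  timeout_seconds
# The file holds the shared secret, so it is created root-only (0600).
write_pam_radius_conf() {
    conf="$1"; server="$2"; secret="$3"; timeout="${4:-3}"
    ( umask 077; printf '%s\t%s\t%s\n' "$server" "$secret" "$timeout" > "$conf" )
}

# Put "auth <control> pam_radius_auth.so" in front of the first auth line of a
# PAM service file (e.g. /etc/pam.d/sshd) so the OTP check runs before the
# local password stack. Idempotent: a file that already has the module is left alone.
add_pam_radius_auth() {
    pamfile="$1"; control="${2:-sufficient}"
    grep -q 'pam_radius_auth.so' "$pamfile" && return 0
    awk -v ctl="$control" '
        /^auth/ && !done { printf "auth       %-12s pam_radius_auth.so\n", ctl; done = 1 }
        { print }
    ' "$pamfile" > "$pamfile.tmp" && mv "$pamfile.tmp" "$pamfile"
}

# Report the module on the first auth line, for checking the result.
first_auth_module() {
    awk '/^auth/ { print $3; exit }' "$1"
}

# Count pam_radius lines (should be exactly 1 after add_pam_radius_auth).
pam_radius_line_count() {
    grep -c 'pam_radius_auth.so' "$1"
}

# Actual rollout on the client (run as root):
#   yum install -y epel-release && yum install -y pam_radius
#   write_pam_radius_conf /etc/pam_radius.conf 172.17.14.103 'CHANGE-ME-SECRET'
#   add_pam_radius_auth /etc/pam.d/sshd
#   useradd MTokarev        # local account matching the user enrolled in LinOTP
```

Note the control flag: with sufficient, a RADIUS failure falls through to the rest of the stack, so a user who knows the local password still gets in without a token, and an unreachable RADIUS server silently degrades ssh to single-factor. If the OTP is meant to be mandatory, pass required (or requisite) as the second argument and accept that lost RADIUS connectivity locks users out of ssh until it is restored.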

LinOTP. FreeRadius Server Integration.

Hi Everyone,

We will install FreeRADIUS and pair it with LinOTP here.
You can put FreeRADIUS on a separate server if you want.

Remove the default config file and create a new one with our client IP and secret

Now change the URL to your IP and change the REALM name to the realm you created in the first part:

To test RADIUS from the client (CentOS 7, 172.17.14.29 in my case), you should run:

If access is granted, then you have successfully installed FreeRADIUS and paired it with LinOTP:

MTokarev - username
607918 - my passcode
172.17.14.103 - RADIUS server IP
0 - port (just leave it unchanged)
11122928 - your client secret

In the next part we'll configure the client host to use pam_radius and try to authenticate with an OTP.
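Two pieces around the test above, added here and not part of the original post: the clients.conf entry for the CentOS client, and a small parser that turns radtest output into granted/denied/no-reply, which is easier to script than reading the packet dump. The client IP and the radtest argument order are the post's; the shared secret is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: the FreeRADIUS client entry for
# the CentOS box and a parser for radtest output. IPs and the radtest
# argument order are the ones from the post; the secret is a placeholder.

# Render a clients.conf entry. require_message_authenticator makes the server
# drop requests without a valid Message-Authenticator (HMAC-MD5 over the packet
# keyed with the shared secret), so a host that only spoofs the client IP
# cannot use the server to test passcodes.
render_radius_client() {
    name="$1"; ip="$2"; secret="$3"
    printf '%s\n' \
        "client $name {" \
        "    ipaddr = $ip" \
        "    secret = $secret" \
        "    require_message_authenticator = yes" \
        "}"
}

# Classify radtest/radclient output read from stdin:
#   granted  - an Access-Accept came back
#   denied   - Access-Reject (wrong PIN/OTP, or the user is not in the realm)
#   no-reply - no packet at all: server unreachable, UDP/1812 filtered, or this
#              client's IP is not in clients.conf (unknown clients are dropped silently)
radius_verdict() {
    out=$(cat)
    case "$out" in
        *Access-Accept*) echo "granted" ;;
        *Access-Reject*) echo "denied" ;;
        *)               echo "no-reply" ;;
    esac
}

# radtest user password server nas-port secret: the same argument order as in
# the post. The "password" is the OTP PIN followed by the current token value.
radius_test() {
    user="$1"; passcode="$2"; server="$3"; secret="$4"
    radtest "$user" "$passcode" "$server" 0 "$secret" 2>&1 | radius_verdict
}

# Example run from client1 (172.17.14.29):
#   radius_test MTokarev 607918 172.17.14.103 'CHANGE-ME-SECRET'
```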

Two Factor Authentication. Installing LinOTP. Step-By-Step Guide.

Welcome to the first part of the "How to install One Time Password Authentication" series.

Here is my test lab:

deb7.digitalbears.net 172.17.14.103 - LinOTP server + FreeRADIUS on Debian 7.9
client1.digitalbears.net 172.17.14.29 - client on CentOS 7

The LinOTP server requires a database to store tokens and a web server to provide the management interface.

LinOTP supports identity sources such as LDAP, SQL and files (/etc/passwd, for example); these are called UserIDResolvers.

You can combine UserIDResolvers into Realms, which lets you apply policies per Realm.

We will use an LDAP UserIDResolver in our lab and pair it with a newly created Realm.
At the end of this article we will be able to create and assign tokens to LDAP users. I will use "Microsoft Authenticator" as my software token (Google Authenticator is also supported).

Let’s start.

Set a password for the MySQL root account


Let's create a DB for LinOTP

Now we need to add the repository for LinOTP

Click yes to install Apache2.
Specify a password for the management console (digest authentication will be configured for the management web console).


Agree to the certificate generation prompt.

Select MySQL as the token database.

We will store the MySQL database on the same host, so click OK.

You can change the DB name if you want.


Specify a password for the DB user.

All settings will be stored in /etc/linotp2/linotp.ini.

Now you can access LinOTP at https://172.17.14.103/manage/

Use the username admin and the password you specified above.
Select LDAP as the resolver type. When you click Save and Close, Realm creation will start automatically.


Click New, hold the CTRL key and select the resolver you just created.


Now you should see all users from the LDAP server.
Let's assign a token to my user. Select the user and click Enroll. (You can set an OTP PIN if you want; by default the user must enter the OTP PIN followed by the OTP
passcode to get access. If the OTP PIN is 123456 and the passcode from your token is 333444, then you should enter 123456333444.)


Time must be synchronized across your devices, because the token is time based.

Click Enroll, scan the QR code with your application, and you are done.


You can test your deployment by accessing:

https://172.17.14.103/validate/check?user=MTokarev&pass=123456526027

My OTP PIN is 123456 and the OTP passcode is 526027.


You should see status and value both true in case of success.
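Scripting the validate/check test above, as an added example that is not part of the original post: a function that decides success from the JSON body (both status and value must be true) and a wrapper that sends the credentials as a POST body instead of a query string. Host, user, PIN and passcode are the post's; the CA certificate path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: checking an OTP against LinOTP's
# /validate/check endpoint. Host, user, PIN and passcode come from the post;
# the CA certificate path is an assumption.

LINOTP_HOST="172.17.14.103"
LINOTP_CA="/etc/pki/tls/certs/linotp-ca.pem"   # assumed: the server cert generated at install time, exported

# Decide success from the JSON body. LinOTP answers
#   {"result": {"status": true, "value": true}, ...}
# status=false means the request itself failed (unknown realm, server error);
# value=false means a well-formed request with a wrong PIN/OTP. Only both true
# is a pass. Whitespace is stripped first so only tr and case are needed.
linotp_result() {
    body=$(tr -d ' \n\t\r')
    case "$body" in *'"status":true'*) ;; *) echo "error"; return 1 ;; esac
    case "$body" in *'"value":true'*)  echo "ok" ;; *) echo "rejected"; return 1 ;; esac
}

# Send the check as a POST. The post's example puts pin+otp in the query
# string, which Apache writes to its access log; a form body does not end up there.
linotp_check() {
    user="$1"; pass="$2"
    curl -sS --cacert "$LINOTP_CA" \
        --data-urlencode "user=$user" \
        --data-urlencode "pass=$pass" \
        "https://$LINOTP_HOST/validate/check" | linotp_result
}

# Usage (PIN 123456 followed by token value 526027, as in the post):
#   linotp_check MTokarev 123456526027
```

The GET form in the post works, but the PIN and OTP then appear in Apache's access log and in the shell history; --data-urlencode keeps them out of the URL. --cacert pins the certificate generated during installation instead of disabling verification with -k, so the "value": true answer is known to come from the LinOTP server and not from whatever sits between client and server.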


In the next part we will install a FreeRADIUS server and integrate it with LinOTP.
Then we will install PAM on our client and point it at the RADIUS server.

Part 2 - Installing and configuring the FreeRADIUS server.

Have a nice day.

How to centralize local administrator password changes (LAPS).

Dear All,

I've written an article about how to change the password for local admins without using scripts (net user, for example) in a GPO, which would contain the password in plain text.
MS has released a better way to do it: Local Administrator Password Solution (LAPS).

Now if you share a local admin password with someone (or if the password gets decrypted), they can't use it to access other computers, because each computer has its own randomized password.

Here is some magic about how it works:

LAPS extends the Active Directory schema with two new attributes:
1) ms-Mcs-AdmPwd - stores the password in clear text (by default only domain admins can read it; you can delegate access to the help desk, for example).
2) ms-Mcs-AdmPwdExpirationTime - when the local admin password expires and is changed to a new value.
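An added example, not from the original post, for checking the second attribute from a Linux host: ms-Mcs-AdmPwdExpirationTime is stored as a Windows FILETIME, so the script converts it to Unix time and reports whether the password is due for rotation; a second function fetches the value over LDAP with a Kerberos ticket. The attribute names are the ones listed above; the domain controller, base DN, computer name and the use of ldapsearch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: reading the LAPS expiration
# attribute from a Linux host and interpreting it. Attribute names are the two
# the post lists; the LDAP server, base DN and computer name are assumptions.

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100 ns intervals since
# 1601-01-01 00:00 UTC. 11644473600 seconds separate that epoch from the Unix epoch.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# "expired" when the stored time is at or before "now" (epoch seconds, default:
# current time): the client-side extension will rotate the password on its next
# policy refresh. "valid" otherwise.
admpwd_state() {
    exp=$(filetime_to_epoch "$1"); now="${2:-$(date +%s)}"
    if [ "$exp" -le "$now" ]; then echo "expired"; else echo "valid"; fi
}

# Pull the attribute for one computer with a Kerberos ticket (kinit first;
# needs openldap-clients). The expiration time is an ordinary attribute;
# ms-Mcs-AdmPwd itself is only returned to principals holding the extended
# right on the computer object, which is what the delegation step below controls.
admpwd_expiry_query() {
    server="$1"; base="$2"; computer="$3"
    ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$server" -b "$base" \
        "(sAMAccountName=$computer\$)" ms-Mcs-AdmPwdExpirationTime \
        | awk -F': ' '/^ms-Mcs-AdmPwdExpirationTime:/ { print $2 }'
}

# Usage (assumed names):
#   admpwd_state "$(admpwd_expiry_query dc02.digitalbears.net 'DC=digitalbears,DC=net' WS01)"
```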

You should install the Group Policy client-side extension on the computers you plan to manage. You can do this by Group Policy or with SCCM.
To create the Group Policy, install LAPS with the GPO templates on the machine from which the Group Policy will be created.

You should also grant the computers write access to their own attributes.

I will do all tasks from the Domain Controller. You can download LAPS from here: x64 and x86, or from Microsoft.

Let’s start:

Install LAPS with all management tools enabled.


Run PowerShell as a user who has Schema Admin rights and run


To check who can view the password you can run


Let's give the computers write access


Now only domain admins can read local admin passwords. You can delegate access to any security group


You must install the client, which extends the Group Policy engine, on the managed computers. You can do this by GPO.

Here is a command line for a quiet installation:

Now you need to create the GPO


After the computers update their policy, you can check the local admin password from the LAPS UI


Or from PowerShell with the Active Directory module
