Use Centrify GPOs to Create and Distribute a Customized Kerberos Configuration File (/etc/krb5.conf)

By Centrify, 05-07-2018 02:03 PM

Today we are going to use two Centrify GPOs to create a custom krb5.conf file and distribute it to our Unix/Linux systems:

ComputerConfiguration -> Policies -> CentrifySettings -> Common UNIX Settings -> "Copy files"

ComputerConfiguration -> Policies -> CentrifySettings -> DirectControlSettings -> "Add centrifydc.conf properties"

Step 1

Our first action is to create the new file; I'm calling it "custom-krb5.conf". In order for the file to be parsed correctly, you will need to include the section headers as seen below in the contents of the file. I am also adding one specific value that will be merged into the existing krb5.conf on the destination server.

Please note that this file will NOT delete any existing values; it only overwrites existing parameters or adds new ones. For example, the custom file will add the key-value pair located under [kdc] (below) if it is absent, or update the value from its previous state if it is present: kdc_timeout = 150 would become kdc_timeout = 300.


custom-krb5.conf contents:

++++++++++++++++++++++++++
[libdefaults]
[default_realm]
[realms]
[capaths]
[plugins]
[appdefaults]
[login]
[logging]
[dbdefaults]
[dbmodules]
[kdcdefaults]
[kdc]
kdc_timeout = 300
[kadmin]
[password_quality]
[otp]
++++++++++++++++++++++++++


Step 2

Next we need to enable the first GPO, which will copy our custom file to the destination server:

ComputerConfiguration -> Policies -> CentrifySettings -> Common UNIX Settings -> "Copy files"


Note that the file must be placed in the \\domain.net\SYSVOL\domain.net\ directory to be accessed by the GPO. You will also need to specify the path and permissions for the file's destination.


Step 3

With the copy-file GPO in place, we now have to direct the Centrify agent on each machine to the location of the new file. Enable the second GPO, which sets a parameter in /etc/centrifydc/centrifydc.conf, via:

ComputerConfiguration -> Policies -> CentrifySettings -> DirectControlSettings -> "Add centrifydc.conf properties"


Here we enter the parameter's key and the parameter's value. The centrifydc.conf file itself documents this parameter in more detail; I have posted that excerpt at the end of this blog.

# adclient.krb5.conf.file.custom: file:/tmp/custom-krb5.conf 


Step 4

Run <adgpupdate> on the destination server (for immediate testing), or wait for the interval after which group policy is refreshed within the domain.

The GPOs will copy the file to the server and alter centrifydc.conf to point at the new file, which in turn updates your krb5.conf. If the changes are not present immediately after the GPO update, run <adreload>. You can check whether the GPOs were applied on your Unix/Linux machines by reviewing the output of <adgpresult>.


Your custom krb5.conf file is now complete and distributed to your environment.


/etc/centrifydc/centrifydc.conf (excerpt, version 5.4.3)

#
# This parameter enables merging of custom krb5.conf entries into the existing krb5.conf.
# Specify the path to a syntactically valid custom krb5.conf file. (see format below)
# For the directives [libdefaults], [domain_realm] and [realms],
# the new keyword = value pairs will be added in the corresponding directive
# to the existing krb5.conf. New realms will also be added under [realms].
# If a keyword already exists in the original file, the keyword entry from the
# custom file will be discarded. (WARN messages will be displayed in the log on every conflict)
# For the additional sections like [capaths], [appdefaults], [plugins], [login],
# [logging], [dbdefaults], [dbmodules], [kdcdefaults], [kdc], [kadmin], [password_quality], [otp],
# the entire section from the custom file will be added directly into the original krb5.conf,
# and overwrite any existing entries in those sections.
# By default, this parameter is not enabled, and the default value is an empty string
#
# Note:
# 1) The specified custom file must be owned by root.
# 2) For Mac, the configuration parameter adclient.krb5.autoedit must be set to true
#
# ---------------------------------------------------------------------
# Expected Format of the Custom Krb5.conf:
#
# [libdefaults]
# keyword1 = value1
# keyword2 = value2
# [default_realm]
# domain = realm
# hostname = realm
# [realms]
# REALM1 = {
# tag1 = value1
# tag2 = value2
# }
# REALM2 = {
# tag1 = value1
# }
# [capaths]
# to-be-copied-as-is
# [plugins]
# to-be-copied-as-is
# [appdefaults]
# to-be-copied-as-is
# [login]
# to-be-copied-as-is
# [logging]
# to-be-copied-as-is
# [dbdefaults]
# to-be-copied-as-is
# [dbmodules]
# to-be-copied-as-is
# [kdcdefaults]
# to-be-copied-as-is
# [kdc]
# to-be-copied-as-is
# [kadmin]
# to-be-copied-as-is
# [password_quality]
# to-be-copied-as-is
# [otp]
# to-be-copied-as-is
# ---------------------------------------------------------------------
#
#
# adclient.krb5.conf.file.custom: file:/path/root-owned-custom-krb5.conf
#
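As an added illustration (not Centrify's code, and not from the original post), the following Python models the merge rules quoted in the excerpt above together with the Step 1 "overwrite or add, never delete" behaviour: keywords in [libdefaults], [domain_realm]/[default_realm] and [realms] are added only when absent and otherwise discarded with a WARN line, while entries in the remaining sections overwrite or are added. The sample existing and custom files are constructed. Three points are assumptions about adclient rather than statements from the page: the overwrite is modeled per key (which is what the post's kdc_timeout 150 -> 300 example describes), a bare section header such as the ones in the Step 1 file is treated as a no-op, and [default_realm] is handled like [domain_realm] because the excerpt names that section both ways.

```python
"""Model of the krb5.conf merge rules quoted from the centrifydc.conf excerpt above.
Added illustration only (adclient does the real merge); sample inputs are constructed."""
import re

# [libdefaults]/[domain_realm]/[realms]: new keywords are added; a keyword that already
# exists keeps its original value and the custom entry is discarded with a warning.
ADD_ONLY = {"libdefaults", "domain_realm", "default_realm", "realms"}  # both spellings
# Remaining sections: custom entries overwrite or are added (assumption: per key).
OVERWRITE = {"capaths", "plugins", "appdefaults", "login", "logging", "dbdefaults",
             "dbmodules", "kdcdefaults", "kdc", "kadmin", "password_quality", "otp"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
BLOCK_RE = re.compile(r"^(\S+)\s*=\s*\{$")

def parse_krb5(text):
    """{section: [(key, value), ...]}; a realm block 'R = { ... }' is one entry whose
    value is the list of its lines, so realms are compared by name."""
    sections, current, block, body = {}, None, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if block is not None:                      # inside 'R = { ... }'
            if line != "}":
                body.append(line)
            else:
                sections[current].append((block, body))
                block, body = None, []
        elif SECTION_RE.match(line):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry outside any section: %r" % line)
        elif BLOCK_RE.match(line):
            block = BLOCK_RE.match(line).group(1)
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    if block is not None:
        raise ValueError("unterminated block %r" % block)
    return sections

def merge_custom(existing, custom):
    """Apply the quoted rules; returns (merged_sections, warning_messages)."""
    merged = {name: list(entries) for name, entries in existing.items()}
    warnings = []
    for name, entries in custom.items():
        if not entries:            # bare header, as in the post's file: no change
            continue
        if name in ADD_ONLY:
            present = {k for k, _ in merged.get(name, [])}
            for key, value in entries:
                if key in present:
                    warnings.append("WARN [%s] %s exists; custom entry discarded" % (name, key))
                else:
                    merged.setdefault(name, []).append((key, value))
        elif name in OVERWRITE:
            target = merged.setdefault(name, [])
            for key, value in entries:
                idx = next((i for i, (k, _) in enumerate(target) if k == key), None)
                if idx is None:
                    target.append((key, value))
                else:
                    target[idx] = (key, value)
    return merged, warnings

def render_krb5(sections):
    """Serialize the merged structure back to krb5.conf syntax."""
    lines = []
    for name, entries in sections.items():
        lines.append("[%s]" % name)
        for key, value in entries:
            lines += ([" %s = {" % key] + ["  " + l for l in value] + [" }"]
                      if isinstance(value, list) else [" %s = %s" % (key, value)])
    return "\n".join(lines) + "\n"

EXISTING_KRB5 = """[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true
[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com
 }
[kdc]
 kdc_timeout = 150
"""  # constructed stand-in for the target host's /etc/krb5.conf

CUSTOM_KRB5 = """[libdefaults]
 dns_lookup_kdc = false
 rdns = false
[default_realm]
[realms]
 EXAMPLE.COM = {
  kdc = dc9.example.com
 }
 CORP.EXAMPLE.COM = {
  kdc = dc1.corp.example.com
 }
[kdc]
 kdc_timeout = 300
"""  # constructed, shaped like the post's custom-krb5.conf

if __name__ == "__main__":
    merged, warnings = merge_custom(parse_krb5(EXISTING_KRB5), parse_krb5(CUSTOM_KRB5))
    print(render_krb5(merged) + "\n".join(warnings))
```

Running it prints the merged file, with kdc_timeout now 300 and the new CORP.EXAMPLE.COM realm added, followed by two WARN lines: the custom dns_lookup_kdc value and the custom EXAMPLE.COM realm are both discarded because those keys already exist. Before relying on the real merge, also confirm with ls -l that the copied custom file is owned by root, since Note 1 of the excerpt says adclient requires that.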
