Reputation: 77
I'm writing a Linux application that integrates with MS Active Directory. For this purpose I'm using Kerberos. I've already implemented a mechanism that authenticates a domain user with given credentials, but now I want to check if the user is a member of the administrators group.
So I have creds obtained from the function:
error = krb5_get_init_creds_password(context, &creds, principals,
password.c_str(), NULL, NULL, 0, NULL, NULL);
And here I want to implement the logic that authorizes the user/administrator:
if(!error) {
// admin check
}
I'm thinking of using the krb5_verify_init_creds function but I'm not sure how I can do that.
Upvotes: 0
Views: 238
Reputation: 882
As Fred noted, Kerberos is for authentication, not for authorization. While a Kerberos ticket issued by an AD DC contains an MS-PAC record with additional information about the membership of the AD object mapped to this Kerberos principal, you need more than just knowing the format of the records presented in the ticket to make use of it.
In a typical Linux environment your application is better off relying on the PAM stack to decouple the authentication and authorization steps. Typically a PAM session setup is used to run authorization checks. If your Linux machines are configured to use SSSD (either with id_provider = ad, or with id_provider = ipa and a cross-forest trust between FreeIPA and AD), you can rely on pam_sss to handle both the authentication and the authorization steps via SSSD.
Recent versions of SSSD support GPO-based access by mapping GPO logon rights to PAM services.
With SSSD your AD users and groups are presented as POSIX users and groups. This allows you to build simple access control based on group membership, which you can obtain via the getgrouplist(3) call after you have mapped the Kerberos principal to a local user name with krb5_aname_to_localname().
If you still need additional information about the user mapped from the Kerberos principal, you can utilize the infopipe interface of SSSD. The information available through infopipe is gathered from both the Kerberos ticket (when available) and AD LDAP (Global Catalog or a DC directly). By using infopipe you wouldn't need to resolve SIDs in the MS-PAC to names, resolve group membership, or verify signatures of the MS-PAC and other components of the ticket, as SSSD does it for you. See https://fedorahosted.org/sssd/wiki/DesignDocs/DBusResponder and http://www.adelton.com/apache/mod_lookup_identity/ for practical implementations.
Upvotes: 2
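The group check this answer describes, as an added example that is not code from the question or the answer: the authorization step done through NSS, which is where SSSD presents AD users and groups as POSIX users and groups. It assumes the caller has already turned the authenticated principal into a local user name with krb5_aname_to_localname(); that call is left out so the file builds with libc alone (no -lkrb5). The getgrouplist(3) buffer handling is the part people usually get wrong, so it is spelled out, and a failed lookup is reported separately from "not a member" so the caller can deny on both.

```c
/* Added example, not code from the question or this answer: the authorization
 * step that follows Kerberos authentication, done through NSS so that SSSD
 * (id_provider = ad) presents AD users and groups as POSIX users and groups.
 *
 * Assumption: `localname` is what krb5_aname_to_localname() returned for the
 * authenticated principal. That call is left to the caller so that this file
 * builds with libc alone (no -lkrb5). */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Return 1 if `target` appears among the first `n` entries of `gids`, else 0. */
int gid_in_list(const gid_t *gids, int n, gid_t target)
{
    for (int i = 0; i < n; i++)
        if (gids[i] == target)
            return 1;
    return 0;
}

/* Report whether `localname` belongs to `groupname`, using the flattened
 * (nested groups included) list SSSD serves through getgrouplist(3).
 * Returns 1 = member, 0 = not a member, -1 = lookup failed (unknown user,
 * unknown group, or out of memory). A caller must treat -1 as "deny", not as
 * "unknown but probably fine". SSSD answers from its cache, so a membership
 * change made in AD shows up only after the cached entry expires. */
int user_in_group(const char *localname, const char *groupname)
{
    struct passwd *pw = getpwnam(localname);
    if (pw == NULL)
        return -1;                  /* principal did not map to a local user */
    struct group *gr = getgrnam(groupname);
    if (gr == NULL)
        return -1;                  /* group is not visible through NSS */

    /* getgrouplist(3) returns -1 when the buffer is too small (glibc then
     * stores the required count in `count`), so grow the buffer until it
     * fits instead of guessing a fixed maximum. */
    int cap = 16;
    gid_t *gids = NULL;
    int count;
    for (;;) {
        gid_t *tmp = realloc(gids, (size_t)cap * sizeof *gids);
        if (tmp == NULL) {
            free(gids);
            return -1;
        }
        gids = tmp;
        count = cap;
        if (getgrouplist(localname, pw->pw_gid, gids, &count) != -1)
            break;                  /* `count` now holds the filled entries */
        cap = (count > cap) ? count : cap * 2;  /* needed size, or double */
    }

    int rc = gid_in_list(gids, count, gr->gr_gid);
    free(gids);
    return rc;
}

/* Stand-alone use: ./a.out <localname> <group>; exits 0 only on membership. */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <localname> <group>\n", argv[0]);
        return 2;
    }
    int rc = user_in_group(argv[1], argv[2]);
    if (rc == 1) {
        printf("%s is a member of %s: authorize\n", argv[1], argv[2]);
        return 0;
    }
    if (rc == 0)
        printf("%s is not a member of %s: deny\n", argv[1], argv[2]);
    else
        fprintf(stderr, "lookup failed for %s / %s: deny\n", argv[1], argv[2]);
    return 1;
}
```

Build with `gcc -o adcheck adcheck.c` and run as `./adcheck jdoe "domain admins"` (or whatever name SSSD presents the AD group under, depending on its fully_qualified_names / case settings); the same NSS path is what `id -nG jdoe` uses, so that command is a quick way to see what getgrouplist will return.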
Reputation: 9109
Kerberos does not do authorization, only authentication (i.e. it can figure out who you are, but not what you are allowed to do).
In general, once you have the Kerberos ID, you would ask some authorization service what that ID is allowed to do. In this case, the most straightforward thing to do is to make an LDAP query to find out if the user is a member of the group you are interested in.
MS Kerberos violates this principle by adding extra group information that AD knows about to the Kerberos service tickets. However, I am not aware of any standard Kerberos APIs that provide access to this information.
Upvotes: 2
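The LDAP query this answer suggests, as an added example that is not code from the answer: it builds the AD membership filter for a given user and group DN. Two details matter in practice. The user name comes from an authenticated principal but is still untrusted input for the filter, so it is escaped per RFC 4515 before being interpolated (otherwise a name like "x)(objectClass=*" rewrites the query), and the memberOf clause uses the matching-rule-in-chain OID so that nested group membership is found, which a plain memberOf= comparison misses. The group DN, host and search base are placeholders, the user name is assumed to be the principal's name part (jdoe for jdoe@EXAMPLE.COM) looked up as sAMAccountName, and the directory round trip itself is left to ldapsearch or ldap_search_ext_s() so the file builds without libldap.

```c
/* Added example, not code from this answer: build the AD LDAP membership
 * query the answer suggests. The user name comes from an authenticated
 * principal but is still untrusted input for the LDAP filter, so it is
 * escaped per RFC 4515 before being interpolated.
 *
 * Assumptions: the group DN, directory host and search base are placeholders;
 * `user` is the principal's name part (jdoe for jdoe@EXAMPLE.COM), looked up
 * as sAMAccountName. The filter is handed to ldapsearch or ldap_search_ext_s();
 * the directory round trip is not made here so this builds without libldap. */
#include <stdio.h>
#include <string.h>

/* RFC 4515 escaping of a filter assertion value: '*', '(', ')' and '\' are
 * replaced by \2a, \28, \29 and \5c. Returns the length written (without the
 * terminating NUL) or -1 if `out` (size `outsz`) is too small. */
int ldap_filter_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        if (*p == '*' || *p == '(' || *p == ')' || *p == '\\') {
            if (o + 3 >= outsz)
                return -1;
            snprintf(out + o, outsz - o, "\\%02x", *p);
            o += 3;
        } else {
            if (o + 1 >= outsz)
                return -1;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Filter that matches `user` only if it is a (possibly nested) member of
 * `group_dn`. The matching rule OID 1.2.840.113556.1.4.1941
 * (LDAP_MATCHING_RULE_IN_CHAIN) makes AD evaluate memberOf transitively;
 * a plain (memberOf=...) clause sees direct membership only.
 * Returns the filter length or -1 if a buffer is too small. */
int ad_member_filter(const char *user, const char *group_dn,
                     char *out, size_t outsz)
{
    char euser[256], egroup[1024];
    if (ldap_filter_escape(user, euser, sizeof euser) < 0 ||
        ldap_filter_escape(group_dn, egroup, sizeof egroup) < 0)
        return -1;
    int n = snprintf(out, outsz,
                     "(&(objectClass=user)(sAMAccountName=%s)"
                     "(memberOf:1.2.840.113556.1.4.1941:=%s))",
                     euser, egroup);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Stand-alone use: prints the filter. Pass it to, for example,
 *   ldapsearch -LLL -Y GSSAPI -H ldap://dc.example.com -b DC=example,DC=com <filter> dn
 * (host and base are placeholders). -Y GSSAPI reads the credential cache
 * named by KRB5CCNAME, so store the creds from krb5_get_init_creds_password()
 * there first; an empty result means "not a member". */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <user> <group DN>\n", argv[0]);
        return 2;
    }
    char filter[2048];
    if (ad_member_filter(argv[1], argv[2], filter, sizeof filter) < 0) {
        fprintf(stderr, "filter too long\n");
        return 2;
    }
    printf("%s\n", filter);
    return 0;
}
```

Binding as the user (rather than with a service account) is enough here because AD lets authenticated users read group membership by default; if your directory restricts that, bind with an account that can read the group's member attribute instead.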