Best practice for authenticating DMZ against AD in LAN

linux authentication active-directory kerberos

If you're using PAM for your authentication stack, you can use pam_krb5 to provide kerberos authentication for your services. Kerberos was designed out-of-the-box to deal with hostile environments, handles authentication-by-proxy, and is already a part of the AD spec. Why struggle with LDAP when you can get Kerberos to do the heavy lifting for you, and get on with life? Yeah, you'll have to do some reading, and yeah, it'll take a bit of time, but I've used Kerb-to-AD authentication for years and have found it to be the easiest, quickest way to get SSO working out of the box when you have Active Directory as the authentication backend.

The main thing you'll run into is that Microsoft decided to be very specific about the default encryption types (they basically made their own), so you'll need to set up your Kerberos clients to have the correct matching encryption types, or the AD servers will continue to reject it. This is thankfully an easy procedure and shouldn't require more than a few edits to krb5.conf.

And now, some links for you to consider...

Microsoft's View of Kerberos

  • Kerberos Explained

Meshing Kerberos and Active Directory

  • Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability

ssh and Kerberos authentication via PAM

  • A snippet from O'Reilly's book on SSH
  • IBM has a few words on OpenSSH and Kerberos

Apache and Kerberos

  • mod_auth_kerb via SourceForge
  • Providing Active Directory authentication via Kerberos protocol in Apache

ProFTP and Kerberos

  • ProFTPD module mod_gss also via SourceForge

RFCs of Microsoft's Activities with Kerberos (which you really don't want to read about):

  • RFC3244 Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
  • RFC4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows

Related

Running linux containers (lxc) on ubuntu to isolate web server processes (ruby/thin)
Multicast File Transfers
How do I remotely manage Hyper-V 2016 standalone via Windows 10?
3D vs 3d vs 3-d vs 3-dimensional
How common is pronouncing the past tense of beat as /bet/?
What is a respectful way to refer to a person who has died?
Is "Four times more" grammatically correct? And, if so, what precisely does it mean?
Pluralization of acronyms ending in 'S'
"the average person" vs "an average person"
"Also" and "as well" for conversational context
Word/phrase that means a series of problems of increasing severity caused by a small error
Is "one" unnecessary in this quote of Melville?