First of all, make sure that your Active Directory domain meets gmsad requirements (see README.md).
Let couscous and boulette be two Linux servers. They both host an apache2 server that serves semoule.cantine.local. The HTTP server needs to authenticate users of realm CANTINE.LOCAL using Kerberos.
Create two accounts, couscous and boulette, that will be used by gmsad to retrieve the gMSA password. To create these accounts, you can use msktutil (https://github.com/msktutil/msktutil). After authenticating with kinit with an account that has the rights to create computer accounts, run msktutil create. You should renew the server account password periodically (every 30 days for example). You could do that using a daily cron job that runs msktutil --auto-update. Check the msktutil documentation for further information.
Create a gMSA named semoule with the servicePrincipalName http/semoule.cantine.local and allow couscous and boulette to retrieve its password :
Import-Module ActiveDirectory
New-ADServiceAccount -Name "semoule" -ServicePrincipalNames "HTTP/semoule.cantine.local" -DNSHostName "semoule.cantine.local" -PrincipalsAllowedToRetrieveManagedPassword couscous$,boulette$gmsad needs to be able to read the keytab of the server's machine account and to write into the keytab of the service account. By default, those privileges would be reserved for root account. However, you should not run gmsad as root! It is advised to create a specific account with only the required permissions.
- Create a user account
gmsawithin groupgmsa.
addgroup --system gmsa
adduser --system --no-create-home --shell=/usr/sbin/nologin --ingroup=gmsa gmsa- Edit
/etc/gmsad.confand use the following configuration (note that this the configuration forcouscousserver):
[semoule]
# gMSA configuration
gMSA_sAMAccountName = semoule$
gMSA_domain = CANTINE.LOCAL
gMSA_servicePrincipalNames = http/semoule.cantine.local
# Keytab file of the service account
gMSA_keytab = /etc/semoule.keytab
# credentials used to retrieve gMSA secret
principal = couscous$@CANTINE.LOCAL
# Keytab file of the server account
keytab = /etc/krb5.keytab
# command executed when SPN keys are updated.
# This is required by apache2 to read the keytab again.
on_spn_rotate_cmd = sudo systemctl reload apache2
-
Create an empty file
/etc/semoule.keytabwhich will be the keytab file of the service account. It needs to be readable by apache account.- Set ownership of
/etc/semoule.keytab:gmsa:www-data - Set permissions of
/etc/semoule.keytab:640
apache2needs to be configured to authenticate users using keytab/etc/semoule.keytab. Here is an example ofapache2configuration usingmod_auth_kerb: - Set ownership of
<VirtualHost *:443>
ServerName semoule.cantine.local
<Location "/service">
Require valid-user
AuthType Kerberos
</Location>
KrbAuthRealms CANTINE.LOCAL
Krb5Keytab /etc/semoule.keytab
KrbServiceName HTTP
</VirtualHost>
-
Edit owernship and permissions of
/etc/krb5.keytab:- Set ownership :
root:gmsa - Set permissions of
/etc/krb5.keytab:640
- Set ownership :
-
Grant to user
gmsathe ability to runsudo systemctl reload apache2. Edit sudoers configuration:
gmsa ALL=(root) NOPASSWD:systemctl reload apache2
- Create a systemd service for
gmsad. Write in /etc/systemd/system/gmsad.service:
[Unit]
Description=Group Managed Service Account Management Service
After=network.target
[Service]
ExecStart=/usr/bin/gmsad
Restart=on-failure
User=gmsa
[Install]
WantedBy=multi-user.target
Then, reload systemd services.
- Start the
gmsadservice :systemctl start gmsad
This should populate the keytab /etc/semoule.keytab. You can check its content with klist -kt /etc/semoule.keytab. gmsad will then update the keytab on couscous and boulette when needed.
For debug purposes, you may want to validate that the secrets in the keytab generated by gmsad are valid. To do so, you can :
- add
gMSA_upn_in_keytab = yesingmsadconfiguration. - use kinit to authenticate with the gMSA account :
kinit -kt /etc/semoule.keytab 'semoule$@CANTINE.LOCAL'. - if there was no error, you can use
klistto view your ticket cache.