Himmelblau Documentation

Introduction to Himmelblau

What is Himmelblau?

Himmelblau is an open-source project designed to integrate Azure Entra ID (formerly Azure Active Directory) authentication seamlessly with Linux environments. By enabling features like single sign-on (SSO), multi-factor authentication (MFA), and secure token handling, Himmelblau allows organizations to bridge the gap between Microsoft’s enterprise identity solutions and Linux systems. It serves as a middleware layer, providing tools for authentication, device registration, and identity management across various Linux distributions.

The name 'Himmelblau' is derived from German, meaning 'Sky blue', or 'Azure blue,' a nod to Microsoft Azure, which the project is designed to integrate with. This name reflects the project's purpose of bridging Linux systems with Azure Entra ID authentication. Himmelblau originated as an open-source initiative aimed at addressing the gap in identity integration between Linux environments and Microsoft's enterprise cloud solutions.

Himmelblau leverages protocols such as OAuth2 and Kerberos to deliver secure and efficient authentication mechanisms. The project’s modular and lightweight design ensures it can scale across small deployments or large enterprise environments, making it suitable for diverse use cases.

Why Integrate Azure Entra ID with Linux?

Modern enterprises often operate in hybrid environments that combine Windows and Linux systems. Azure Entra ID is a cornerstone of Microsoft’s cloud-based identity and access management strategy, providing centralized control over authentication, access policies, and user management. However, native Linux support for Azure Entra ID has historically been limited, creating challenges for organizations aiming to unify their IT infrastructure.

Key Benefits of Himmelblau Integration:

1. Unified Identity Management: Himmelblau enables Linux systems to use the same credentials as Windows systems, reducing administrative overhead and improving user convenience.
2. Enhanced Security: By supporting Azure Entra ID’s MFA options—such as FIDO2, SMS, and app-based authentication—Himmelblau enhances login security.
3. Single Sign-On (SSO): Himmelblau’s integration with the Siemens linux-entra-sso framework ensures seamless SSO for browser-based applications, boosting productivity.
4. Compliance and Auditability: Centralized identity management simplifies compliance with security policies and audit requirements, making it easier to meet regulatory standards.
5. Scalability: Himmelblau’s modular architecture and compatibility with multiple Linux distributions make it ideal for both small and large-scale deployments.

Himmelblau’s Role in the Open-Source Ecosystem

Himmelblau stands out as an open-source alternative to proprietary identity integration solutions. By providing transparency and flexibility, it empowers organizations to:

• Customize authentication workflows to suit their needs.
• Contribute to the project’s development, fostering a collaborative community.
• Avoid vendor lock-in, a common concern with proprietary tools.

Summary

Himmelblau is a transformative tool that bridges the gap between Azure Entra ID and Linux environments. By supporting secure, scalable, and seamless authentication workflows, it addresses the challenges of integrating diverse systems into a unified identity framework. This chapter introduced Himmelblau’s purpose, its advantages, and its importance in the open-source community. The next chapter will delve into the broader challenges of integrating Azure Entra ID with Linux systems and how Himmelblau mitigates these issues.

Azure Entra ID and Linux Integration Challenges

Overview of Authentication Protocols

Himmelblau uses OAuth2 as the primary protocol for authentication, leveraging Microsoft’s MS-OAPX and OAPXBC extensions. These extensions ensure secure and seamless integration with Azure Entra ID, providing robust support for modern authentication workflows.

Transitioning from On-Premises AD to Azure Entra ID

For organizations migrating Linux systems from on-premises Active Directory (AD) to Azure Entra ID, the transition can be challenging, particularly with UID and GID mismatches. These discrepancies often arise due to differences in ID mapping between traditional tools like Winbind or SSSD and Himmelblau's default mapping strategies.

UID/GID Mismatch Issues

• Cause: On-prem AD environments typically use either fixed UID/GID values from an Active Directory scheme extension or dynamically generated values using various ID mapping techniques from Winbind and SSSD. Himmelblau, however, generates UID/GID values dynamically based on its internal mapping logic.
• Impact: File ownerships and permissions may break, leading to potential access issues and administrative overhead.

Workaround: SSSD for ID Mapping

To mitigate UID/GID mismatch issues, organizations can continue using the SSSD NSS module for UID/GID mapping while utilizing Himmelblau solely for authentication. This hybrid approach allows:

1. Consistent UID/GID values by fetching them from the on-prem AD schema.
2. Modern OAuth2-based authentication through Himmelblau.

Configuration Example:

1. Configure SSSD:

   [sssd]
   domains = example.org
   
   [domain/example.org]
   id_provider = ad
   ldap_id_mapping = false
   

2. Configure NSS:

   passwd:     files systemd sss
   group:      files systemd sss
   shadow:     files sss
   

3. Use Himmelblau for Authentication: Ensure Himmelblau is configured in the PAM stack for auth , account, and session while disabling its NSS module.

Future Improvements for ID Mapping

To address these challenges more seamlessly, Himmelblau plans to:

• Support synchronization of UID/GID attributes directly from Azure Entra ID using synced Active Directory extensions.
• Develop enhanced ID mapping logic to maintain consistency across environments.

Summary

Integrating Linux systems with Azure Entra ID introduces unique challenges, particularly when transitioning from on-prem AD environments. By using OAuth2 with MS-OAPX/OAPXBC extensions for authentication and adopting workarounds like SSSD for ID mapping, organizations can achieve a smoother transition. Himmelblau’s future enhancements promise to further simplify these processes, ensuring consistent and secure identity management across hybrid infrastructures.

The Himmelblau Ecosystem

Core Features and Benefits

Himmelblau provides a comprehensive suite of tools designed to integrate Azure Entra ID authentication into Linux environments. By leveraging open standards and implementing advanced features, it bridges the gap between Linux systems and Microsoft’s enterprise identity solutions. Below are the key features and benefits that define the Himmelblau ecosystem.

1. Azure Entra ID Integration

Himmelblau seamlessly integrates with Azure Entra ID, enabling Linux systems to utilize Azure’s robust identity and access management framework. This includes:

• Multi-Factor Authentication (MFA) with app-based prompts, FIDO2 keys, and SMS codes.
• Secure token exchange through OAuth2 flows.
• Device registration, with future plans for compliance enforcement.

2. Single Sign-On (SSO)

By incorporating the Siemens linux-entra-sso framework, Himmelblau ensures a consistent and secure SSO experience for browser-based applications. This functionality simplifies user workflows and boosts productivity by reducing the need for repeated logins.

3. Support for Kerberos Authentication

Himmelblau extends Azure Entra ID’s Kerberos capabilities to Linux environments. It retrieves and caches cloud-based Ticket Granting Tickets (TGTs) from Azure’s KDC, supporting both cloud and hybrid setups. This functionality ensures compatibility with existing Kerberos-based applications and workflows.

4. Modular Design

The Himmelblau ecosystem is designed with modularity in mind, allowing administrators to enable or disable features based on organizational needs. This flexibility ensures that Himmelblau can scale from small deployments to large enterprise environments.

5. Enhanced Security

Himmelblau incorporates features like encrypted token storage, PAM integration, and support for secure device authentication. These measures help organizations meet compliance requirements and protect sensitive data.

6. Open-Source Flexibility

As an open-source project, Himmelblau empowers organizations to:

• Customize features to fit their unique requirements.
• Contribute to the codebase and shape the project’s development.
• Avoid vendor lock-in, ensuring long-term flexibility and cost savings.

Supported Linux Distributions

Himmelblau is compatible with a wide range of Linux distributions, including enterprise-grade and community-supported versions. Current supported distributions include:

• Enterprise Distributions: SUSE Linux Enterprise, Red Hat Enterprise Linux, Rocky Linux.
• Community Distributions: Ubuntu, Debian, Fedora, and openSUSE.

This extensive compatibility ensures that organizations can adopt Himmelblau regardless of their Linux environment.

Interoperability with Microsoft Services

Himmelblau’s design prioritizes seamless interaction with Microsoft’s ecosystem, enabling Linux clients to access:

• Microsoft 365 services.
• Azure-based applications and resources.
• On-premises systems configured for Azure AD hybrid setups.

This interoperability allows organizations to maintain consistent identity management across their entire infrastructure, regardless of the underlying operating system.

Summary

The Himmelblau ecosystem represents a powerful solution for integrating Azure Entra ID with Linux environments. Its robust feature set, extensive distribution support, and open-source foundation make it a versatile tool for organizations of all sizes. The next chapter will explore the technical architecture and components that make Himmelblau such an effective bridge between these two ecosystems.

Understanding Himmelblau Architecture

Key Components of Himmelblau

Himmelblau’s architecture is designed to seamlessly integrate Linux systems with Azure Entra ID, leveraging a modular and scalable framework. This chapter explores its core components and their roles in achieving secure and efficient authentication.

1. Authentication Daemon (himmelblaud)

The himmelblaud daemon is the central component responsible for handling authentication requests and interacting directly with Azure Entra ID. Key functionalities include:

• User Authentication: Processes login attempts and validates credentials against Azure Entra ID.

• OAuth2 Flows: Initiates authentication and token exchanges with Azure Entra ID, passing tokens to the Himmelblau Broker via a secure socket.

• Token Management: Manages the secure storage, caching, and renewal of authentication tokens.

• Integration with PAM and NSS: Supports Pluggable Authentication Modules (PAM) for system-level authentication and integrates with NSS to provide consistent user and group information across the system.

2. Himmelblau Broker

The Himmelblau Broker serves as a middleware layer, facilitating communication between Linux applications and Azure Entra ID. Key functions include:

• DBus Integration for SSO: Exposes a DBus interface for seamless interaction with browser and application plugins.

• Socket-Based Communication: Receives OAuth2 tokens and other data from the himmelblaud daemon via a secure socket for further processing.

3. Configuration Management

Himmelblau’s configuration is managed through the /etc/himmelblau/himmelblau.conf file. Key elements include:

• Domain and tenant configuration.
• Debugging and logging options.
• User and group mapping settings.

Example configuration:

[global]
domains = example.com
pam_allow_groups = f3c9a7e4-7d5a-47e8-832f-3d2d92abcd1

4. Kerberos Integration

Himmelblau extends Kerberos functionality to Azure Entra ID by acting as a Kerberos client. It retrieves and caches Ticket Granting Tickets (TGTs) from Azure Entra ID’s cloud-based KDC, enabling:

• Secure, token-based access to resources.
• Support for hybrid scenarios involving on-premises Active Directory.

Example Kerberos configuration:

[realms]
KERBEROS.MICROSOFTONLINE.COM = {
    kdc = https://login.microsoftonline.com/common/kerberos
}

[libdefaults]
default_ccache_name = DIR:/tmp/krb5cc_%{uid}

5. Support Services (himmelblaud-tasks)

The himmelblaud-tasks service handles essential background operations, including:

• Kerberos Flows: Manages Kerberos ticket retrieval, caching, and renewal.
• Startup Script Execution: Executes scripts required during system initialization.
• Home Directory Creation: Ensures authenticated users have properly initialized home directories.

Scalability and Modularity

Himmelblau’s modular architecture ensures it can adapt to various organizational needs. Administrators can enable or disable components depending on the deployment scenario, ensuring optimal resource usage.

Deployment Scenarios

• Small Deployments: Lightweight installations with minimal configurations.
• Enterprise Deployments: Scalable setups with Kerberos integration, hybrid configurations, and extensive logging for compliance.

Summary

Himmelblau’s architecture is built to bridge the gap between Azure Entra ID and Linux systems. By combining modular components, robust token management, and seamless Kerberos integration, Himmelblau provides a scalable and secure authentication framework. The next chapter will explore how these components interact in real-world deployment scenarios.

Authentication Workflows

Overview

Himmelblau provides seamless authentication workflows that bridge the gap between Linux systems and Azure Entra ID. By leveraging protocols like OAuth2 and Kerberos, it ensures secure and efficient user authentication, supports single sign-on (SSO), and integrates with multi-factor authentication (MFA) mechanisms. This chapter outlines the main authentication workflows in Himmelblau, highlighting the steps involved and the components responsible for each.

OAuth2 Authentication Workflow

Himmelblau’s OAuth2-based authentication enables Linux systems to interact securely with Azure Entra ID. The workflow involves the following steps:

1. User Login Initiation:
   • A user initiates a login process, typically through PAM.
2. Token Request:
   • The himmelblaud daemon sends an OAuth2 token request to Azure Entra ID, including the user’s credentials or device code if applicable.
3. Primary Refresh Token (PRT) Issuance:
   • Azure Entra ID validates the credentials and issues a Primary Refresh Token (PRT). The PRT serves as a long-lived token that can be used to request access and ID tokens without re-entering credentials.
4. SSO Token Request:
   • When an application or service requires authentication, the PRT is used to request Single Sign-On (SSO) tokens from Azure Entra ID. These tokens are specific to the requested application or resource.
5. Token Handling:
   • The access token and SSO tokens are passed securely to the Himmelblau Broker via a socket for further use by applications or services.
6. Session Initialization:
   • The user’s session is authenticated, and any necessary initialization tasks, such as home directory creation, are handled by himmelblaud-tasks.

Kerberos Authentication Workflow

Himmelblau integrates Azure Entra ID’s Kerberos capabilities to support existing Kerberos-dependent applications. The following steps outline the process:

1. TGT Retrieval:
   • Upon user login, himmelblaud-tasks retrieves a Ticket Granting Ticket (TGT) as part of the Primary Refresh Token (PRT) request from Azure Entra ID. The TGT is essential for Kerberos workflows and is obtained directly from the cloud-based KDC.
2. TGT Caching:
   • The TGT is securely cached in the location specified by the Kerberos configuration (/tmp/krb5cc_%{uid}).
3. Service Ticket Requests:
   • When a service requiring Kerberos authentication is accessed, the TGT is used to request a service ticket from the KDC.
4. Authentication Completion:
   • The service ticket is presented to the target application or service, completing the authentication process.

Multi-Factor Authentication (MFA) Integration

Himmelblau supports Azure Entra ID’s MFA capabilities, providing an additional layer of security. Common MFA methods include:

• App-Based Notifications: Users approve login attempts via the Microsoft Authenticator app. Himmelblau also supports passwordless authentication with Microsoft Authenticator, as well as other authenticator apps like Google Authenticator, where users receive a push notification and are prompted to enter an entropy code. This prompt is seamlessly integrated into the login process through PAM.
• FIDO2 Keys: Physical keys provide multi-factor authentication (MFA) by requiring both the key and the user’s password.
• SMS Codes: A one-time code sent to the user’s mobile device.

These methods are seamlessly integrated into the OAuth2 and Kerberos workflows, ensuring robust security without complicating the user experience.

Single Sign-On (SSO) Workflow

SSO is a critical feature for enterprise environments, allowing users to authenticate once and access multiple services. Himmelblau’s SSO implementation involves:

1. Token Sharing via DBus:
   • The Himmelblau Broker exposes tokens through a DBus interface, enabling applications and browser plugins to authenticate seamlessly.
2. Session Persistence:
   • Tokens are securely stored and refreshed as needed, ensuring uninterrupted access to services.

Advanced Features

Hybrid Authentication

Himmelblau supports hybrid setups where both cloud and on-premises resources are accessible. In such environments:

• Cloud TGTs from Azure Entra ID’s KDC can be exchanged for on-premises TGTs.
• This flexibility allows organizations to transition gradually to cloud-first architectures.

Token Management and Renewal

• Himmelblau’s components manage token lifecycles, ensuring timely renewal to prevent session interruptions.
• Expired tokens are replaced automatically by himmelblaud, reducing administrative overhead.

Summary

Himmelblau’s authentication workflows provide a robust framework for integrating Azure Entra ID with Linux systems. By supporting OAuth2, Kerberos, MFA, and SSO, it ensures secure and seamless user experiences. The next chapter will delve into deployment best practices, covering setup strategies for different organizational needs.

Device Registration with Azure Entra ID

Overview

Device registration is a cornerstone of Azure Entra ID’s security framework, enabling organizations to enforce compliance policies, manage access, and enhance security for connected devices. Himmelblau leverages the Device Registration Service (DRS) protocol, as outlined in the MS-DRS specification, to seamlessly register Linux devices with Azure Entra ID. This chapter provides a detailed explanation of the device registration process.

Purpose of Device Registration

Device registration establishes a device identity in Azure Entra ID, enabling administrators to:

• Apply conditional access policies.
• Track device compliance.
• Enable secure access to enterprise resources.

For Linux environments, Himmelblau facilitates device registration, bridging a gap previously filled by proprietary tools on other platforms.

Workflow for Device Registration

Himmelblau’s device registration process adheres to the MS-DRS protocol. Below is a detailed step-by-step breakdown:

1. Initiating the Registration Process:

   • At authentication time, when the first user logs in, Himmelblau triggers the device registration process in himmelblaud.
   • The daemon initiates an OAuth2 flow with Azure Entra ID to authenticate the user or service account performing the registration.

2. Retrieving Enrollment Information:

   • Himmelblau queries Azure Entra ID’s Device Registration Discovery Service to retrieve the appropriate enrollment endpoints.
   • The discovery service provides URLs for submitting registration requests and obtaining required metadata.

3. Generating the Device Certificate Request:

   • Himmelblau generates a Certificate Signing Request (CSR) using software-based keys and stores them securely.
   • The CSR includes the following details:
     • Public Key: A transport key generated by Himmelblau.
     • Device Attributes: Information such as the operating system version and device type.
     • Nonce: Obtained from the discovery service to ensure request integrity.

4. Submitting the Registration Request:

   • The CSR and associated metadata are submitted to Azure Entra ID via the JoinEndpoint URL.
   • Himmelblau includes additional attributes such as device display name and join type (e.g., Azure AD join or hybrid join).

5. Receiving the Device Certificate:

   • Azure Entra ID validates the registration request and issues an X.509 device certificate.
   • The certificate is signed by Azure Entra ID’s Certificate Authority and contains the Device Id (A unique identifier for the registered device).

6. Storing the Device Certificate:

   • Himmelblau securely stores the device certificate and associated keys in a local secure storage mechanism, such as Soft HSM.
   • This ensures the certificate is accessible for future authentication requests.

7. Completing the Registration:

   • Once the certificate is stored, Himmelblau updates the device’s status in Azure Entra ID.
   • The device is now visible in the Azure portal, and administrators can monitor activity.

Summary

Himmelblau’s implementation of the MS-DRS protocol ensures seamless device registration with Azure Entra ID, establishing a secure and compliant foundation for managing Linux devices. By automating key steps and leveraging robust cryptographic mechanisms, Himmelblau simplifies a traditionally complex process. In the next chapter, we will explore best practices for optimizing Himmelblau deployments in enterprise environments.

Installing Himmelblau

Overview

Installing Himmelblau is the first step toward integrating Azure Entra ID with Linux systems. This chapter provides a detailed guide for setting up Himmelblau on various supported Linux distributions. By the end of this chapter, you will have a functioning Himmelblau installation configured for your environment.

Supported Distributions

Himmelblau supports a wide range of Linux distributions, including:

• Enterprise Distributions: SUSE Linux Enterprise, Red Hat Enterprise Linux, Rocky Linux.
• Community Distributions: Ubuntu, Debian, Fedora, and openSUSE.

This diversity ensures that organizations can adopt Himmelblau regardless of their preferred Linux environment.

Pre-Installation Requirements

Before installing Himmelblau, ensure that the following prerequisites are met:

1. System Updates:

   • Update the system packages to their latest versions.

     sudo apt update && sudo apt upgrade  # For Debian-based systems
     sudo dnf update                     # For Red Hat-based systems
     sudo zypper update                  # For SUSE-based systems
     

2. Azure Entra ID Preparation:

   • Verify that the Azure Entra ID tenant is configured for device registration and authentication.
   • Ensure you have appropriate permissions to add devices to the tenant.

Installation Instructions

Follow these steps to install Himmelblau:

Debian/Ubuntu

1. Download the Packages:

   • Obtain the latest Himmelblau .deb packages from the official repository.

2. Install the Packages:

   • Use dpkg to install Himmelblau and its components.

   sudo dpkg -i himmelblau_0.8.2-debian12_amd64.deb \
               himmelblau-sshd-config_0.8.2-debian12_amd64.deb \
               himmelblau-sso_0.8.2-debian12_amd64.deb \
               nss-himmelblau_0.8.2-debian12_amd64.deb \
               pam-himmelblau_0.8.2-debian12_amd64.deb
   

3. Resolve Dependencies:

   • Run the following command to install missing dependencies.

   sudo apt --fix-broken install
   

Red Hat/Rocky Linux/Fedora

1. Download the RPM Packages:

   • Obtain the latest Himmelblau RPMs from the official repository.

2. Install the Packages:

   • Use dnf to install Himmelblau.

   sudo dnf install ./himmelblau-0.8.2-1.x86_64-rocky8.rpm \
                   ./himmelblau-sshd-config-0.8.2-1.x86_64-rocky8.rpm \
                   ./himmelblau-sso-0.8.2-1.x86_64-rocky8.rpm \
                   ./nss-himmelblau-0.8.2-1.x86_64-rocky8.rpm \
                   ./pam-himmelblau-0.8.2-1.x86_64-rocky8.rpm
   

SUSE/OpenSUSE

1. Download the RPM Packages:

   • Obtain the Himmelblau RPMs for SUSE from the official repository.

2. Install the Packages:

   • Use zypper to install Himmelblau.

   sudo zypper install ./himmelblau-0.8.2-1.x86_64-sle15sp6.rpm \
                      ./himmelblau-sshd-config-0.8.2-1.x86_64-sle15sp6.rpm \
                      ./himmelblau-sso-0.8.2-1.x86_64-sle15sp6.rpm \
                      ./nss-himmelblau-0.8.2-1.x86_64-sle15sp6.rpm \
                      ./pam-himmelblau-0.8.2-1.x86_64-sle15sp6.rpm
   

Post-Installation Steps

1. Configuration:

   • Himmelblau services should not be started until after configuration is complete, which will be covered in the next chapter.

2. Disable Name Service Caching (Optional):

   • Disable nscd to ensure up-to-date user and group information.

     sudo systemctl disable nscd
     sudo systemctl stop nscd
     

Chapter Summary

This chapter covered the steps required to install Himmelblau on various Linux distributions, ensuring compatibility and optimal setup. The next chapter will focus on configuring Himmelblau to meet organizational requirements.

Configuring Himmelblau

Overview

After installing Himmelblau, the next step is configuring it to integrate seamlessly with your Azure Entra ID environment. This chapter provides a detailed guide to configuring Himmelblau, including editing its configuration file, setting up domain and user options, and preparing it for production use. Once configuration is complete, the required daemons can be started to activate Himmelblau.

Configuration File

The main configuration file for Himmelblau is located at:

/etc/himmelblau/himmelblau.conf

This file controls essential settings, including domains, user authentication policies, and logging.

Sample Configuration

Below is an example configuration file:

[global]
domains = contoso.onmicrosoft.com
pam_allow_groups = f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12
id_attr_map = name
home_attr = CN
home_alias = CN
use_etc_skel = true

Key Configuration Options

1. Domains:

   • Specifies the Azure Entra ID domains allowed to authenticate.

   • Example:

     domains = contoso.onmicrosoft.com
     

2. Group Filtering:

   • Use pam_allow_groups to restrict authentication to specific Azure Entra ID groups.

   • Example:

     pam_allow_groups = f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12
     

3. Home Directory Options:

   • Configure attributes for home directory creation.

   • Example:

     home_attr = CN
     home_alias = CN
     use_etc_skel = true
     

4. Logging:

   • Adjust logging levels for debugging.

   • Example:

     debug = true
     

Configuring NSS and PAM

Himmelblau integrates with NSS and PAM for user and group management. Ensure the following configurations are applied:

NSS Configuration

Edit /etc/nsswitch.conf to include Himmelblau:

passwd:    files systemd himmelblau
shadow:    files himmelblau
group:     files systemd himmelblau

PAM Configuration

Himmelblau’s PAM module can be configured automatically using distribution-specific tools, through the aad-tool utility (v1.0.0+), or manually for advanced customization. This configuration enables systems to authenticate users using their Azure Entra ID credentials through PAM.

1. Automatic Configuration:

   • On Ubuntu/Debian, use the pam-auth-update utility:

     sudo pam-auth-update

     Ensure the Azure authentication checkbox is enabled. After saving, verify that PAM files were updated correctly.

   • On openSUSE Tumbleweed or SUSE Linux Enterprise, use:

     pam-config --add --himmelblau

2. Configuration Using aad-tool (Himmelblau 1.0.0 and above):

   The aad-tool configure-pam command helps inject recommended PAM directives into the appropriate configuration files.

   By default, it performs a dry run — showing the changes it would make without modifying any files:

   sudo aad-tool configure-pam

   To apply the changes, use the --really flag:

   sudo aad-tool configure-pam --really

   To view verbose output, add --debug:

   sudo aad-tool configure-pam --really --debug

   You can optionally specify custom target files instead of using the default files in /etc/pam.d:

   • --auth-file <PATH> – Target file for the auth stack (e.g., common-auth)
   • --account-file <PATH> – Target file for the account stack
   • --session-file <PATH> – Target file for the session stack
   • --password-file <PATH> – Target file for the password stack

   This is especially useful for testing or containerized environments where you don’t want to touch live PAM files:

   sudo aad-tool configure-pam \
     --auth-file ./test_pam/common-auth \
     --account-file ./test_pam/common-account \
     --session-file ./test_pam/common-session \
     --password-file ./test_pam/common-password
       

3. Manual Configuration:

   For full control, you may manually configure the PAM stack. Ensure that pam_himmelblau.so is placed before pam_unix.so in common-auth, and always after modules like pam_localuser.so. This is important for Hello for Business and passwordless logins. Use the ignore_unknown_user option to prevent errors for local-only accounts.

   • /etc/pam.d/common-auth:

     auth        required      pam_env.so
     auth        [default=1 ignore=ignore success=ok] pam_localuser.so
     auth        sufficient    pam_himmelblau.so ignore_unknown_user
     auth        sufficient    pam_unix.so nullok try_first_pass
     auth        required      pam_deny.so
             

   • /etc/pam.d/common-account:

     account    [default=1 ignore=ignore success=ok] pam_localuser.so
     account    sufficient    pam_himmelblau.so ignore_unknown_user
     account    sufficient    pam_unix.so
     account    required      pam_deny.so
             

   • /etc/pam.d/common-session:

     session optional    pam_systemd.so
     session required    pam_limits.so
     session optional    pam_unix.so try_first_pass
     session optional    pam_umask.so
     session optional    pam_himmelblau.so
     session optional    pam_env.so
             

   • /etc/pam.d/common-password:

     password    sufficient    pam_himmelblau.so ignore_unknown_user
     password    optional      pam_gnome_keyring.so use_authtok
     password    sufficient    pam_unix.so use_authtok nullok shadow try_first_pass
     password    required      pam_deny.so
             

Starting Himmelblau Services

Once the configuration is complete, enable and start the Himmelblau daemons to activate the service:

sudo systemctl enable himmelblaud himmelblaud-tasks
sudo systemctl start himmelblaud himmelblaud-tasks

Verification

1. Service Status:

   • Verify that the Himmelblau daemons are running:

     systemctl status himmelblaud
     systemctl status himmelblaud-tasks
     

2. NSS User Resolution:

   • Check that NSS resolves Azure Entra ID users correctly:

     getent passwd user@domain.onmicrosoft.com
     

3. Test Authentication:

   • Attempt to log in with a user account from Azure Entra ID:

     su -l user@domain.onmicrosoft.com
     

4. Check Logs:

   • Inspect the logs for any errors:

     sudo journalctl -u himmelblaud -u himmelblaud-tasks
     

   • Verify that the Himmelblau daemons are running:

     systemctl status himmelblaud
     systemctl status himmelblaud-tasks
     

Summary

This chapter covered configuring Himmelblau to integrate with Azure Entra ID, setting up NSS and PAM, and starting the necessary services. By following these steps, you’ll ensure a secure and functional deployment. The next chapter will address advanced configurations and optimization techniques.

Troubleshooting Common Issues

Overview

While Himmelblau is designed for seamless integration, issues may arise during deployment or operation. This chapter covers common problems and their resolutions, focusing on MFA-related SSH authentication issues and techniques for debugging authentication traffic.

Resolving MFA Problems with SSH

SSH authentication involving Azure Entra ID MFA can present challenges, especially when using interactive prompts. Below are some common issues and solutions:

Problem: MFA Prompt Not Displayed in SSH Sessions

Symptoms: Users attempting to authenticate via SSH do not see the MFA prompt or entropy code. Authentication eventually times out or fails.

Solution:

1. Enable Keyboard-Interactive Authentication:

   • Verify that AuthenticationMethods in the SSH daemon configuration includes keyboard-interactive:pam.
   • Edit /etc/ssh/sshd_config:

     AuthenticationMethods keyboard-interactive:pam
     KbdInteractiveAuthentication yes
     UsePAM yes
     

   • Restart the SSH service:

     sudo systemctl restart sshd
     

2. Verify PAM Configuration:

   • Ensure that pam_himmelblau.so is configured in the PAM stack for auth and account.
   • Example for /etc/pam.d/sshd:

     auth    required    pam_himmelblau.so
     account required    pam_himmelblau.so
     

3. Test Locally:

   • Log in locally to confirm that MFA prompts function correctly. This can help isolate SSH-specific issues:

     su -l user@domain.onmicrosoft.com
     

4. Check Logs:

   • Inspect the SSH and Himmelblau logs for errors:

     sudo journalctl -u sshd -u himmelblaud
     

Problem: SSH Hangs After Entering Password

Symptoms: Users successfully enter their password, but the session hangs instead of displaying the MFA prompt.

Solution:

• This issue is linked to OpenSSH Bug 2876, which affects how SSH handles interactive MFA prompts. Use the mfa_poll_prompt option to resolve this issue:
  1. Edit the PAM configuration for Himmelblau (e.g., /etc/pam.d/sshd) to include:

     auth    required    pam_himmelblau.so mfa_poll_prompt
     account required    pam_himmelblau.so
     

  2. Restart the SSH service to apply changes:

     sudo systemctl restart sshd
     

  3. Test SSH authentication again to confirm the issue is resolved.

Debugging Authentication Traffic

Effective debugging is essential for resolving complex authentication issues. Himmelblau supports various methods for capturing and analyzing authentication traffic.

Using cirrus-scope with mitmproxy

The cirrus-scope tool, in conjunction with mitmproxy, allows for comprehensive testing and debugging of Azure Entra ID authentication flows.

Steps:

1. Download and Install cirrus-scope:

   • Visit the Himmelblau downloads page: https://himmelblau-idm.org/downloads.html
   • Select your Linux distribution from the list provided. If your distribution isn't listed, you can file an enhancement request.
   • Follow the on-screen instructions to download and install the appropriate package for your system.

2. Download and Extract mitmproxy:

   • Download mitmproxy from their official website and extract the binaries:

     tar -xf mitmproxy-11.0.0-linux-x86_64.tar.gz
             

3. Start mitmweb:

   • Run the following command to start mitmweb:

     ./mitmweb
             

     This starts mitmweb and opens a web interface for monitoring HTTP and HTTPS traffic.

4. Install the mitmproxy CA Certificate:

   • On Ubuntu:

     sudo cp $HOME/.mitmproxy/mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/mitmproxy.crt
     sudo update-ca-certificates
             

   • On Fedora:

     sudo cp $HOME/.mitmproxy/mitmproxy-ca-cert.pem /etc/pki/ca-trust/source/anchors/
     sudo update-ca-trust
             

   • On openSUSE Leap:

     sudo cp $HOME/.mitmproxy/mitmproxy-ca-cert.pem /usr/share/pki/trust/anchors/mitmproxy.crt
     sudo update-ca-certificates
             

5. Access the Web Interface:

   • Open your web browser and navigate to:

     http://127.0.0.1:8081/
             

     You should see the mitmweb dashboard for viewing captured traffic.

6. Run cirrus-scope with Proxy Enabled:

   • Execute the desired test command from cirrus-scope, routing its traffic through mitmproxy by setting the HTTPS_PROXY environment variable. For example:

     HTTPS_PROXY=http://127.0.0.1:8080 cirrus-scope auth-test --name your_user@example.com
             

     You will be prompted to enter credentials interactively. For detailed logs, add the --debug flag:

     HTTPS_PROXY=http://127.0.0.1:8080 cirrus-scope auth-test --name your_user@example.com --debug
             

     Other available test commands include:
     • enrollment-test: Simulates device enrollment
     • refresh-token-acquire: Acquires new access tokens using a refresh token
     • provision-hello-key-test: Tests Hello for Business key provisioning

7. Capture and Save the HAR File:

   • In the mitmweb dashboard, click on the "File" drop-down menu, then select "Save". Your browser will download a file called 'flows'.
   • Important: Search the contents of the file for your password, as it will be present. Remove this password before sharing the file.
   • If the authentication was successful, there will also be a valid access token and refresh token present. These should also be removed or obfuscated. Search the file for JSON keys such as 'refresh_token' and 'access_token'.

Summary

This section provided guidance on debugging authentication traffic using tools like cirrus-scope and mitmproxy. These troubleshooting techniques ensure that Himmelblau operates smoothly and securely in your environment. The next section will explore future directions and enhancements for Himmelblau.