
Kerberos authentication setup (Linux host authenticating users against Active Directory)

Install the Kerberos client package. The PAM stack configured later also loads pam_krb5.so, so that module must be present on the system as well:

# krb5-workstation provides kinit/klist/kdestroy and the client libraries used
# by the rest of this page.
# NOTE(review): /etc/pam.d/system-auth below references pam_krb5.so, which on
# RHEL-family systems is normally shipped in a separate pam_krb5 package --
# confirm it is installed before editing the PAM stack.
up2date krb5-workstation

Replace the contents of /etc/krb5.conf with the following, substituting your own realm name, KDC hostname and keytab path:

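# Log targets for the client libraries (the kdc/admin_server entries only
# matter on a host that actually runs those daemons).
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = DOMAIN.LOCAL
# Keytab consulted when a process does not set KRB5_KTNAME. This setting is
# read from [libdefaults]; the original file placed it under [logging], where
# libkrb5 does not look for it, so it was silently ignored and the built-in
# default (/etc/krb5.keytab) applied instead.
# The file holds the long-term key of the HTTP/ service principal: it must be
# readable only by the account that needs it (the web server), never
# world-readable, and every process on this host that uses the default keytab
# will now see it.
 default_keytab_file = /usr/local/apache2/conf/devwiki.HTTP.keytab
 ticket_lifetime = 24h
# forwardable = yes issues TGTs that a remote service can forward, i.e. act as
# the user (delegation). A compromised service can reuse such credentials, so
# leave this off unless credential forwarding is actually required.
 forwardable = yes
# Realm (TXT) and KDC (SRV) discovery through DNS is unauthenticated; a spoofed
# DNS reply can steer clients to the wrong realm or KDC. Because the realm
# mappings and the KDC are listed explicitly in this file, both lookups can be
# set to false on networks where DNS is not trusted.
 dns_lookup_realm = true
 dns_lookup_kdc = true
[realms]
 DOMAIN.LOCAL = {
  kdc = ad1.domain.local
  admin_server = ad1.domain.local
  default_domain = domain.local
 }

# Host/domain -> realm mappings. wiki.dev is outside domain.local and therefore
# needs its own entry; the leading-dot form matches every host under
# domain.local.
[domain_realm]
 wiki.dev = DOMAIN.LOCAL
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

# Only consulted by a KDC running on this host; harmless on a client.
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

# Defaults handed to pam_krb5. forwardable = true here applies to the TGT
# obtained at login and carries the same delegation caveat as above.
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   external = sshd
   use_shmem = sshd
 }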

# Add the KDC's address to the local hosts file (any editor will do); the
# required entry is shown below.
nano /etc/hosts

Make sure a line of the form "10.1.xxx.xxx ad1.domain.local ad1" is present in the hosts file, using the KDC's real address with the fully qualified name first. The address in the example below is a placeholder.

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       dv1.domain.local    dv1 localhost.localdomain       localhost
# KDC entry: replace 10.1.200.101 with the real address of ad1. Keep the
# fully qualified name first (NOTE(review): hostname canonicalisation normally
# uses the first name on the line, and Kerberos service principals are built
# from the canonical name). Because this entry overrides DNS, it must be
# updated by hand if the KDC's address ever changes.
10.1.200.101    ad1.domain.local    ad1

Test that the host can obtain a ticket-granting ticket from ad1.domain.local. Use an existing Active Directory account for the test only; running kinit as root writes the ticket to /tmp/krb5cc_0, which the kdestroy at the end removes again:

[root@dv1 conf]# kinit aduser@DOMAIN.LOCAL
Password for aduser@DOMAIN.LOCAL:
[root@dv1 conf]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: aduser@DOMAIN.LOCAL

Valid starting     Expires            Service principal
07/20/09 23:34:26  07/21/09 09:34:34  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
	renew until 07/21/09 23:34:26

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@dv1 conf]# kdestroy
[root@dv1 conf]#

Update the PAM stack: edit /etc/pam.d/system-auth ("nano /etc/pam.d/system-auth") to match the following. Back up the original first and keep a separate root shell open while testing; a mistake in system-auth can lock every user, including root, out of the system.

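# Authentication: the local shadow password is tried first; if it does not
# match, pam_krb5 reuses the same password (use_first_pass) against the KDC;
# anything else is denied. Note the ordering: a user whose local password
# matches is accepted by pam_unix and Kerberos is never consulted.
# `nullok` has been removed from pam_unix: it allows an account with an empty
# shadow password field to log in with no password at all.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

# Account checks: local expiry/lock state first; system accounts (uid < 100)
# stop here and skip the Kerberos check; a user unknown to Kerberos is ignored
# rather than rejected.
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so

# Password changes: strength check, then the local shadow entry, then Kerberos.
# `nullok` removed here for the same reason as above. `md5` selects MD5-crypt
# for local hashes; NOTE(review): prefer `sha512` if this pam_unix supports it
# -- verify on the target release before changing.
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

# Session setup; pam_krb5 is optional so a missing ticket cache does not block
# the login.
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so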

Test changes to /etc/pam.d/system-auth

You need to create a matching local account first: pam_krb5 verifies the password against Active Directory, but nothing on this page configures NSS, so the user must still exist locally. Do not give that account a usable local password. In system-auth pam_unix is listed as "sufficient" before pam_krb5, so a valid local password is accepted without ever contacting the KDC and the login test below would prove nothing about Active Directory. After logging in, run klist: a ticket-granting ticket in the cache shows the Kerberos path was actually used.

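# Create the local account that pam_krb5 will map the AD user onto. The
# original page then ran `passwd aduser`, which sets a local password; because
# pam_unix (sufficient) runs before pam_krb5 in system-auth, a matching local
# password short-circuits the stack and Kerberos is never exercised. Lock the
# local password instead so authentication must go through pam_krb5.
# (adduser/useradd normally leaves the password locked already; `passwd -l`
# makes that explicit.)
adduser aduser

passwd -l aduser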

[root@dv1 conf]# ssh aduser@localhost
********************************************************************************
*                                                                              *
*                          ----------------------                              *
*                                  WARNING                                     *
*                          AUTHORISED USERS ONLY!                              *
*                          ----------------------                              *
*                                                                              *
*                                                                              *
*  The information on this computer and network is the intellectual property   *
*  of a private corporation and is protected by intellectual property rights.  *
*                                                                              *
*  You must be assigned an account on this computer to access information      *
*  and must only access information as defined by the system administrators.   *
*                                                                              *
*  Your activities may be monitored. Use of this computer implies consent to   *
*  monitoring.                                                                 *
*                                                                              *
********************************************************************************
aduser@localhost's password:
Last login: Mon Jul 20 02:54:31 2009 from 10.1.200.150
[aduser@dv1 ~]$
