Version 18 (an older version of this page)

On a standard Solaris system, configuring Kerberos itself involves little more than creating /etc/krb5/krb5.conf. The same file can be used on Linux, where it lives at /etc/krb5.conf instead. Getting PAM to use Kerberos then means editing /etc/pam.conf (Solaris) or, for example, /etc/pam.d/system-auth (Linux).

Configuring Kerberos

The following is an example of a valid krb5.conf file for use with NEXUS:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = NEXUS.UWATERLOO.CA
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
    # Solaris keytab location; the Linux library default is /etc/krb5.keytab
    default_keytab_name = FILE:/etc/krb5/krb5.keytab

[realms]
    NEXUS.UWATERLOO.CA = {
        # both lines name the same KDC (88 is the default port), so one would do
        kdc = nexus.uwaterloo.ca:88
        kdc = nexus.uwaterloo.ca
        admin_server = nexus.uwaterloo.ca:749
        default_domain = nexus.uwaterloo.ca
        # false (also the library default): when the host has no keytab, a TGT is
        # accepted without being verified against it; true makes that case fail
        verify_ap_req_nofail = false
    }

[domain_realm]
    .uwaterloo.ca = NEXUS.UWATERLOO.CA
    uwaterloo.ca = NEXUS.UWATERLOO.CA

# only read by the KDC daemons; harmless on a client
[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

# options read by pam_krb5 (36000 seconds = 10 hours)
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        # Kerberos 4 ticket conversion, left off
        krb4_convert = false
    }

You can test this configuration by running kinit: you should get a ticket-granting ticket from the NEXUS server, and klist will show it. Bear in mind what that proves. A successful kinit shows that whatever answered as the KDC returned a ticket your password could decrypt; it is the follow-up check against the host's own keytab that proves the KDC was genuine, and with verify_ap_req_nofail = false and no keytab on the machine that check is skipped rather than failing. Before pam_krb5 is trusted for logins, make sure the host keytab named by default_keytab_name exists (klist -k lists its entries) and consider setting verify_ap_req_nofail = true so that a missing keytab fails closed.
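A quick way to check the file for the two settings that decide whether a ticket handed to this host is ever verified (a host keytab, and verify_ap_req_nofail) before relying on kinit alone. This is an added example written for this page, not code from the original article or from MIT Kerberos; the file paths come from the article, while the keytab fallback, the krb5_get parser and the audit_krb5_conf name are the script's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the original article or of MIT Kerberos: before
# trusting a kinit that "just works", check the krb5.conf settings that decide
# whether a ticket handed to this host is ever verified. Usage:
#   sh krb5-audit.sh [path/to/krb5.conf]   (default: the platform path below)

# The file location the article gives for each platform.
krb5_conf_path() {
    case "$(uname -s)" in
        SunOS) echo /etc/krb5/krb5.conf ;;
        *)     echo /etc/krb5.conf ;;
    esac
}

# krb5_get FILE KEY: value of the first "KEY = value" line; '#'/';' comments
# are skipped. The keys audited here occur once per file, so no section
# scoping is attempted (ticket_lifetime, which repeats, would need it).
krb5_get() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") {
            k = $0; v = $0
            sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]+/, "", k)
            sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# audit_krb5_conf FILE: one line per finding; returns 1 if a FAIL was found.
audit_krb5_conf() {
    f="$1"; rc=0

    realm=$(krb5_get "$f" default_realm)
    if [ -n "$realm" ]; then
        echo "ok:   default_realm = $realm"
    else
        echo "FAIL: default_realm is not set"; rc=1
    fi

    # Library default when the key is absent: krb5.keytab next to krb5.conf
    # (/etc/krb5.keytab on Linux, /etc/krb5/krb5.keytab on Solaris).
    kt=$(krb5_get "$f" default_keytab_name)
    kt=${kt#FILE:}
    [ -n "$kt" ] || kt="$(dirname "$(krb5_conf_path)")/krb5.keytab"

    case "$(krb5_get "$f" verify_ap_req_nofail)" in
        true|yes|1) nofail=true ;;
        *)          nofail=false ;;       # the library default is also false
    esac

    # After kinit the library proves the TGT came from the real KDC by fetching a
    # ticket for host/<fqdn> and decrypting it with the local keytab. With no
    # keytab and verify_ap_req_nofail=false that step is silently skipped, so a
    # machine impersonating the KDC can "authenticate" any user for any password.
    if [ -e "$kt" ]; then
        if [ "$nofail" = true ]; then
            echo "ok:   keytab $kt present and verification is enforced"
        else
            echo "WARN: keytab $kt present, but verify_ap_req_nofail=false means a lost keytab fails open; set it to true"
        fi
    elif [ "$nofail" = true ]; then
        echo "WARN: keytab $kt missing; Kerberos logins will fail until it is installed (fails closed)"
    else
        echo "FAIL: keytab $kt missing and verify_ap_req_nofail=false: tickets are never verified (KDC spoofing)"; rc=1
    fi
    return $rc
}

conf=${1:-$(krb5_conf_path)}
if [ -r "$conf" ]; then
    audit_krb5_conf "$conf" || echo "weak Kerberos client settings in $conf; fix before relying on pam_krb5" >&2
else
    echo "no readable $conf; pass the path to a krb5.conf as the first argument" >&2
fi
```

Run it as root (the keytab is normally mode 600) on the host that will use pam_krb5, then do kinit and klist as usual; the FAIL line is the one that must not be present on a machine where Kerberos decides who may log in.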

Configuring PAM

Both the Solaris and Linux pam_krb5 modules accept a debug option, appended to the end of the pam_krb5 line in the PAM configuration, which increases what is logged to syslog; it is not shown in the examples below.

Linux

There is more than one way to get this going. Distribution packages can modify the PAM service files for you: on Debian and Ubuntu the package is libpam-krb5 (sudo apt-get install libpam-krb5), which registers pam_krb5 with pam-auth-update, and on Red Hat based systems it is pam_krb5 (sudo yum install pam_krb5), after which authconfig --enablekrb5 --update edits system-auth.

Alternatively, edit either the specific service file under /etc/pam.d for the service in question or, to enable Kerberos for every service that includes the default system-auth, that file itself, adding a line similar to the following:

auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=100

The use_first_pass option is important and differs from the Solaris configuration: it tells pam_krb5 to reuse the password that pam_unix already collected instead of prompting a second time (it fails if no password has been collected; try_first_pass would prompt in that case). Note also that nullok on the pam_unix line allows an account with an empty password field to log in without a password, so drop it unless that is wanted, and that the final pam_deny is what turns "no module accepted the login" into an explicit refusal. So the full auth section could look like this:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=100
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
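To see what that stack actually decides, here is an added example (not from the original article and not part of Linux-PAM) that replays the Linux-PAM control-flag rules over the stack above with constructed module outcomes. The "ok"/"fail" outcome strings and the pam_auth_decision and write_sample_stack names are the example's own; nothing here executes a real PAM module.

```sh
#!/bin/sh
# Added example, not part of the original article or of Linux-PAM itself: a dry
# run of the Linux-PAM control-flag rules over an auth stack, so that the order
# and flags in system-auth can be reasoned about before the file is installed.
# Module outcomes are constructed stand-ins ("ok"/"fail"); no PAM module runs.

# write_sample_stack FILE: the Linux auth stack from the article, verbatim.
write_sample_stack() {
    cat > "$1" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=100
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
EOF
}

# pam_auth_decision STACK_FILE "pam_a.so=ok pam_b.so=fail ...": prints
# "ALLOW <module>" or "DENY <module>" naming the line that settled the result.
# Rules, as Linux-PAM applies them for the auth group:
#   requisite  - failure ends the stack immediately
#   required   - failure is remembered; the stack keeps running and fails at the end
#   sufficient - success ends the stack with ALLOW unless a required module has
#                already failed; failure is ignored
#   optional   - ignored here (it only matters when it is the sole module)
# A module missing from the outcome list is treated as failing.
pam_auth_decision() {
    awk -v outcomes="$2" '
    BEGIN {
        n = split(outcomes, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); res[kv[1]] = kv[2] }
    }
    /^[[:space:]]*#/ { next }
    NF == 0          { next }
    $1 != "auth"     { next }
    {
        ctl = $2; mod = $3
        sub(/^.*\//, "", mod)                       # keep only the module file name
        r = (mod in res) ? res[mod] : "fail"
        if (ctl == "requisite" && r != "ok") { print "DENY " mod; decided = 1; exit }
        if ((ctl == "required" || ctl == "requisite") && r == "ok") required_ok = 1
        if (ctl == "required" && r != "ok" && first_fail == "") first_fail = mod
        if (ctl == "sufficient" && r == "ok" && first_fail == "") { print "ALLOW " mod; decided = 1; exit }
    }
    END {
        if (decided) exit
        if (first_fail != "") print "DENY " first_fail
        else if (required_ok)  print "ALLOW end-of-stack"
        else                   print "DENY end-of-stack"
    }' "$1"
}

# Walk the article stack through the cases an administrator cares about.
stack=$(mktemp)
write_sample_stack "$stack"
echo "local password ok:              $(pam_auth_decision "$stack" 'pam_env.so=ok pam_unix.so=ok')"
echo "local rejected, Kerberos ok:    $(pam_auth_decision "$stack" 'pam_env.so=ok pam_unix.so=fail pam_krb5.so=ok')"
echo "every backend rejects:          $(pam_auth_decision "$stack" 'pam_env.so=ok pam_unix.so=fail pam_krb5.so=fail pam_ldap.so=fail')"

# A tempting "hardening" that backfires: with pam_krb5 required, a Kerberos-only
# user (no local password) still runs on to pam_deny and is refused.
sed 's/sufficient\(.*pam_krb5\.so\)/required  \1/' "$stack" > "$stack.strict"
echo "pam_krb5 required, Kerberos ok: $(pam_auth_decision "$stack.strict" 'pam_env.so=ok pam_unix.so=fail pam_krb5.so=ok')"
rm -f "$stack" "$stack.strict"
```

The evaluator reads /etc/pam.d style files, where the first field is the management group; a Solaris /etc/pam.conf line starts with the service name and Solaris applies its own control-flag rules, so use this only to reason about the Linux stack.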

Solaris

You need to add a line to /etc/pam.conf similar to the following, for whatever service you are configuring (login, in this example):

login   auth sufficient         pam_krb5.so.1

So a fully configured login section could look something like this. Here pam_authtok_get at the top collects the password once and the later modules, pam_krb5 included, read it from the PAM handle, which is why no use_first_pass is needed on Solaris:

login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth sufficient         pam_dial_auth.so.1
login   auth sufficient         pam_krb5.so.1

Need Help?

Contact rt-ist-unix@rt.uwaterloo.ca.
