/etc/krb5/krb5.conf. An identical file can be used on Linux systems, but it is called /etc/krb5.conf. Getting it to work with PAM means editing /etc/pam.conf (Solaris) or, for example, /etc/pam.d/system-auth (Linux).
Following is an example of a valid krb5.conf file, for use with NEXUS:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = NEXUS.UWATERLOO.CA
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 default_keytab_name = FILE:/etc/krb5/krb5.keytab

[realms]
 NEXUS.UWATERLOO.CA = {
  kdc = nexus.uwaterloo.ca:88
  kdc = nexus.uwaterloo.ca
  admin_server = nexus.uwaterloo.ca:749
  default_domain = nexus.uwaterloo.ca
  verify_ap_req_nofail = false
 }

[domain_realm]
 .uwaterloo.ca = NEXUS.UWATERLOO.CA
 uwaterloo.ca = NEXUS.UWATERLOO.CA

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
You can test this configuration by running kinit; you should be able to get a ticket from the NEXUS server. Running klist shows your tickets.
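As an added example (not part of the original article), the following Python reads a file in the krb5.conf profile syntax used above, that is, [section] headers, key = value settings and brace-delimited realm blocks, keeping repeated keys such as the two kdc lines as a list. It then checks the settings the PAM setup depends on: a default_realm, a matching [realms] entry with a KDC, a [domain_realm] mapping, and the value of verify_ap_req_nofail. The sample sets verify_ap_req_nofail = false, which tells the library to carry on when the host keytab named by default_keytab_name is missing rather than verify the freshly obtained TGT against it; the check reports that so the decision is a deliberate one, because without that verification a local login trusts whatever answered as the KDC. The embedded config is the article's NEXUS sample; the parser and the checks are my own and are not MIT's profile library.

```python
"""Parse an MIT-style krb5.conf and lint the settings the article relies on.
Added example; the embedded config is the article's NEXUS sample."""
from typing import Any, Dict, List

# The article's sample krb5.conf (logging and kdc sections omitted), embedded
# so the example runs offline.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = NEXUS.UWATERLOO.CA
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 default_keytab_name = FILE:/etc/krb5/krb5.keytab

[realms]
 NEXUS.UWATERLOO.CA = {
  kdc = nexus.uwaterloo.ca:88
  kdc = nexus.uwaterloo.ca
  admin_server = nexus.uwaterloo.ca:749
  default_domain = nexus.uwaterloo.ca
  verify_ap_req_nofail = false
 }

[domain_realm]
 .uwaterloo.ca = NEXUS.UWATERLOO.CA
 uwaterloo.ca = NEXUS.UWATERLOO.CA

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
"""


def _store(node: Dict[str, Any], key: str, value: Any) -> None:
    """Repeated keys (several kdc lines in one realm) become a list."""
    if key in node:
        if not isinstance(node[key], list):
            node[key] = [node[key]]
        node[key].append(value)
    else:
        node[key] = value


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse profile syntax: [section] headers, key = value lines and
    key = { ... } subsections. Lines starting with '#' or ';' are comments."""
    root: Dict[str, Dict[str, Any]] = {}
    nesting: List[Dict[str, Any]] = []  # innermost open block is nesting[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            nesting = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            nesting.pop()
        else:
            if not nesting:
                raise ValueError(f"setting before any [section]: {line!r}")
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            key, value = key.strip(), value.strip()
            if value == "{":
                sub: Dict[str, Any] = {}
                _store(nesting[-1], key, sub)
                nesting.append(sub)
            else:
                _store(nesting[-1], key, value)
    return root


def lint_krb5_conf(conf: Dict[str, Dict[str, Any]]) -> List[str]:
    """Checks worth running before trusting the file for PAM logins."""
    findings: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["libdefaults: default_realm is not set"]
    realm_def = conf.get("realms", {}).get(realm)
    if not isinstance(realm_def, dict):
        findings.append(f"realms: no entry for default realm {realm}")
    else:
        # MIT defaults dns_lookup_kdc to true, so only complain if it is off.
        if not realm_def.get("kdc") and libdefaults.get("dns_lookup_kdc", "true").lower() != "true":
            findings.append(f"realms/{realm}: no kdc listed and dns_lookup_kdc is off")
        verify = str(realm_def.get("verify_ap_req_nofail",
                                   libdefaults.get("verify_ap_req_nofail", "false"))).lower()
        if verify in ("false", "no", "0"):
            findings.append(f"realms/{realm}: verify_ap_req_nofail = false, so with no host "
                            "keytab the TGT is accepted without verification")
    mapped = {v for v in conf.get("domain_realm", {}).values() if isinstance(v, str)}
    if realm not in mapped:
        findings.append(f"domain_realm: nothing maps to {realm}")
    return findings
```

Run `lint_krb5_conf(parse_krb5_conf(open("/etc/krb5.conf").read()))` against a real file; on the sample it reports only the verify_ap_req_nofail finding, and a file that names a default_realm with no [realms] block gets two findings.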
Note that both Solaris and Linux support a debug option that can be added to the right of the Kerberos config line in the PAM config file; it increases syslog logging verbosity (it is not shown in the examples here).
There are several ways to get this going. There are packages that will modify the services as required; for example, you may be able to just run:

sudo yum install libpam-krb5
Alternatively, you can either edit the specific service file under /etc/pam.d for the service in question or, to enable Kerberos for all services that include the default system-auth, edit that file by adding a line similar to the following:

auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=100
The use_first_pass option is important, and differs from the Solaris configuration. So the full auth section could look like this:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=100
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
On Solaris, you need to add a line to /etc/pam.conf similar to the following, for whatever service you are configuring (login, in this example):

login auth sufficient pam_krb5.so.1
So a fully configured login section could look something like this:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_dial_auth.so.1
login auth sufficient pam_krb5.so.1
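Added example, not from the article: the stack rules that make use_first_pass and the closing pam_deny.so line matter in the Linux system-auth section above, and that decide when the Solaris pam_krb5.so.1 line is reached, can be checked with a small simulator. It parses both layouts, the pam.d form (facility, control, module, arguments) and the pam.conf form with the service name first, and resolves a login attempt under the Linux-PAM control-flag rules from pam.d(5): a requisite failure ends the stack at once, a required failure is remembered while the remaining modules still run, a sufficient success ends the stack with success unless a required module has already failed, and a sufficient failure is ignored. The per-module outcomes are constructed (pam_env is assumed to succeed and pam_deny to fail, which is what they do); Solaris's handling of a stack in which every sufficient module fails is not modelled, so only the success path is shown for the pam.conf stack.

```python
"""Parse PAM auth stacks and simulate how the control flags resolve a login.
Added example; the stacks are the article's system-auth and pam.conf samples."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The article's Linux /etc/pam.d/system-auth auth section.
LINUX_SYSTEM_AUTH = """
auth required   /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=100
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required   /lib/security/$ISA/pam_deny.so
"""

# The article's Solaris /etc/pam.conf login section (service name first).
SOLARIS_PAM_CONF = """
login auth requisite  pam_authtok_get.so.1
login auth required   pam_dhkeys.so.1
login auth required   pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_dial_auth.so.1
login auth sufficient pam_krb5.so.1
"""


@dataclass
class Entry:
    control: str
    module: str                       # basename, e.g. pam_krb5.so
    args: List[str] = field(default_factory=list)


def parse_stack(text: str, facility: str = "auth", service: Optional[str] = None) -> List[Entry]:
    """pam.d lines are 'facility control module args'; pam.conf lines
    (when `service` is given) prefix that with the service name."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if service is not None:
            if len(fields) < 4 or fields[0] != service:
                continue
            fields = fields[1:]
        if len(fields) < 3 or fields[0] != facility:
            continue
        entries.append(Entry(fields[1].lower(), fields[2].rsplit("/", 1)[-1], fields[3:]))
    return entries


def evaluate(stack: List[Entry], outcomes: Dict[str, bool]) -> Tuple[bool, str]:
    """Resolve one attempt under the Linux-PAM rules (pam.d(5)).
    `outcomes` maps module basename -> whether that module succeeded;
    an unlisted module counts as failed. Returns (authenticated, why)."""
    first_required_failure: Optional[str] = None
    positive = False                  # some required/requisite module succeeded
    for e in stack:
        ok = outcomes.get(e.module, False)
        if e.control == "requisite" and not ok:
            return False, e.module    # requisite failure: stop immediately
        if e.control in ("required", "requisite"):
            if ok:
                positive = True
            elif first_required_failure is None:
                first_required_failure = e.module   # remembered, stack continues
        elif e.control == "sufficient" and ok and first_required_failure is None:
            return True, e.module     # sufficient success short-circuits the stack
        # optional modules and failing sufficient modules leave the result alone
    if first_required_failure is not None:
        return False, first_required_failure
    return positive, "end of stack"


def linux_attempt(unix: bool = False, krb5: bool = False, ldap: bool = False) -> Dict[str, bool]:
    """Constructed outcomes for the system-auth stack: pam_env succeeds, pam_deny fails."""
    return {"pam_env.so": True, "pam_unix.so": unix, "pam_krb5.so": krb5,
            "pam_ldap.so": ldap, "pam_deny.so": False}


def reprompting_modules(stack: List[Entry]) -> List[str]:
    """Modules after the first password-collecting module that lack
    use_first_pass/try_first_pass would ask the user for the password again."""
    non_prompting = {"pam_env.so", "pam_deny.so"}   # assumption: these never prompt
    seen_prompt, out = False, []
    for e in stack:
        if e.module in non_prompting:
            continue
        if seen_prompt and not {"use_first_pass", "try_first_pass"} & set(e.args):
            out.append(e.module)
        seen_prompt = True
    return out
```

The instructive case is `evaluate(linux[:-1], linux_attempt())`: with the final pam_deny.so line removed, an attempt in which pam_unix, pam_krb5 and pam_ldap all fail still resolves to success, because pam_env's required success leaves a positive result and nothing vetoes it. With the line present the same attempt fails at pam_deny.so, which is why the article's system-auth stack ends that way.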
Need Help? Contact rt-ist-unix@rt.uwaterloo.ca.