Configuring Kerberos and PAM
To configure Kerberos to work with PAM on a standard Solaris system, you merely need to create /etc/krb5/krb5.conf. An identical file can be used on Linux systems, where it is called /etc/krb5.conf. Getting it to work with PAM means editing /etc/pam.conf (Solaris) or, for example, /etc/pam.d/system-auth (Linux).
Configuring Kerberos
Following is an example of a valid krb5.conf file, for use with NEXUS:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = NEXUS.UWATERLOO.CA
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
default_keytab_name = FILE:/etc/krb5/krb5.keytab
[realms]
NEXUS.UWATERLOO.CA = {
kdc = nexus.uwaterloo.ca:88
kdc = nexus.uwaterloo.ca
admin_server = nexus.uwaterloo.ca:749
default_domain = nexus.uwaterloo.ca
verify_ap_req_nofail = false
}
[domain_realm]
.uwaterloo.ca = NEXUS.UWATERLOO.CA
uwaterloo.ca = NEXUS.UWATERLOO.CA
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
You can test this configuration by running kinit -- you should be able to get a ticket from the NEXUS server. Running klist shows your tickets.
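The krb5.conf above is a profile of [section] headers, key = value relations and nested { } blocks, and a few of its settings decide how much protection a PAM login gets (whether a KDC is listed for the default realm, and whether the ticket obtained at login is verified against the host keytab). The following parser and checker is an added example, not part of this article or of any Kerberos distribution; it assumes only the Python standard library, and SAMPLE_KRB5_CONF is a constructed, trimmed copy of the NEXUS configuration.

```python
"""Parse a krb5.conf-style profile and sanity-check the settings that
matter for PAM logins.

Added example; it is not part of the original article and assumes nothing
beyond the Python standard library.  SAMPLE_KRB5_CONF is constructed from
the NEXUS configuration shown in the article.
"""
import re
from typing import Any, Dict, List

# Constructed sample based on the article's krb5.conf (trimmed).
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = NEXUS.UWATERLOO.CA
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
  default_keytab_name = FILE:/etc/krb5/krb5.keytab
[realms]
  NEXUS.UWATERLOO.CA = {
    kdc = nexus.uwaterloo.ca:88
    kdc = nexus.uwaterloo.ca
    admin_server = nexus.uwaterloo.ca:749
    verify_ap_req_nofail = false
  }
[domain_realm]
  .uwaterloo.ca = NEXUS.UWATERLOO.CA
[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
  }
"""

TRUE_VALUES = ("true", "yes", "1")


def parse_krb5_conf(text: str) -> Dict[str, Any]:
    """Return {section: {key: value}}, where a value is a string, a list of
    strings when the key is repeated (several 'kdc =' lines), or a nested
    dict for a '{ ... }' block."""
    profile: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = []      # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank or comment line
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            if len(stack) > 1:
                raise ValueError("section header inside an open '{' block")
            stack = [profile.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"relation outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed relation: {line!r}")
        key, value = key.strip(), value.strip()
        scope = stack[-1]
        if value == "{":                  # open a nested block
            scope[key] = {}
            stack.append(scope[key])
        elif key in scope:                # repeated key -> list of values
            previous = scope[key]
            scope[key] = previous + [value] if isinstance(previous, list) else [previous, value]
        else:
            scope[key] = value
    if len(stack) > 1:
        raise ValueError("unbalanced '{'")
    return profile


def check_profile(profile: Dict[str, Any], keytab_present: bool) -> List[str]:
    """Return a list of findings (empty when the profile looks sound).
    keytab_present says whether the host keytab named by default_keytab_name
    exists; it is passed in so the check can run offline."""
    findings: List[str] = []
    libdefaults = profile.get("libdefaults", {})
    realms = profile.get("realms", {})
    dns_kdc = str(libdefaults.get("dns_lookup_kdc", "false")).lower() in TRUE_VALUES
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append("libdefaults: default_realm is not set")
    elif default_realm not in realms and not dns_kdc:
        findings.append(f"realms: no [realms] entry for {default_realm} and dns_lookup_kdc is off")
    for name, realm in realms.items():
        if not isinstance(realm, dict):
            continue
        if not realm.get("kdc") and not dns_kdc:
            findings.append(f"realms/{name}: no kdc listed and dns_lookup_kdc is off")
        # The PAM login path obtains a TGT and then verifies it against the host
        # key in the keytab.  With verify_ap_req_nofail = false, a missing or
        # unreadable keytab silently skips that verification step.
        nofail = str(realm.get("verify_ap_req_nofail",
                               libdefaults.get("verify_ap_req_nofail", "false"))).lower()
        if keytab_present and nofail not in TRUE_VALUES:
            findings.append(f"realms/{name}: verify_ap_req_nofail is false although a host "
                            "keytab exists; set it to true so the TGT check cannot be skipped")
    return findings


if __name__ == "__main__":
    profile = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in check_profile(profile, keytab_present=True):
        print(finding)
```

Run against the sample with keytab_present=True it reports the verify_ap_req_nofail setting; with no keytab on the host the same profile passes cleanly, which is exactly the case the flag exists for: once a host keytab is installed (the default_keytab_name path above), turning the flag on makes a login fail rather than proceed when the ticket cannot be checked against the host key.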
Configuring PAM
Note that both Solaris and Linux support a debug option that can be added to the right of the Kerberos config line in the PAM config file; it increases syslog logging verbosity (it is not shown here).
Linux
There are different ways to get this going. Some packages modify the services as required; for example, you may be able to just run
sudo yum install libpam-krb5
Alternatively, edit either the specific service file under /etc/pam.d for the service in question, or, to enable Kerberos for all services that include the default system-auth file, edit that file by adding a line similar to the following:
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=100
The use_first_pass option is important, and differs from the Solaris configuration. So the full auth section could look like this:
Solaris
You need to add a line to /etc/pam.conf similar to the following, for whatever service you are configuring (login, in this example):
So a fully configured login section could look something like this:
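The Linux and Solaris sections above describe the same thing in two layouts: a four-column /etc/pam.d/<service> file (type, control, module, options) and a five-column /etc/pam.conf (service name first). The following checker is an added example, not this article's own configuration nor part of any PAM distribution; it parses both layouts and checks the points the article makes about the Kerberos line, that on Linux it carries use_first_pass and that it sits where the stack can still reach it. Both sample stacks are constructed for illustration, and the module names and paths on a real system may differ.

```python
"""Parse PAM configuration lines and check the Kerberos entries in an
auth stack.

Added example, not part of the original article.  It understands both the
four-column /etc/pam.d/<service> layout used on Linux and the five-column
/etc/pam.conf layout used on Solaris, where the service name is the first
column.  Both sample stacks below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed Linux-style auth section, in the spirit of /etc/pam.d/system-auth.
LINUX_SYSTEM_AUTH = """\
auth  required    /lib/security/$ISA/pam_env.so
auth  sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
auth  sufficient  /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=100
auth  required    /lib/security/$ISA/pam_deny.so
"""

# Constructed Solaris-style /etc/pam.conf lines for the login service.
SOLARIS_PAM_CONF = """\
login  auth  requisite   pam_authtok_get.so.1
login  auth  required    pam_unix_cred.so.1
login  auth  sufficient  pam_krb5.so.1
login  auth  required    pam_unix_auth.so.1
"""


@dataclass
class PamEntry:
    service: str
    type: str          # auth, account, password, session
    control: str       # required, requisite, sufficient, optional, or [...]
    module: str
    args: List[str] = field(default_factory=list)

    @property
    def module_name(self) -> str:
        """'/lib/security/$ISA/pam_krb5.so' and 'pam_krb5.so.1' -> 'pam_krb5'."""
        return self.module.rsplit("/", 1)[-1].split(".so", 1)[0]


def parse_pam(text: str, service: Optional[str] = None) -> List[PamEntry]:
    """service=None parses the five-column /etc/pam.conf layout; otherwise the
    text is a four-column /etc/pam.d file and every entry belongs to `service`."""
    entries: List[PamEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        try:
            svc = tokens.pop(0) if service is None else service
            typ = tokens.pop(0).lower()
            control = tokens.pop(0)
            # Linux-PAM allows '[success=1 default=ignore]' controls containing spaces.
            while control.startswith("[") and not control.endswith("]"):
                control += " " + tokens.pop(0)
            module = tokens.pop(0)
        except IndexError:
            raise ValueError(f"line {lineno}: too few fields: {raw!r}") from None
        entries.append(PamEntry(svc, typ, control.lower(), module, tokens))
    return entries


def check_krb5_auth(entries: List[PamEntry], service: str, linux_style: bool) -> List[str]:
    """Findings about the pam_krb5 line in `service`'s auth stack."""
    findings: List[str] = []
    auth = [e for e in entries if e.service == service and e.type == "auth"]
    names = [e.module_name for e in auth]
    if "pam_krb5" not in names:
        return [f"{service}: no pam_krb5 entry in the auth stack"]
    for entry in auth:
        if entry.module_name != "pam_krb5":
            continue
        # On Linux the article's line uses use_first_pass so pam_krb5 reuses the
        # password already collected by pam_unix instead of prompting again.
        if linux_style and "use_first_pass" not in entry.args:
            findings.append(f"{service}: pam_krb5 lacks use_first_pass (user is prompted twice)")
    # A failed 'required' module earlier in the stack already decides the
    # result, so pam_krb5 listed after pam_deny can never rescue the login.
    if "pam_deny" in names and names.index("pam_deny") < names.index("pam_krb5"):
        findings.append(f"{service}: pam_krb5 is listed after pam_deny and can never succeed")
    return findings


if __name__ == "__main__":
    for label, entries, svc, linux in (
        ("linux", parse_pam(LINUX_SYSTEM_AUTH, service="system-auth"), "system-auth", True),
        ("solaris", parse_pam(SOLARIS_PAM_CONF), "login", False),
    ):
        print(label, check_krb5_auth(entries, svc, linux) or "ok")
```

Both constructed stacks pass. The Solaris sample deliberately has no use_first_pass on pam_krb5.so.1, matching the article's remark that the Solaris line differs; the Linux sample keeps the article's minimum_uid=100, which stops low-numbered system accounts from being sent to the KDC at all.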
Need Help?
Contact rt-ist-unix@rt.uwaterloo.ca.