Configuring Kerberos and PAM

To configure Kerberos to work with PAM on a standard Solaris system involves merely creating /etc/krb5/krb5.conf. An identical file can be used on Linux systems, but is called /etc/krb5.conf. To get it to work with PAM means editing /etc/pam.conf (Solaris) or, for example, /etc/pam.d/system-auth (Linux).

Configuring Kerberos

Also on this page: Configuring PAM

 

Following is an example of a valid krb5.conf file, for use with NEXUS:

[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = NEXUS.UWATERLOO.CA dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h forwardable = yes default_keytab_name = FILE:/etc/krb5/krb5.keytab [realms] NEXUS.UWATERLOO.CA = { kdc = nexus.uwaterloo.ca:88 kdc = nexus.uwaterloo.ca admin_server = nexus.uwaterloo.ca:749 default_domain = nexus.uwaterloo.ca verify_ap_req_nofail = false } [domain_realm] .uwaterloo.ca = NEXUS.UWATERLOO.CA uwaterloo.ca = NEXUS.UWATERLOO.CA [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }

You can test this configuration by running kinit -- you should be able to get a ticket from the NEXUS server. Running klist shows your tickets.

Configuring PAM

Note that both Solaris and Linux support a debug option that can be added to the right of the Kerberos config line in the PAM config file, and which will increase syslog logging verbosity (but is not shown here).

Linux

There are perhaps different ways to get this going. There are packages that will modify the services as required. For example you may be able to just

sudo yum install libpam-krb5

Alternatively, you need to edit either the specific service file under /etc/pam.d for the service in question, or to enable Kerberos for all services that include the default system-auth, you edit the latter file, by adding a line similar to the following:

auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=100

The use_first_pass is important, and differs from the Solaris configuration. So the full auth section could look like this:

Solaris

You need to add a line to /etc/pam.conf similar to the following, for whatever service you are configuring (login, in this example):

So a fully configured login section could look something like this:

Related articles

Need Help?

Contact rt-ist-unix@rt.uwaterloo.ca.

Article feedback

If you’d like to share any feedback about this article, please let us know.

Â