LinuxQuestions.org
Old 05-10-2009, 09:11 PM   #1
lldmka
LQ Newbie
 
Registered: May 2009
Posts: 3

Rep: Reputation: 0
Kerberos Authentication Process


Hi,

Can someone step me through the login process when using Kerberos authentication?

eg.
1) user enters username/password
2) server looks for local account (or kerberos searches AD for username)
3) etc

I am particularly interested in the root login, if it differs from a normal user - as I had an issue not being able to login as root after a power outage (with AD temporarily unavailable).

Thanks.
 
Old 05-11-2009, 04:14 PM   #2
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
Well, actually kerberos works differently from what you have described above. Kerberos is a secret key authentication mechanism, whereby the client and the server hold a secret symmetric key (ticket) for some previously negotiated encryption algorithm. This link explains it in more detail: http://web.duke.edu/~rob/kerberos/kerbdetails.html. The exact spec of how AD deals with kerberos I am not sure of, but I do know you can set up AD clients to 'cache' recently authenticated sessions for exactly the reason you talk about:
Quote:
I am particularly interested in the root login, if it differs from a normal user - as I had an issue not being able to login as root after a power outage (with AD temporarily unavailable).
 
Old 05-11-2009, 06:55 PM   #3
lldmka
LQ Newbie
 
Registered: May 2009
Posts: 3

Original Poster
Rep: Reputation: 0
I guess my question was more specifically about the PAM login process when using Kerberos authentication to AD.

My understanding is that the first line in this PAM file initiates the Kerberos process:

account sufficient /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_unix.so

Which appears to show that for all local accounts, including root, an initial attempt will be made to authenticate with AD. Only then will the Kerberos process itself kick in (if authentication is successful).

I might try caching login details, but would prefer root to bypass the process above.
 
Old 05-11-2009, 11:55 PM   #4
lldmka
LQ Newbie
 
Registered: May 2009
Posts: 3

Original Poster
Rep: Reputation: 0
OK, after some testing it appears that a root lockout problem I was having may not have been directly related to Kerberos authentication.

I think I now understand how the PAM login process works.
 
Old 05-12-2009, 05:51 AM   #5
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
No, the way this is laid out:
Quote:
account sufficient /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_unix.so
what happens is PAM checks if a kerberos ticket exists or can be found for root. If not, it checks local unix/linux accounts. So if you can't log in as root, where root is a local account, it's nothing to do with AD, so far as I understand it. YMMV.
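The two-line `account` stack quoted in this thread, run through a simplified model of Linux-PAM's documented control flags (an added example, not code from any poster or from PAM itself). The per-module outcomes are constructed inputs: the first case assumes pam_krb5.so fails while AD is unreachable and pam_unix.so succeeds for a local root account.

```python
# Added example: simplified model of Linux-PAM control-flag evaluation.
# Module outcomes are constructed inputs, not results from real modules.
STACK = """\
account sufficient /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_unix.so
"""

def parse(conf, mtype):
    """Return [(control, module)] for one management group (e.g. 'account')."""
    entries = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mtype:
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries

def evaluate(entries, outcome):
    """outcome maps module name -> True (success) or False (failure).
    Returns (granted, modules_called)."""
    called, failed, succeeded = [], False, False
    for control, module in entries:
        ok = outcome[module]
        called.append(module)
        if control == "sufficient":      # a failure here is simply ignored
            if ok and not failed:
                return True, called      # success ends the stack at once
        elif control == "requisite":
            if not ok:
                return False, called     # failure ends the stack at once
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True            # remaining modules still run
        elif control == "optional":
            succeeded = succeeded or ok
        else:
            raise ValueError("unsupported control: " + control)
    return succeeded and not failed, called

CASES = {  # constructed module outcomes, not captured from a real system
    "AD down, local root": {"pam_krb5.so": False, "pam_unix.so": True},
    "Kerberos account check passes": {"pam_krb5.so": True, "pam_unix.so": False},
    "neither module accepts": {"pam_krb5.so": False, "pam_unix.so": False},
}
RESULTS = {name: evaluate(parse(STACK, "account"), o) for name, o in CASES.items()}
for name, res in RESULTS.items():
    print(name, "->", res)
```

In the second case pam_unix.so is never called, which is how a directory-only user with no local account passes this stack.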
 
  



Tags
kerberos, pam

