PAM with Kerberos

xKintaro · 05-29-2009, 12:46 PM

I have joined a CentOS machine onto my Kerberos realm and set up authentication with the GUI tool. I am wondering how exactly I go about logging in using Kerberos credentials rather than with my local system account in /etc/passwd with /bin/login, ssh, and GDM, etc.

irishbitte · 05-29-2009, 08:27 PM

You login exactly the same as a local user would, using relevant user and password info from your kerberos realm. You may need to reboot the CentOS machine to get it to pull a ticket correctly from you realm, before you login.

xKintaro · 05-29-2009, 08:51 PM

I forgot to mention, what about with winbind?

xKintaro · 05-29-2009, 10:24 PM

It is not working, I can't work out why.

custangro · 05-29-2009, 11:23 PM

Quote:

Originally Posted by xKintaro

It is not working, I can't work out why.

Any logs? Conf files?

Post logs and any relevant configurations files...you haven't provided enough information for us to help you...

-C

xKintaro · 05-30-2009, 12:12 AM

Code:

[root@lambda ~]# cat /etc/pam.d/system-auth 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

I just made some changes to krb5.conf because the config file was filled with problems, seems like system-config-auth has some bugs. It might work now but I've not tested yet.

Code:

[root@lambda ~]# cat /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ACROPOLIS.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 
ACROPOLIS.LOCAL = {
  admin_server = delta.acropolis.local:749
  kdc = delta.acropolis.local
  kdc = epsilon.acropolis.local
 }

 ACROPOLIS.LOCAL = {
 }

[domain_realm]
 .acropolis.local = ACROPOLIS.LOCAL
 acropolis.local = ACROPOLIS.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Please specify anything else you might need.

xKintaro · 05-30-2009, 12:20 AM

Just noticed that /var/kerberos does not exist. Is that normal?