
/etc/pam.d/system-auth

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=1 ucredit=1 ocredit=-1 lcredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so


/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 default_realm = <MYDOMAIN.COM>
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  kdc = kerberos2.example.com
  admin_server = kerberos.example.com
 }

 <MYDOMAIN.COM> = {
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 <mydomain.com> = <MYDOMAIN.COM>
 .<mydomain.com> = <MYDOMAIN.COM>

To force authentication against a read-only KDC, list it explicitly in /etc/krb5.conf as both the kdc and the admin_server of the realm, as in the EXAMPLE.COM block above.

Command to enable krb5 authentication

authconfig --enablekrb5 --krb5realm=<MYDOMAIN.COM> --enablekrb5kdcdns --update


Test the connection with kinit. Kerberos talks to the KDC on port 88.

kinit <myuser>@<MYDOMAIN.COM>
# Important: the realm must be written in uppercase
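Added example (not part of these notes): a small Python lint that parses a krb5.conf laid out like the one above and flags what the notes depend on: realm names that are not uppercase (the kinit note), a realm block with no kdc while dns_lookup_kdc is not true (the empty <MYDOMAIN.COM> block relies on DNS discovery), and the single-DES and RC4 enctypes in libdefaults, which RFC 6649 and RFC 8429 deprecate. The embedded config is constructed, with MYDOMAIN.COM standing in for the placeholder.

```python
# Enctypes deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (RC4, 3DES).
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}

# Constructed sample mirroring the page; MYDOMAIN.COM stands in for the <MYDOMAIN.COM> placeholder.
SAMPLE_KRB5_CONF = """[libdefaults]
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = true
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  kdc = kerberos2.example.com
 }
 MYDOMAIN.COM = {
 }
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'key = {' opens a nested dict and repeated keys become lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # '#' starts a comment
        key, _, value = (part.strip() for part in line.partition("="))
        if not line:
            continue
        if line == "}":                                # closes a nested realm block
            block = None
        elif line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif value == "{":                             # opens a nested realm block
            block = section.setdefault(key, {})
        else:
            target = block if block is not None else section
            prev = target.get(key)
            target[key] = value if prev is None else (prev if isinstance(prev, list) else [prev]) + [value]
    return conf

def lint(conf):
    """Return human-readable findings; an empty list means every check passed."""
    findings, lib = [], conf.get("libdefaults", {})
    dns_kdc = str(lib.get("dns_lookup_kdc", "false")).lower() == "true"
    for realm, opts in conf.get("realms", {}).items():
        if realm != realm.upper():
            findings.append(f"realm {realm} is not uppercase; realm names are case-sensitive")
        if "kdc" not in opts and not dns_kdc:
            findings.append(f"realm {realm} lists no kdc and dns_lookup_kdc is not true")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        if weak := sorted(set(str(lib.get(key, "")).split()) & DEPRECATED_ENCTYPES):
            findings.append(f"{key} allows deprecated enctypes: {' '.join(weak)}")
    return findings
```

Run `lint(parse_krb5_conf(open("/etc/krb5.conf").read()))` on a host to check its live file; on the sample above the only finding is the deprecated enctype list.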