Once principals are added to the Kerberos database and the account information is added to the LDAP directory, the client Linux machines can be configured to access that information and allow the network accounts to be used.

Enabling Kerberos authentication for Linux machines consists of configuring the proper PAM module. The module is in the package libpam-krb5 on Ubuntu.

```
sudo apt-get install libpam-krb5
```

A proper Kerberos configuration file also needs to be created in /etc/nf. This is the same file that we used to set up the KDC and admin server, but without the logging information.

Once the module and the configuration file are installed, the pam_krb5 module needs to be added to the PAM profile. I've assigned all Kerberos network accounts a user ID of 10000 or higher; local accounts on the machines are below 10000. I've updated these PAM files:

```
account required pam_krb5.so minimum_uid=10000
# control field of the pam_unix line and the pam_deny/pam_permit lines below were
# not preserved in this copy of the post; they are Ubuntu's stock common-account lines
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
```

We ensure that the Kerberos account is valid if the user account is at least the minimum user ID.

```
# Attempt to auth using kerberos if uid above 10000
# (control fields restored from the description below; this copy of the post lost them)
auth [success=2 default=ignore] pam_krb5.so minimum_uid=10000 ignore_root
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure
# Here is the fallback if nothing succeeds
auth requisite pam_deny.so
# Prime the stack with a positive return value if there isn't one already.
# This avoids us returning an error just because nothing sets a success code
auth required pam_permit.so
```

We first attempt to authenticate using Kerberos for accounts with a user ID of at least 10000. If it succeeds, we jump to pam_permit.so. If it fails (which will happen for user ID numbers less than 10000), we attempt to authenticate using the local Unix method. If that succeeds, we jump to pam_permit.so.

```
# only the pam_unix line survived in this copy of the post; the other lines
# mirror the auth stack above and the description below
password [success=2 default=ignore] pam_krb5.so minimum_uid=10000
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
```

We first attempt to update the password through Kerberos if the user ID number is at least 10000. Otherwise, we try the local Unix method.

```
# The pam_umask module will set the umask according to the system default in
# /etc/fs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
session optional pam_umask.so
session optional pam_krb5.so minimum_uid=10000
```

For the session and the next one (session-noninteractive), it will attempt to open a Kerberos session. The same pam_krb5 line is added to /etc/pam.d/common-session-noninteractive.

The configuration for PAM doesn't follow the official Ubuntu LTS configuration. The pam update as described in the documentation from the server guide will overwrite the original PAM modules, in which case I lose the changes that I've already made to the PAM configurations. Also, I'm not using the credential cache which the update added (and thus locks out accounts if it's not installed beforehand).

Once the Kerberos client has been configured, you should be able to get a ticket from the KDC:

```
$ kinit user1
$ klist
Default principal: [principal not preserved in this copy]
Valid starting     Expires            Service principal
09/12/15 23:33:57  09/13/15 09:33:57  [service principal not preserved in this copy]
        renew until 09/13/15 23:33:51
```

Connecting to the LDAP server is also easy. The package libnss-ldapd needs to be installed. The Name Service Switch module needs to have its configuration file, /etc/nf, updated. The values for passwd, shadow, and group are updated to query the LDAP server in addition to the local flat files. These are the same three databases that we mapped our LDAP attributes onto earlier, when we created our network accounts.

Additionally, we need to set up nslcd, which will perform the LDAP lookups for us. We configure the service to connect to our LDAP server with the proper base. Our server is configured to support anonymous binds, so we don't need to set a bind DN and bind password. Also, we're not going to support password modifications by root, since our passwords are in the Kerberos database. However, we have enforced that connections must go either through TLS or the SSL port. We set this at the end and tell the service where it can find the CA certificate to verify the SSL certificate that the LDAP server presents to us. We demand that the server provide a valid certificate by setting "tls_reqcert hard".

```
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# (the remainder of the nslcd.conf listing was not preserved in this copy of the post)
```
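As an added example (not code from the original post), here is a small simulator of the Linux-PAM control-flag semantics that the common-auth stack above depends on, so the "jump to pam_permit" reasoning can be checked without a KDC. The modules are stand-ins I wrote (callables that return success or fail), pam_krb5's minimum_uid behaviour is approximated as a failure for lower uids that the stack's default=ignore then skips, and the stack text is the common-auth from above. The last case drops the pam_deny line to show that this fallback, not the jump arithmetic, is what actually rejects a bad password.

```python
"""Simulator for the Linux-PAM control-flag semantics used by the common-auth
stack above (added example, not the post's code). Modules are stand-ins:
callables that return "success" or "fail". pam_krb5's minimum_uid is
approximated as a failure for lower uids, which the stack's default=ignore
then skips, matching the real module's PAM_IGNORE for this purpose."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MINIMUM_UID = 10000  # the post's boundary between local and Kerberos accounts

# type, control field (keyword or [bracketed list]), module, optional args
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


@dataclass
class Entry:
    control: Dict[str, str]  # module result -> action, e.g. {"success": "2", "default": "ignore"}
    module: str              # e.g. "pam_krb5.so"


def parse_control(field: str) -> Dict[str, str]:
    """Expand the keyword controls into the bracketed form libpam uses internally."""
    shorthand = {
        "required":  {"success": "ok", "default": "bad"},
        "requisite": {"success": "ok", "default": "die"},
        "optional":  {"success": "ok", "default": "ignore"},
    }
    if field in shorthand:
        return shorthand[field]
    if field.startswith("[") and field.endswith("]"):
        return dict(tok.split("=", 1) for tok in field[1:-1].split())
    raise ValueError(f"unsupported control field: {field}")


def parse_stack(text: str) -> List[Entry]:
    """Parse 'type control module [args]' lines, skipping comments and blank lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable PAM line: {line}")
        entries.append(Entry(parse_control(match.group(2)), match.group(3)))
    return entries


def run_stack(entries: List[Entry], modules: Dict[str, Callable[[], str]]) -> bool:
    """Walk the stack: 'ok' and an integer N record success (N also skips the next
    N entries), 'bad' records failure, 'die' records failure and stops, 'ignore'
    contributes nothing. A stack that never records a result is a failure, which
    is exactly what the trailing pam_permit line is there to prevent."""
    status: Optional[bool] = None
    i = 0
    while i < len(entries):
        entry = entries[i]
        result = modules[entry.module]()
        action = entry.control.get(result, entry.control.get("default", "bad"))
        if action == "ignore":
            pass
        elif action == "bad":
            status = False
        elif action == "die":
            return False
        elif action == "ok" or action.isdigit():
            if status is not False:  # a success never overrides an earlier failure
                status = True
            if action.isdigit():
                i += int(action)     # jump over the next N modules
        else:
            raise ValueError(f"unsupported action: {action}")
        i += 1
    return status is True


def modules_for(uid: int, krb_ok: bool, unix_ok: bool) -> Dict[str, Callable[[], str]]:
    """Stand-ins for the real modules, parameterised by who would accept the login."""
    return {
        "pam_krb5.so":   lambda: "success" if uid >= MINIMUM_UID and krb_ok else "fail",
        "pam_unix.so":   lambda: "success" if unix_ok else "fail",
        "pam_deny.so":   lambda: "fail",
        "pam_permit.so": lambda: "success",
    }


# The post's common-auth stack, with the control fields its description implies.
AUTH_STACK = """
auth [success=2 default=ignore] pam_krb5.so minimum_uid=10000 ignore_root
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
"""

# The same stack with the pam_deny fallback removed, to show why that line matters.
STACK_WITHOUT_DENY = "\n".join(l for l in AUTH_STACK.splitlines() if "pam_deny" not in l)


def authenticate(stack_text: str, uid: int, krb_ok: bool, unix_ok: bool) -> bool:
    """Return whether the stack would accept this attempt."""
    return run_stack(parse_stack(stack_text), modules_for(uid, krb_ok, unix_ok))


if __name__ == "__main__":
    print("network user, Kerberos accepts:   ", authenticate(AUTH_STACK, 10500, True, False))
    print("local user, pam_unix accepts:     ", authenticate(AUTH_STACK, 500, False, True))
    print("local user, wrong password:       ", authenticate(AUTH_STACK, 500, False, False))
    print("wrong password, pam_deny removed: ", authenticate(STACK_WITHOUT_DENY, 500, False, False))
```

The last case is the one to keep in mind when hand-editing these files: with both jump entries set to default=ignore, a stack that loses its requisite pam_deny line falls straight through to pam_permit and accepts any password.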
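Added example, not from the original post: a lint over the nslcd.conf and nsswitch.conf settings described above. It checks that every ldap:// uri is paired with "ssl start_tls" (or that ldaps:// is used), that tls_reqcert demands a valid certificate, that a CA file or directory is given to verify it against, that no rootpwmoddn is set (the post keeps passwords in Kerberos), and that passwd, group and shadow list ldap after the local sources. The sample files are constructed; ldap.example.invalid, the base DN and the CA path are placeholders, not the post's values.

```python
"""Lint for the nslcd.conf and nsswitch.conf settings described above (added
example, not the post's code). Sample configs are constructed; hostname, base
DN and CA path are placeholders."""
from typing import Dict, List


def parse_nslcd(text: str) -> Dict[str, List[str]]:
    """nslcd.conf is 'keyword value...' per line; some keywords (uri) may repeat."""
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        cfg.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return cfg


def check_nslcd(text: str) -> List[str]:
    cfg = parse_nslcd(text)
    findings: List[str] = []
    uris = cfg.get("uri", [])
    ssl_mode = cfg.get("ssl", ["off"])[-1].lower()  # nslcd accepts off, on or start_tls
    if not uris:
        findings.append("no uri configured")
    for uri in uris:
        if uri.startswith("ldap://") and ssl_mode != "start_tls":
            findings.append(f"plain-text uri without 'ssl start_tls': {uri}")
    tls_in_use = ssl_mode in ("on", "start_tls") or any(u.startswith("ldaps://") for u in uris)
    reqcert = cfg.get("tls_reqcert", [None])[-1]
    if reqcert is not None and reqcert.lower() not in ("hard", "demand"):
        findings.append(f"tls_reqcert {reqcert}: the server certificate is not required to verify")
    if tls_in_use and reqcert is None:
        findings.append("TLS in use but tls_reqcert not set; the post uses 'tls_reqcert hard'")
    if tls_in_use and not (cfg.get("tls_cacertfile") or cfg.get("tls_cacertdir")):
        findings.append("TLS in use but no tls_cacertfile or tls_cacertdir to verify the server against")
    if "rootpwmoddn" in cfg:
        findings.append("rootpwmoddn set: root could modify LDAP passwords that are meant to live in Kerberos")
    return findings


def check_nsswitch(text: str) -> List[str]:
    """passwd, group and shadow must include ldap, after the local sources."""
    sources: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, srcs = line.partition(":")
        # drop action specifiers such as [NOTFOUND=return]; only the source names matter here
        sources[db.strip()] = [s for s in srcs.split() if not s.startswith("[")]
    findings: List[str] = []
    for db in ("passwd", "group", "shadow"):
        srcs = sources.get(db, [])
        if "ldap" not in srcs:
            findings.append(f"{db}: ldap not listed (sources: {' '.join(srcs) or 'none'})")
        elif srcs[0] == "ldap":
            # local accounts (including root) should resolve even when the LDAP server is down
            findings.append(f"{db}: ldap listed before the local sources")
    return findings


# Constructed samples; ldap.example.invalid, the base DN and the CA path are placeholders.
HARDENED_NSLCD = """
# The user and group nslcd should run as.
uid nslcd
gid nslcd
uri ldap://ldap.example.invalid/
base dc=example,dc=invalid
ssl start_tls
tls_reqcert hard
tls_cacertfile /etc/ssl/certs/example-ca.pem
"""

WEAK_NSLCD = """
uid nslcd
gid nslcd
uri ldap://ldap.example.invalid/
base dc=example,dc=invalid
tls_reqcert never
rootpwmoddn cn=admin,dc=example,dc=invalid
"""

GOOD_NSSWITCH = """
passwd:  compat ldap
group:   compat ldap
shadow:  compat ldap
hosts:   files dns
"""

BAD_NSSWITCH = """
passwd:  compat
group:   ldap compat
shadow:  compat
"""

if __name__ == "__main__":
    for name, findings in (("hardened nslcd.conf", check_nslcd(HARDENED_NSLCD)),
                           ("weak nslcd.conf", check_nslcd(WEAK_NSLCD)),
                           ("good nsswitch.conf", check_nsswitch(GOOD_NSSWITCH)),
                           ("bad nsswitch.conf", check_nsswitch(BAD_NSSWITCH))):
        print(f"{name}: {findings or 'ok'}")
```

Run it against the real /etc/nslcd.conf and nsswitch.conf after editing them; the hardened sample is the shape the post's prose describes, and the weak sample fails on exactly the three points the post calls out (plain-text connection, unverified server certificate, and root password modification).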