Install the Kerberos client packages:

apt-get install krb5-user libpam-krb5

Copy /etc/krb5.conf from the server. You should double-check the kdc and admin_server lines.

Edit the PAM configuration to tell Linux to ask Kerberos for authentication. There are four files: /etc/pam.d/common-{account,auth,password,session}.

Keep a session logged in as root until you verify that you can still log in after making these changes!

# /etc/pam.d/common-account - authorization settings common to all services
account    sufficient    pam_unix.so
account    sufficient    pam_krb5.so
account    required    pam_deny.so

# /etc/pam.d/common-auth - authentication settings common to all services
auth    sufficient    pam_unix.so nullok_secure
auth    sufficient    pam_krb5.so use_first_pass
auth    required    pam_deny.so

# /etc/pam.d/common-password - password-related modules common to all services
password    sufficient    pam_unix.so nullok obscure min=4 max=8 md5
password    sufficient    pam_krb5.so use_first_pass
password    required    pam_deny.so

# /etc/pam.d/common-session - session-related modules common to all services
session    optional    pam_unix.so
session    optional    pam_krb5.so

You should now be able to authenticate using Kerberos. Remember that you will still need to create accounts, i.e. with useradd, before you will be able to log in.

Important note: Make sure that the machine can resolve its hostname to an IP address. This is as simple as adding an entry to /etc/hosts.
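
The two checks this post asks for, the kdc and admin_server lines in the copied /etc/krb5.conf and the machine resolving its own hostname, can be scripted. The following is an added example, not part of the original post: the function names and the EXAMPLE.COM / OTHER.ORG sample data are constructed, and it assumes an MIT-style krb5.conf with default_realm set and getent available.

```shell
# Added example, not from the original post. Function names are illustrative.
# sample_conf prints a constructed krb5.conf (placeholder realms and hosts).
sample_conf() {
cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        admin_server=kdc1.example.com
    }
    OTHER.ORG = {
        kdc = kdc.other.org
    }
EOF
}

# Print the default_realm value from krb5.conf file $1.
default_realm() {
    awk '{ gsub(/=/, " = ") } $1 == "default_realm" && $2 == "=" { print $3; exit }' "$1"
}

# Print "key host" for each kdc/admin_server line of realm $2 in file $1.
realm_servers() {
    awk -v realm="$2" '
        { gsub(/=/, " = ") }                       # tolerate "kdc=host"
        /^[ \t]*\[/ { in_realms = ($0 ~ /\[realms\]/); cur = ""; next }
        in_realms && $2 == "=" && $3 == "{" { cur = $1; next }
        in_realms && $1 == "}" { cur = ""; next }
        in_realms && cur == realm && ($1 == "kdc" || $1 == "admin_server") {
            host = $3; sub(/:[0-9]+$/, "", host); print $1, host }
    ' "$1"
}

# Print each of kdc/admin_server that realm $2 lacks in file $1.
missing_keys() {
    found=$(realm_servers "$1" "$2" | awk '{ print $1 }')
    for key in kdc admin_server; do echo "$found" | grep -qx "$key" || echo "$key"; done
}

# Run all checks; a non-zero return means a Kerberos login would likely fail.
preflight() {
    conf=${1:-/etc/krb5.conf}; rc=0
    realm=$(default_realm "$conf")
    [ -n "$realm" ] || { echo "FAIL: no default_realm in $conf"; return 1; }
    for key in $(missing_keys "$conf" "$realm"); do echo "FAIL: no $key for $realm"; rc=1; done
    for host in "$(hostname)" $(realm_servers "$conf" "$realm" | awk '{ print $2 }'); do
        getent hosts "$host" >/dev/null 2>&1 || { echo "FAIL: $host does not resolve"; rc=1; }
    done
    return $rc
}
```

Source the file and run preflight (optionally with a path to a krb5.conf) from the root session you are keeping open, before you test a login.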

Posted by Tyler Lesmann on October 6, 2008 at 14:18
Tagged as: debian kerberos linux