
Install the Kerberos client packages:

apt-get install krb5-user libpam-krb5

Copy /etc/krb5.conf from the server. You should double-check the kdc and admin_server lines.

Edit the PAM configuration to tell Linux to ask Kerberos for authentication. There are four files: /etc/pam.d/common-{account,auth,password,session}.

Keep a session logged in as root until you verify that you can still log in after making these changes!

# /etc/pam.d/common-account - authorization settings common to all services
account    sufficient    pam_unix.so
account    sufficient    pam_krb5.so
account    required    pam_deny.so

# /etc/pam.d/common-auth - authentication settings common to all services
auth    sufficient    pam_unix.so nullok_secure
auth    sufficient    pam_krb5.so use_first_pass
auth    required    pam_deny.so

# /etc/pam.d/common-password - password-related modules common to all services
password    sufficient    pam_unix.so nullok obscure min=4 max=8 md5
password    sufficient    pam_krb5.so use_first_pass
password    required    pam_deny.so

# /etc/pam.d/common-session - session-related modules common to all services
session    optional    pam_unix.so
session    optional    pam_krb5.so

You should now be able to authenticate using Kerberos. Remember that you will still need to create accounts, i.e. with useradd, before you will be able to log in.

Important note: Make sure that the machine can resolve its hostname to an IP address. This is as simple as adding an entry to /etc/hosts.
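
Before closing the root session, the edited stacks can be linted against the layout shown above. The script below is an added example, not part of the original post: check_stack is a hypothetical helper name, and the sample file is constructed from the common-auth listing in this post. It checks that pam_krb5.so is present and sufficient, comes after pam_unix.so, carries use_first_pass in the auth and password stacks, and that the stack ends in required pam_deny.so.

```shell
#!/bin/sh
# Added example: lint one PAM common-* file against the stack layout above.
# check_stack FILE TYPE   (TYPE: auth, account or password)
# Prints one line per problem; returns 0 only if the stack matches.
check_stack() {
    awk -v type="$2" '
        $1 == type {                  # ignores comments, blanks, other types
            n++; ctl[n] = $2; mod[n] = $3; opts[n] = ""
            for (i = 4; i <= NF; i++) opts[n] = opts[n] " " $i
            if ($3 == "pam_unix.so") u = n
            if ($3 == "pam_krb5.so") k = n
        }
        END {
            bad = 0
            if (!k) {
                print "FAIL " type ": no pam_krb5.so line"; bad = 1
            } else {
                if (ctl[k] != "sufficient") {
                    print "FAIL " type ": pam_krb5.so is not sufficient"; bad = 1 }
                if (u && k < u) {
                    print "FAIL " type ": pam_krb5.so precedes pam_unix.so"; bad = 1 }
                # After pam_unix.so, pam_krb5.so should reuse the typed password.
                if (u && type != "account" && opts[k] !~ /use_first_pass/) {
                    print "FAIL " type ": pam_krb5.so lacks use_first_pass"; bad = 1 }
            }
            # As in the listings above, the stack ends in an explicit deny.
            if (n == 0 || mod[n] != "pam_deny.so" || ctl[n] != "required") {
                print "FAIL " type ": last line is not required pam_deny.so"; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed sample: the common-auth stack from this post, in a temp file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/pam.d/common-auth - authentication settings common to all services
auth    sufficient    pam_unix.so nullok_secure
auth    sufficient    pam_krb5.so use_first_pass
auth    required    pam_deny.so
EOF
if check_stack "$sample" auth; then echo "common-auth: OK"; fi
rm -f "$sample"
```

On a real host, run check_stack against /etc/pam.d/common-auth, common-account and common-password with the matching type, then still test an actual login from a second terminal.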

Posted by Tyler Lesmann on October 6, 2008 at 14:18
Tagged as: debian kerberos linux