Archive
January 2010
December 2009
November 2009
October 2009
September 2009
June 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
July 2008
June 2008
October 2007
September 2007
Tags
android (3)
ant (2)
beautifulsoup (1)
debian (1)
decorators (1)
django (9)
dovecot (1)
encryption (1)
fix (4)
gotcha (2)
hobo (1)
htmlparser (1)
imaplib (2)
java (1)
json (2)
kerberos (2)
linux (7)
lxml (5)
markdown (4)
mechanize (6)
multiprocessing (1)
mysql (2)
nagios (2)
new_features (3)
open_source (5)
optparse (2)
parsing (1)
perl (2)
postgres (1)
preseed (1)
pxe (4)
pyqt4 (1)
python (41)
raid (1)
rails (1)
red_hat (1)
reportlab (4)
request_tracker (2)
rt (2)
ruby (1)
scala (1)
screen_scraping (7)
shell_scripting (8)
soap (1)
solaris (3)
sql (2)
sqlalchemy (2)
tips_and_tricks (1)
twitter (2)
ubuntu (1)
vmware (2)
windows (1)
zimbra (2)
Entries tagged as debian
Kerberos Client Configuration on Debian Derivatives

Install the kerberos client packages 

apt-get install krb5-user libpam-krb5

Copy the /etc/krb5.conf from the server. You should double-check the kdc and admin_server lines.

Edit the pam configuration to tell linux to ask kerberos for authentication. There are four files, /etc/pam.d/common-{account,auth,password,session}.

Keep a session logged in as root until you verify that you can still login after making these changes! 

# /etc/pam.d/common-account - authorization settings common to all services
account    sufficient    pam_unix.so
account    sufficient    pam_krb5.so
account    required    pam_deny.so

# /etc/pam.d/common-auth - authentication settings common to all services
auth    sufficient    pam_unix.so nullok_secure
auth    sufficient    pam_krb5.so use_first_pass
auth    required    pam_deny.so

# /etc/pam.d/common-password - password-related modules common to all services
password    sufficient    pam_unix.so nullok obscure min=4 max=8 md5
password    sufficient    pam_krb5.so use_first_pass
password    required    pam_deny.so

# /etc/pam.d/common-session - session-related modules common to all services
session    optional    pam_unix.so
session    optional    pam_krb5.so

You should now be able to authenticate using kerberos. Remember that you will still need create accounts, i.e. useradd, before you will be able to login.

Important note: Make sure that the machine can resolve its hostname to an IP address. This is as simple as adding an entry to /etc/hosts.

Posted by Tyler Lesmann on October 6, 2008 at 14:18
Tagged as: debian kerberos linux