7. Client configuration - contacting the KDC for authentication

7.1. Centralized authentication configuration

In order to provide centralized authentication we must configure every client in our network to make use of the authentication services offered by our Kerberos/OpenLDAP server.

7.1.1. PAM

First of all, we must configure PAM by editing the file /etc/pam.d/system-auth:

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_krb5.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass nullok
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_krb5.so
account    required     /lib/security/pam_unix.so

password   sufficient   /lib/security/pam_krb5.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so use_authtok md5 shadow nullok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_krb5.so
session    required     /lib/security/pam_unix.so

Important

There are two problems related to expired passwords and ssh; I am still trying to solve them.

Note

We may configure the system so that a user's home directory is created on her first login. To do so we must add the following line:

session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022

to the services that grant interactive access to a machine, such as /etc/pam.d/login, /etc/pam.d/sshd, /etc/pam.d/su and /etc/pam.d/xdm.
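To see why the auth stack above is ordered the way it is (pam_krb5 first, pam_unix as a fallback with use_first_pass, and pam_deny closing the stack), the following added example (not part of this guide) parses the auth lines of the system-auth file shown above and walks them with the control-flag rules of pam.conf(5) in simplified form: a failing "required" module records a failure but the walk continues, a successful "sufficient" module ends the walk with success unless a required module already failed, and a failing "sufficient" module is simply ignored. The per-module outcomes passed to evaluate() are constructed; pam_env is assumed to succeed and pam_deny to fail, as those modules do in practice.

```python
"""Simulate how a Linux-PAM 'auth' stack resolves for given module outcomes."""

# Constructed copy of the auth section of the system-auth file above.
SYSTEM_AUTH = """\
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_krb5.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass nullok
auth       required     /lib/security/pam_deny.so
"""


def parse_stack(text, group="auth"):
    """Return [(control, module, args)] for one management group."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != group:
            continue
        control, path, args = parts[1], parts[2], parts[3:]
        stack.append((control, path.rsplit("/", 1)[-1], args))
    return stack


def evaluate(stack, outcomes):
    """Walk the stack with simplified pam.conf(5) control semantics.

    outcomes maps module name -> True (PAM_SUCCESS) / False (failure).
    Modules not listed default to success, except pam_deny which always fails.
    """
    final = None            # status set by the first required/requisite module
    required_failed = False
    for control, module, _ in stack:
        ok = outcomes.get(module, module != "pam_deny.so")
        if control in ("required", "requisite"):
            if not ok:
                if control == "requisite":
                    return False      # requisite failure aborts immediately
                required_failed = True
                final = False
            elif final is None:
                final = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True           # nothing after this line is consulted
            # a failing sufficient module is ignored
        elif control == "optional" and len(stack) == 1:
            final = ok
    return bool(final)


def scenarios():
    """Outcomes of the page's stack, plus the same stack without pam_deny."""
    stack = parse_stack(SYSTEM_AUTH)
    without_deny = [entry for entry in stack if entry[1] != "pam_deny.so"]
    return {
        # KDC accepts the password: pam_krb5 (sufficient) ends the walk with success
        "kerberos_ok": evaluate(stack, {"pam_krb5.so": True}),
        # KDC rejects/unavailable, local password matches: pam_unix lets the user in
        "local_fallback": evaluate(stack, {"pam_krb5.so": False, "pam_unix.so": True}),
        # both reject: pam_deny (required) turns the result into a failure
        "both_fail": evaluate(stack, {"pam_krb5.so": False, "pam_unix.so": False}),
        # without pam_deny the only recorded status is pam_env's success
        "both_fail_no_deny": evaluate(without_deny, {"pam_krb5.so": False, "pam_unix.so": False}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} -> {'PASS' if result else 'DENY'}")
```

The last scenario is the one worth remembering: with pam_env as the only "required" line and every "sufficient" module failing, the simplified model returns success, which is why the stack ends with a "required" pam_deny.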

7.1.2. LDAP access

Next we edit the file /etc/ldap.conf. nss_ldap reads this file to learn how to obtain user and group information:

host ldap.example.local
base dc=example,dc=com
binddn cn=nssproxy@example.com,ou=kerberos,dc=example,dc=com
bindpw nssproxyPassword
scope sub
pam_filter objectClass=posixAccount
nss_base_passwd         ou=people,dc=example,dc=com
nss_base_group          ou=group,dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/ssl/certs

Now let's make sure nobody else can read this file, so that the NSS proxy password cannot be stolen:

server root # chmod 640 /etc/ldap.conf

7.1.3. NSS configuration

Next we edit /etc/nsswitch.conf, changing the lines shown below:

#passwd:      compat
#shadow:      compat
#group:       compat
passwd:      files ldap
shadow:      files
group:       files ldap

Note

We only access LDAP to obtain passwd (uid, uidNumber, gidNumber, homeDirectory, ...) and group (gidNumber, memberUid, ...) information. The shadow information is not used, since the password policy is now controlled by Kerberos.
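As a check on the two files from 7.1.2 and 7.1.3, the following added example (not part of this guide) audits an nss_ldap-style ldap.conf and an nsswitch.conf: it confirms that a file carrying bindpw is not world-readable (the chmod 640 above), that ssl start_tls is set so the proxy password does not cross the network in clear text, that a CA location is configured so the server certificate can be validated, and that passwd and group consult files before ldap while shadow does not use ldap at all. The sample files are constructed from the listings above and written to a scratch directory; the "weak" variants are constructed to show what the findings look like.

```python
"""Audit the client-side ldap.conf permissions/settings and nsswitch.conf sources."""
import os
import stat
import tempfile


def parse_conf(path, strip_colon=False):
    """Parse 'key value...' lines (ldap.conf, or nsswitch.conf with strip_colon).
    Whole-line comments and blank lines are skipped."""
    entries = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            key = parts[0].rstrip(":") if strip_colon else parts[0]
            entries[key] = parts[1].strip() if len(parts) > 1 else ""
    return entries


def audit_ldap_conf(path):
    """Findings for an nss_ldap /etc/ldap.conf (empty list means no issue)."""
    findings = []
    conf = parse_conf(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if "bindpw" in conf and mode & stat.S_IROTH:
        findings.append("bindpw present but the file is world-readable (expected 640)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or others")
    if conf.get("ssl") not in ("start_tls", "on"):
        findings.append("no 'ssl start_tls' or 'ssl on': bind password and directory data travel in clear text")
    if "tls_cacertdir" not in conf and "tls_cacertfile" not in conf:
        findings.append("no tls_cacertdir/tls_cacertfile: server certificate cannot be checked against a trusted CA")
    return findings


def audit_nsswitch(path):
    """Findings for /etc/nsswitch.conf against the source order chosen above."""
    dbs = parse_conf(path, strip_colon=True)
    findings = []
    for db in ("passwd", "group"):
        sources = dbs.get(db, "").split()
        if "ldap" not in sources:
            findings.append(f"{db}: ldap is not consulted")
        elif sources[0] != "files":
            findings.append(f"{db}: local files should be consulted before ldap")
    if "ldap" in dbs.get("shadow", "").split():
        findings.append("shadow: ldap listed although passwords are handled by Kerberos")
    return findings


# Constructed samples: the listings from this section, plus deliberately weak variants.
LDAP_CONF_PAGE = """\
host ldap.example.local
base dc=example,dc=com
binddn cn=nssproxy@example.com,ou=kerberos,dc=example,dc=com
bindpw nssproxyPassword
scope sub
pam_filter objectClass=posixAccount
nss_base_passwd         ou=people,dc=example,dc=com
nss_base_group          ou=group,dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/ssl/certs
"""
LDAP_CONF_WEAK = "\n".join(
    line for line in LDAP_CONF_PAGE.splitlines() if not line.startswith(("ssl ", "tls_"))
) + "\n"
NSSWITCH_PAGE = "passwd:      files ldap\nshadow:      files\ngroup:       files ldap\n"
NSSWITCH_WEAK = "passwd:      ldap files\nshadow:      files ldap\ngroup:       files ldap\n"


def write_sample(directory, name, content, mode):
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


def demo():
    """Write the constructed samples to a scratch directory and audit them."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "ldap_ok": audit_ldap_conf(write_sample(d, "ldap.conf", LDAP_CONF_PAGE, 0o640)),
            "ldap_weak": audit_ldap_conf(write_sample(d, "ldap-weak.conf", LDAP_CONF_WEAK, 0o644)),
            "nss_ok": audit_nsswitch(write_sample(d, "nsswitch.conf", NSSWITCH_PAGE, 0o644)),
            "nss_weak": audit_nsswitch(write_sample(d, "nsswitch-weak.conf", NSSWITCH_WEAK, 0o644)),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

Point audit_ldap_conf() and audit_nsswitch() at the real /etc/ldap.conf and /etc/nsswitch.conf on a client to run the same checks there.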

7.2. SSH configuration

I MUST CHECK THIS !!!! SINGLE SIGN ON... We must activate the following option in the file /etc/ssh/ssh_config on every machine of our network that may use ssh to connect to another one:

GSSAPIAuthentication yes
ANY OTHER GSSAPI OPTION NEEDED?????