Kerberos

Kerberos Client Configuration

Authentication Configuration

  • Run the following command on your redhat based distribution to enable kerberose/netID authentication 
    /usr/bin/authconfig --kickstart --disablecache --enablemd5 \
--enableldap --ldapserver "ldap.duke.edu" --ldapbasedn \
"ou=People,dc=duke,dc=edu" --enablekrb5 --krb5realm "ACPUB.DUKE.EDU" \
--krb5kdc "kaserv1.acpub.duke.edu:88,kaserv2.acpub.duke.edu:88" \
--krb5adminserver "kaserv1.acpub.duke.edu:749"
  • Sample /etc/krb5.conf file 
    ######
# KRB for linux connections
######

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 600
 default_realm = ACPUB.DUKE.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 ACPUB.DUKE.EDU = {
    kdc = kaserv1.acpub.duke.edu:88
    kdc = kaserv2.acpub.duke.edu:88
    admin_server = kaserv1.acpub.duke.edu:749
    default_domain = duke.edu
 }

[domain_realm]
  .duke.edu = ACPUB.DUKE.EDU
  .oit.duke.edu = ACPUB.DUKE.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = true
   afs_cells = acpub.duke.edu
 }

##
##

ACPUB.DUKE.EDU = {
                kdc = kaserv1.acpub.duke.edu:88
                kdc = kaserv2.acpub.duke.edu:88
                kdc = kaserv3.acpub.duke.edu:88
                default_domain = duke.edu
                string_to_key_type=mit_string_to_key
        }

[v4_domain_realm]
        .duke.edu = ACPUB.DUKE.EDU
        .oit.duke.edu = ACPUB.DUKE.EDU
        .acpub.duke.edu = ACPUB.DUKE.EDU
  • Sample /etc/ldap.conf file (for user information) 
    host ldap.duke.edu

# The distinguished name of the search base.
base dc=duke,dc=edu

ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

# needed to make lookups work for users who have their privacy flag set
nss_map_attribute       gecos   uid
  • Sample /etc/nsswitch.conf 
    #
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#   nis or yp       Use NIS (NIS version 2), also called YP
#   dns         Use DNS (Domain Name Service)
#   files           Use the local files
#   db          Use the local database (.db) files
#   compat          Use NIS on compat mode
#   hesiod          Use Hesiod for user lookups
#   ldap            Use LDAP (only if nss_ldap is installed)
#   nisplus or nis+     Use NIS+ (NIS version 3), unsupported
#   [NOTFOUND=return]   Stop searching if not found so far
#

passwd:     files ldap
shadow:     files ldap
group:      files 

hosts:      files dns

bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  files
automount:  files
aliases:    files

    •  

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>