References:
MIT Kerberos
The following RPMs will need to be installed:
krb5-libs
pam_krb5
krb5-workstation (optional for using commands like kinit, klist, kdestroy, kpasswd)
The /etc/krb5.conf should look something like this, depending on your Domain/Realm:

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = IOWA.UIOWA.EDU
 default_keytab_name = FILE:/etc/krb5.keytab

[domain_realm]
 uiowa.edu = IOWA.UIOWA.EDU
 its.uiowa.edu = IOWA.UIOWA.EDU
 iowa.uiowa.edu = IOWA.UIOWA.EDU

[logging]
 default = FILE:/var/log/krb5lib.log

[appdefaults]
 pam = {
  debug=false
  minimum_uid=15
 }

Note that a [domain_realm] entry without a leading dot (uiowa.edu) maps only that exact hostname to the realm; to map every host under a domain, use a leading-dot entry such as .uiowa.edu = IOWA.UIOWA.EDU. With dns_lookup_realm = false, this mapping is the only way the library learns the realm for a host.
The PAM configuration usually just means updating the two files below. As their headers warn, authconfig regenerates them, so rerunning authconfig will discard manual edits:
- /etc/pam.d/system-auth-ac
- /etc/pam.d/password-auth-ac
Here are our versions, which work on a RHEL6 system:
/etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 type= minlen=6
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
/etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 type= minlen=6
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
We recommend the minimum_uid=15 setting in the [appdefaults] pam block, so that pam_krb5 will not authenticate any of the Red Hat system-level accounts against AD. In the stacks above, the "auth requisite pam_succeed_if.so uid >= 500 quiet" line is what actually stops UIDs below 500 from ever reaching pam_krb5; minimum_uid is a second check enforced inside pam_krb5 itself, so it still applies to an application whose own PAM file calls pam_krb5.so without that gate. Some applications ship their own PAM configuration files that do not include system-auth or password-auth; those files need to be reviewed separately.
These PAM config files should be generic enough to work for most applications, but some may require other settings. Two points worth checking against your own site's policy: the system-auth-ac password stack above does not list pam_krb5.so, so a password change through that stack only updates the local shadow entry (password-auth-ac adds "password sufficient pam_krb5.so use_authtok" for that), and the "md5" option on pam_unix selects MD5 hashing for local account passwords, where RHEL6 also supports sha512.
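The following script is an added example, not part of the original page and not a Red Hat tool. It audits the two settings this page relies on to keep system accounts off AD: that pam_krb5.so in the auth stack sits behind a "pam_succeed_if.so uid >= N" gate, and that krb5.conf sets minimum_uid in its [appdefaults] pam block. The function names, the floor value of 500 and the sample files it writes to a temporary directory are all constructed here; point it at /etc/pam.d/system-auth-ac, /etc/pam.d/password-auth-ac and /etc/krb5.conf to check a real host.

```shell
#!/bin/sh
# Added example (not the page's own script): audit a PAM auth stack and
# krb5.conf for the uid gating this page depends on. Sample inputs below
# are constructed for the demonstration.

# pam_krb5_gated FILE FLOOR
# Exit 0 if every "auth ... pam_krb5.so" line in FILE comes after an
# "auth requisite pam_succeed_if.so uid >= N" line with N >= FLOOR;
# exit 1 otherwise. Comment lines never have "auth" as the first field,
# so they are skipped.
pam_krb5_gated() {
    awk -v floor="$2" '
        $1 == "auth" && $2 == "requisite" && $3 == "pam_succeed_if.so" &&
        $4 == "uid" && $5 == ">=" && ($6 + 0) >= (floor + 0) { gate = 1 }
        $1 == "auth" && $3 == "pam_krb5.so" && !gate { bad = 1 }
        END { exit bad }
    ' "$1"
}

# krb5_minimum_uid FILE
# Print the minimum_uid value found in the [appdefaults] section of FILE
# (handles both "minimum_uid=15" and "minimum_uid = 15"). Prints nothing
# if the setting is absent.
krb5_minimum_uid() {
    awk '
        /^\[/ { section = $1 }
        section == "[appdefaults]" && /minimum_uid *= */ {
            sub(/.*minimum_uid *= */, ""); sub(/[^0-9].*/, ""); print; exit
        }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the page's auth stack, pam_krb5 gated behind uid >= 500.
cat > "$tmp/system-auth-gated" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
EOF

# Constructed sample: the same stack with the gate removed, so root and the
# other uid < 500 accounts would be offered to the KDC as well.
cat > "$tmp/system-auth-ungated" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
EOF

# Constructed sample: the [appdefaults] block from the page's krb5.conf.
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = IOWA.UIOWA.EDU
[appdefaults]
 pam = {
  debug=false
  minimum_uid=15
 }
EOF

for stack in system-auth-gated system-auth-ungated; do
    if pam_krb5_gated "$tmp/$stack" 500; then
        echo "$stack: pam_krb5 gated behind uid >= 500"
    else
        echo "$stack: WARNING pam_krb5 reachable for uid < 500"
    fi
done
echo "krb5.conf minimum_uid = $(krb5_minimum_uid "$tmp/krb5.conf")"
```

The gate check is order-sensitive on purpose: a pam_succeed_if line placed after pam_krb5.so does nothing, because PAM has already consulted the KDC by the time it runs.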