References:
MIT Kerberos

The following RPM's will need to be loaded:
krb5-libs
pam_krb5
krb5-workstation (optional for using commands like kinit, klist, kdestroy, kpasswd)

The /etc/krb5.conf should look something like this depending on your Domain/Realm:
 

[libdefaults]

    default_realm = IOWA.UIOWA.EDU
    default_keytab_name = FILE:/etc/krb5.keytab

[domain_realm]

    uiowa.edu = IOWA.UIOWA.EDU
    its.uiowa.edu = IOWA.UIOWA.EDU
    iowa.uiowa.edu = IOWA.UIOWA.EDU
    
[logging]

    default = FILE:/var/log/krb5lib.log

[appdefaults]

    pam = {  
         debug=false
         minimum_uid=15
    }
    

The PAM configuration usually just means updating

  • /etc/pam.d/system-auth-ac
  • /etc/pam.d/password-auth-ac
     

Here are our versions which work on a RHEL6 system

/etc/pam.d/system-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 type= minlen=6
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

/etc/pam.d/password-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 type= minlen=6
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

We recommend using the minimum_uid setting of 15, as that will not allow any of the  system-level accounts in Red Hat to be authenticated against AD. There might also be  some other applications that have PAM configuration files that do not reference the  system-auth or password-auth module.

These PAM config files should be generic enough to work for most applications, but some may require other settings.

Article number: 
100409
Last updated: 
May 19, 2016
Service: