Kerberos - shawfdong/hyades GitHub Wiki
/etc/krb5.conf (note `allow_weak_crypto = true`, which lets the libraries negotiate weak enctypes such as single DES; keep it only as long as the KDC still requires them):
```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CATS.UCSC.EDU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true

[realms]
 CATS.UCSC.EDU = {
  kdc = kerberos.ucsc.edu:88
  kdc = kerberos-1.ucsc.edu:88
  kdc = kerberos-2.ucsc.edu:88
  admin_server = kerberos.ucsc.edu:749
 }

[domain_realm]
 .ucsc.edu = CATS.UCSC.EDU
 ucsc.edu = CATS.UCSC.EDU
```
Update PAM:
```
authconfig --enablekrb5 --update
```
which will update system-auth-ac, password-auth-ac, fingerprint-auth-ac, and smartcard-auth-ac (all in /etc/pam.d/).
SoE appears to use LDAP for identity (the NSS lookups below) and both LDAP and Kerberos for authentication.
/etc/nsswitch.conf:
```
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
```
/etc/krb5.conf:
```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SOE.UCSC.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SOE.UCSC.EDU = {
  kdc = kerberos-01.soe.ucsc.edu:88
  kdc = kerberos-02.soe.ucsc.edu:88
  kdc = kerberos-03.soe.ucsc.edu:88
  admin_server = kerberos-01.soe.ucsc.edu:749
 }

[domain_realm]
 cse.ucsc.edu = SOE.UCSC.EDU
 .cse.ucsc.edu = SOE.UCSC.EDU
 soe.ucsc.edu = SOE.UCSC.EDU
 .soe.ucsc.edu = SOE.UCSC.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
```
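Both krb5.conf listings above use the MIT profile format: `[section]` headers, `key = value` lines, repeated keys (several `kdc` entries), and brace-delimited subsections per realm. The following is an added example, not code from the hyades project: a small parser for that format plus an audit that flags the two things a reviewer would check in the files shown here, `allow_weak_crypto = true` and a realm with no `kdc` line. The sample file is constructed and modelled on the CATS.UCSC.EDU listing; the `EXAMPLE.TEST` realm is a hypothetical entry added so the missing-kdc check has something to report.

```python
"""Parse /etc/krb5.conf (MIT profile format) and flag risky settings.

Added example for this wiki page; not part of the hyades project.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the CATS.UCSC.EDU file shown on this page.
# EXAMPLE.TEST is a hypothetical realm with no kdc entry, added for the audit.
SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
[libdefaults]
 default_realm = CATS.UCSC.EDU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 allow_weak_crypto = true
[realms]
 CATS.UCSC.EDU = {
  kdc = kerberos.ucsc.edu:88
  kdc = kerberos-1.ucsc.edu:88
  admin_server = kerberos.ucsc.edu:749
 }
 EXAMPLE.TEST = {
  admin_server = kdc.example.test:749
 }
[domain_realm]
 .ucsc.edu = CATS.UCSC.EDU
"""

# A section maps keys to a string, a list of strings (repeated key),
# or a nested dict (brace-delimited subsection such as a realm block).
Section = Dict[str, object]


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Return {section: {key: value | [values] | {nested}}}."""
    sections: Dict[str, Section] = {}
    stack: List[Section] = []          # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        header = re.fullmatch(r'\[(\w+)\]', line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f'key outside any section: {line!r}')
        if line == '}':
            if len(stack) < 2:
                raise ValueError('unbalanced }')
            stack.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition('='))
        if not sep:
            raise ValueError(f'malformed line: {line!r}')
        current = stack[-1]
        if value == '{':                       # open a nested block
            stack.append(current.setdefault(key, {}))
        elif key not in current:
            current[key] = value
        elif isinstance(current[key], list):   # third or later repeat
            current[key].append(value)
        else:                                  # second occurrence -> list
            current[key] = [current[key], value]
    if len(stack) > 1:
        raise ValueError('unterminated { block')
    return sections


def audit_krb5_conf(conf: Dict[str, Section]) -> List[str]:
    """Findings a reviewer would raise for the config shown on this page."""
    findings: List[str] = []
    libdefaults = conf.get('libdefaults', {})
    weak = str(libdefaults.get('allow_weak_crypto', 'false')).lower()
    if weak in ('true', 'yes', '1'):
        findings.append('libdefaults: allow_weak_crypto is enabled '
                        '(permits weak enctypes such as single DES)')
    for realm, settings in conf.get('realms', {}).items():
        if not isinstance(settings, dict) or 'kdc' not in settings:
            findings.append(f'realms: {realm} has no kdc entry '
                            '(clients would fall back to DNS or fail)')
    return findings


if __name__ == '__main__':
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in audit_krb5_conf(parsed):
        print(finding)
```

Run it against a real file with `parse_krb5_conf(open('/etc/krb5.conf').read())`; the parser deliberately raises on unbalanced braces rather than guessing, since a truncated realm block is exactly the kind of edit that silently breaks KDC lookup.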
/etc/openldap/ldap.conf:
```
#cfmotor
host ldap-99.soe.ucsc.edu
ssl on
base dc=soe,dc=ucsc,dc=edu
ldap_version 3
scope sub
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 20
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
pam_password_prohibit_message Please visit https://support.soe.ucsc.edu/change-password to change your password.
```
/etc/pam.d/system-auth:
```
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 100 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
```
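The stack above is the pattern authconfig writes: local `pam_unix` first, a `pam_succeed_if` gate so system accounts never hit the network, then `pam_krb5` and `pam_ldap` as `sufficient` with `use_first_pass`, and a closing `required pam_deny.so`. The following is an added example, not code from the hyades project: a parser for PAM stack lines (including the bracketed `[default=bad success=ok ...]` control form) and two checks derived from that pattern, that the `auth` and `password` stacks end with the explicit `pam_deny.so` terminator and that the network auth modules reuse the already-typed password rather than prompting a second time. The two configs embedded in the block are constructed; the first mirrors the listing above, the second is a deliberately weakened variant for the checks to catch.

```python
"""Parse /etc/pam.d/system-auth and check the authconfig-style stack shape.

Added example for this wiki page; not part of the hyades project.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample mirroring the system-auth listing on this page.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 100 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""

# Constructed weakened variant: pam_ldap prompts on its own and neither the
# auth nor the password stack is closed with pam_deny.so.
WEAK_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
"""

_LINE = re.compile(
    r'^(auth|account|password|session)\s+'   # stack type
    r'(\[[^\]]*\]|\S+)\s+'                   # control: word or [k=v ...]
    r'(\S+)\s*(.*)$')                        # module path and its arguments


@dataclass
class PamEntry:
    type: str
    control: str
    module: str
    args: List[str] = field(default_factory=list)


def parse_pam(text: str) -> List[PamEntry]:
    """Return the stack entries in file order; '#' starts a comment."""
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f'unrecognised PAM line: {line!r}')
        stack_type, control, module, rest = m.groups()
        entries.append(PamEntry(stack_type, control, module, rest.split()))
    return entries


NETWORK_AUTH_MODULES = {'pam_krb5.so', 'pam_ldap.so'}
PASS_REUSE = {'use_first_pass', 'try_first_pass'}


def audit_pam(entries: List[PamEntry]) -> List[str]:
    """Report deviations from the authconfig-style stack shown on this page."""
    findings: List[str] = []
    for stack_type in ('auth', 'password'):
        stack = [e for e in entries if e.type == stack_type]
        last = stack[-1] if stack else None
        if last is None or (last.control, last.module) != ('required', 'pam_deny.so'):
            findings.append(f'{stack_type}: stack does not end with '
                            '"required pam_deny.so" (no explicit fail-closed terminator)')
    for e in entries:
        if e.type == 'auth' and e.module in NETWORK_AUTH_MODULES \
                and not (PASS_REUSE & set(e.args)):
            findings.append(f'auth: {e.module} lacks use_first_pass/try_first_pass '
                            '(will prompt for the password a second time)')
    return findings


if __name__ == '__main__':
    for name, text in (('system-auth', SYSTEM_AUTH), ('weak', WEAK_AUTH)):
        print(name, audit_pam(parse_pam(text)) or ['ok'])
```

The bracket control form has to be parsed as a single token, otherwise `[default=bad` would be taken as the control and `success=ok` as the module; that is the one place a naive `split()` on these files goes wrong.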