Kerberos - shawfdong/hyades GitHub Wiki

UCSC

/etc/krb5.conf (note the allow_weak_crypto setting):

# Client-side MIT krb5 configuration for the CATS.UCSC.EDU realm.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CATS.UCSC.EDU
 # Realm and KDC discovery through DNS (TXT and SRV records). The realm mapping
 # obtained this way is only as trustworthy as the resolver path; since the
 # [domain_realm] section below already maps ucsc.edu statically,
 # dns_lookup_realm could be set to false without losing anything here.
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 # Forwardable TGTs allow a remote host to obtain tickets on the user's behalf
 # (credential delegation); only needed where that delegation is wanted.
 forwardable = true
 # Re-enables weak encryption types (single DES and friends) that MIT krb5
 # filters out by default. Keep it only while principals or services in the
 # realm still depend on such keys; remove once they have been rekeyed.
 allow_weak_crypto = true

[realms]
 CATS.UCSC.EDU = {
  # Three KDCs for redundancy, plus the kadmin server on its own port.
  kdc = kerberos.ucsc.edu:88
  kdc = kerberos-1.ucsc.edu:88
  kdc = kerberos-2.ucsc.edu:88
  admin_server = kerberos.ucsc.edu:749
 }

[domain_realm]
 # Static host-to-realm mapping: the bare domain and every host under it.
 .ucsc.edu = CATS.UCSC.EDU
 ucsc.edu = CATS.UCSC.EDU

Update PAM:

# Turns on pam_krb5 in the authconfig-managed stacks; --update regenerates the
# *-ac files in /etc/pam.d, so any manual edits made to those files are lost.
authconfig --enablekrb5 --update

This updates system-auth-ac, password-auth-ac, fingerprint-auth-ac, and smartcard-auth-ac (all in /etc/pam.d/).

Jack Baskin School of Engineering

SoE appears to use LDAP for identity and both LDAP and Kerberos for authentication.

/etc/nsswitch.conf:

# NSS source order: local files are consulted first, then LDAP for users,
# groups, netgroups and automount maps.
passwd:     files ldap
# Shadow data from LDAP: directory servers normally only return password
# attributes to a privileged bind, and the ldap.conf below shows no bind
# credentials — confirm whether shadow lookups actually work for LDAP users.
shadow:     files ldap
group:      files ldap
hosts:      files dns
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
# The nisplus sources look like leftovers from an earlier setup; with no NIS+
# server configured they are presumably inert — verify before relying on them.
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

/etc/krb5.conf:

# MIT krb5 configuration for the SOE.UCSC.EDU realm (client side, plus two
# sections that only matter to the KDC and to pam_krb5).
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SOE.UCSC.EDU
 # Realm and KDC discovery is static here (no DNS TXT/SRV lookups), so the
 # [realms] and [domain_realm] sections below must list every KDC and domain.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 # Forwardable TGTs allow a remote host to obtain tickets on the user's behalf.
 forwardable = yes

[realms]
SOE.UCSC.EDU = {
  # Three KDCs for redundancy; kadmin lives on the first one.
  kdc = kerberos-01.soe.ucsc.edu:88
  kdc = kerberos-02.soe.ucsc.edu:88
  kdc = kerberos-03.soe.ucsc.edu:88
  admin_server = kerberos-01.soe.ucsc.edu:749
 }

[domain_realm]
 # Both the bare domains and every host beneath them map to SOE.UCSC.EDU.
 cse.ucsc.edu = SOE.UCSC.EDU
 .cse.ucsc.edu = SOE.UCSC.EDU
 soe.ucsc.edu = SOE.UCSC.EDU
 .soe.ucsc.edu = SOE.UCSC.EDU
# [kdc] is consumed by the KDC daemon, not by client libraries; on a client
# this section is presumably inert — confirm whether the file was copied from
# a KDC host.
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

# Settings read by pam_krb5. The lifetimes here appear to be in seconds
# (36000 = 10h, shorter than the 24h [libdefaults] value) — confirm which one
# wins for PAM logins. krb4_convert is a Kerberos 4 leftover and is off.
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

/etc/openldap/ldap.conf:

#cfmotor
# NOTE(review): keywords such as bind_policy, tls_checkpeer and
# pam_password_prohibit_message are nss_ldap/pam_ldap options, which are
# usually read from /etc/ldap.conf rather than the OpenLDAP library's
# /etc/openldap/ldap.conf — confirm which file the modules actually consult.
# Directory server; "ssl on" means LDAPS from the first byte, not STARTTLS.
host ldap-99.soe.ucsc.edu
ssl on
base dc=soe,dc=ucsc,dc=edu
ldap_version 3
scope sub
timelimit 30
bind_timelimit 30
# No binddn/bindpw appear here, so lookups are presumably anonymous binds.
# "soft" stops the client retrying an unreachable server; this affects
# availability rather than authentication strength.
bind_policy soft
idle_timelimit 20
# The server certificate is verified against the CAs in tls_cacertdir. Keep
# both lines: without tls_checkpeer, "ssl on" encrypts the session but does
# not authenticate the server.
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
# pam_ldap refuses password changes and shows this message instead, steering
# users to the web tool.
pam_password_prohibit_message Please visit https://support.soe.ucsc.edu/change-password to change your password.

/etc/pam.d/system-auth:

# Authentication stack: local accounts (pam_unix) first, then Kerberos, then
# LDAP; each backend is "sufficient", so the first success ends the stack.
auth        required      pam_env.so
# nullok lets a local account with an empty password field log in without a
# password; drop it unless such accounts are intentionally kept.
auth        sufficient    pam_unix.so nullok try_first_pass
# System accounts (uid < 100) stop here: "requisite" fails the stack at once,
# so they never reach the Kerberos or LDAP modules.
auth        requisite     pam_succeed_if.so uid >= 100 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
# System accounts skip the network account checks below.
account     sufficient    pam_succeed_if.so uid < 100 quiet
# A user unknown to LDAP or Kerberos is ignored so that local-only accounts
# still pass; any other failure from these modules (expired, locked) is fatal.
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
# Local hashes are stored as MD5 crypt; sha512 (authconfig --passalgo=sha512,
# where the installed authconfig supports it) is the stronger choice. Because
# pam_unix is "sufficient", a successful local change ends the stack and the
# Kerberos/LDAP backends below are only reached when pam_unix cannot change
# the password (e.g. a non-local user).
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
# Last resort; the ldap.conf above sets pam_password_prohibit_message, so this
# module refuses the change and prints that message.
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# For the crond service, success=1 skips the next module (the pam_unix
# session entry); every other service falls through to it.
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so