Workstation authentication

From Livedoc - The Documentation Repository

This page is not a complete reference for how workstations authenticate; to understand the system fully you will also need the Kerberos documentation and the documentation for each individual component described here.

/etc/krb5.conf

Make sure kdc and admin_server are set for both the CSL.TJHSST.EDU and LOCAL.TJHSST.EDU realms:

[libdefaults]
  default_realm = CSL.TJHSST.EDU
  allow_weak_crypto = true
  krb4_config = /etc/krb.conf
  krb4_realms = /etc/krb.realms
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  dns_lookup_realm = true
  dns_lookup_kdc = true
  renew_lifetime = 240h
[realms]
  CSL.TJHSST.EDU = {
    kdc = centauri.csl.tjhsst.edu
    admin_server = centauri.csl.tjhsst.edu
  }

  LOCAL.TJHSST.EDU = {
    kdc = 198.38.27.6
    kdc = tj05.local.tjhsst.edu
    kdc = tj07.local.tjhsst.edu
    admin_server = tj07.local.tjhsst.edu
  }
[domain_realm]
  tjhsst.edu = CSL.TJHSST.EDU
  .tjhsst.edu = CSL.TJHSST.EDU
  csl.tjhsst.edu = CSL.TJHSST.EDU
  .csl.tjhsst.edu = CSL.TJHSST.EDU
  local.tjhsst.edu = LOCAL.TJHSST.EDU
  .local.tjhsst.edu = LOCAL.TJHSST.EDU
[appdefaults]
pam = {
  minimum_uid = 1000
}

/etc/pam.d/system-auth

PAM is responsible for verifying user credentials. This file describes the module stack used to do that:

auth            required        pam_env.so
auth            sufficient      pam_unix.so likeauth nullok
auth            sufficient      /lib/security/pam_krb5.so use_first_pass fail_pwchange
auth            sufficient      /lib/security/pam_krb5.so use_first_pass realm=LOCAL.TJHSST.EDU fail_pwchange
auth            required        pam_deny.so

account         sufficient      pam_unix.so
account         required        /lib/security/pam_krb5.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so nullok sha512 shadow use_authtok
password        sufficient      /lib/security/pam_krb5.so use_authtok fail_pwchange
password        sufficient      /lib/security/pam_krb5.so use_authtok realm=LOCAL.TJHSST.EDU fail_pwchange
password        required        pam_deny.so

session         required        pam_limits.so
session         required        pam_unix.so
session         optional        /lib/security/pam_krb5.so
session         optional        pam_afs_session.so retain_after_close aklog_homedir always_aklog

You'll need the pam_krb5 package.
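As an added illustration (not part of this Livedoc page), the following Python models how Linux-PAM walks the auth lines above, applying the required/sufficient control-flag rules and the minimum_uid = 1000 setting from the [appdefaults] pam block in krb5.conf. Module outcomes are simulated from a constructed user record rather than taken from real PAM modules, and treating a below-minimum_uid user as a plain non-success of pam_krb5 is an assumption.

```python
AUTH_STACK = """\
auth            required        pam_env.so
auth            sufficient      pam_unix.so likeauth nullok
auth            sufficient      /lib/security/pam_krb5.so use_first_pass fail_pwchange
auth            sufficient      /lib/security/pam_krb5.so use_first_pass realm=LOCAL.TJHSST.EDU fail_pwchange
auth            required        pam_deny.so
"""

def parse_stack(text):
    """(control, module basename, args) for each non-comment line."""
    rules = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            _type, control, module, *args = line.split()
            rules.append((control, module.rsplit("/", 1)[-1], args))
    return rules

def run_module(module, args, user):
    """Simulated outcome of one module: True = PAM_SUCCESS, False = anything else.
    user is a constructed dict: uid, password (as typed; use_first_pass reuses it),
    shadow_hash (None = no local entry, "" = empty field), kdc_password per realm."""
    if module == "pam_env.so":
        return True
    if module == "pam_deny.so":
        return False
    if module == "pam_unix.so":
        shadow = user.get("shadow_hash")
        if shadow is None:
            return False
        if shadow == "":                   # empty password field in /etc/shadow
            return "nullok" in args        # accepted only because of nullok
        return user["password"] == shadow  # stand-in for the real hash comparison
    if module == "pam_krb5.so":
        if user["uid"] < 1000:             # [appdefaults] pam minimum_uid = 1000
            return False                   # assumption: modelled as not-success
        realm = next((a[6:] for a in args if a.startswith("realm=")), "CSL.TJHSST.EDU")
        return user.get("kdc_password", {}).get(realm) == user["password"]
    raise ValueError(f"no simulation for {module}")

def pam_authenticate(rules, user):
    """A failed required module poisons the final result but the stack keeps running;
    a successful sufficient module ends the stack unless a required one already failed."""
    required_failed = False
    for control, module, args in rules:
        ok = run_module(module, args, user)
        if control == "required" and not ok:
            required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return True, module
    return False, "pam_deny.so"
```

Running a user with a matching local hash through the stack shows that pam_unix, being sufficient, short-circuits before either pam_krb5 line is consulted, and a user whose password is only known to the LOCAL.TJHSST.EDU KDC is accepted by the second pam_krb5 line after the first (default realm CSL.TJHSST.EDU) fails.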

/etc/nsswitch.conf

This defines how to look up users and groups, among other things. You should at least have:

passwd: compat ldap
group: compat ldap

since our users and groups are stored in LDAP.

/etc/ldap.conf

This file configures nslcd, the daemon that answers NSS LDAP lookups. You'll need something like this:

base dc=csl,dc=tjhsst,dc=edu
uri ldap://openldap1.csl.tjhsst.edu/
uri ldap://openldap2.csl.tjhsst.edu/
bind_timelimit 2
bind_policy soft
nss_base_passwd         ou=people,
nss_base_group          ou=group,