Workstation authentication

From Livedoc - The Documentation Repository

This page isn't meant to be a complete reference to how workstations authenticate; you'll need to read the Kerberos documentation, along with the documentation of the individual components of this system, to understand it completely.


Make sure the kdc and admin_server entries are set for both the CSL and LOCAL realms:

  default_realm = CSL.TJHSST.EDU
  allow_weak_crypto = true
  krb4_config = /etc/krb.conf
  krb4_realms = /etc/krb.realms
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  dns_lookup_realm = true
  dns_lookup_kdc = true
  renew_lifetime = 240h
    kdc =
    admin_server =

    kdc =
    kdc =
    kdc =
    admin_server =
pam = {
  minimum_uid = 1000
}

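As an added example (not part of the Livedoc page and not CSL tooling), the following Python script parses a krb5.conf and checks the point made above: that every required realm carries both a kdc and an admin_server entry. The sample configuration is constructed from the settings shown on this page; the KDC hostnames are placeholders, not the real CSL servers, and one realm is deliberately left without admin_server so the check has something to report. It also flags allow_weak_crypto = true so that whoever runs it sees that the workstation accepts the weak krb4-era enctypes.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the page's krb5.conf. Hostnames are
# placeholders (example.invalid), not the CSL's actual KDCs.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = CSL.TJHSST.EDU
  allow_weak_crypto = true
  forwardable = true
  renew_lifetime = 240h

[realms]
  CSL.TJHSST.EDU = {
    kdc = kdc1.example.invalid
    admin_server = kdc1.example.invalid
  }
  LOCAL.TJHSST.EDU = {
    kdc = kdc2.example.invalid
  }
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse krb5.conf into {section: {key: value}} with 'NAME = { ... }' blocks
    stored as nested dicts whose values are lists (a realm may list several kdc lines)."""
    sections: Dict[str, dict] = {}
    section = None
    block = None  # name of the currently open "NAME = {" block, if any
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f'key outside any section: {line}')
        if line == '}':
            block = None
            continue
        m = re.match(r'^([\w.\-]+)\s*=\s*\{$', line)
        if m:
            block = m.group(1)
            section.setdefault(block, {})
            continue
        m = re.match(r'^([\w.\-]+)\s*=\s*(.*)$', line)
        if not m:
            raise ValueError(f'unparseable line: {line}')
        key, value = m.group(1), m.group(2).strip()
        if block is not None:
            section[block].setdefault(key, []).append(value)
        else:
            section[key] = value
    return sections


def check_realms(conf: Dict[str, dict],
                 required_realms=('CSL.TJHSST.EDU', 'LOCAL.TJHSST.EDU')) -> List[str]:
    """Return a list of problems; an empty list means each required realm has a
    non-empty kdc and admin_server, and weak crypto is not enabled."""
    problems: List[str] = []
    realms = conf.get('realms', {})
    for realm in required_realms:
        entry = realms.get(realm)
        if entry is None:
            problems.append(f'{realm}: missing from [realms]')
            continue
        for key in ('kdc', 'admin_server'):
            # "kdc =" with nothing after it parses as an empty value: treat as unset
            if not [v for v in entry.get(key, []) if v]:
                problems.append(f'{realm}: {key} not set')
    if conf.get('libdefaults', {}).get('allow_weak_crypto') == 'true':
        problems.append('libdefaults: allow_weak_crypto = true (weak krb4-era enctypes accepted)')
    return problems


if __name__ == '__main__':
    for problem in check_realms(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print(problem)
```

To run it against a real workstation, replace SAMPLE_KRB5_CONF with the contents of /etc/krb5.conf; the parser only handles the [section] / key = value / NAME = { ... } forms shown on this page, not include directives.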

PAM is responsible for verifying user credentials. This file describes how to do that:

auth            required
auth            sufficient likeauth nullok
auth            sufficient      /lib/security/ use_first_pass fail_pwchange
auth            sufficient      /lib/security/ use_first_pass realm=LOCAL.TJHSST.EDU fail_pwchange
auth            required

account         sufficient
account         required        /lib/security/

password        required difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient nullok sha512 shadow use_authtok
password        sufficient      /lib/security/ use_authtok fail_pwchange
password        sufficient      /lib/security/ use_authtok realm=LOCAL.TJHSST.EDU fail_pwchange
password        required

session         required
session         required
session         optional        /lib/security/
session         optional retain_after_close aklog_homedir always_aklog

You'll need the pam_krb5 package.
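The stacks above rely on the ordering of "sufficient" and "required" lines: a sufficient module that succeeds ends the stack early, and the trailing required line is what decides the result when every sufficient module has failed. As an added example (not from this page and not CSL code), here is a small auditor that parses a pam.d-style file and reports two things a reviewer would look for: a stack that ends on a sufficient or optional line after sufficient entries, and nullok on an auth line, which lets accounts with an empty password log in. The sample file is constructed; the module names in it (pam_env, pam_unix, pam_krb5, pam_deny, pam_cracklib, pam_limits) are assumptions, since the page's listing does not show them.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the shape of the page's PAM file. Module names are
# assumed; the page's own listing has them stripped.
SAMPLE_PAM = """\
auth      required   pam_env.so
auth      sufficient pam_unix.so likeauth nullok
auth      sufficient pam_krb5.so use_first_pass fail_pwchange
auth      sufficient pam_krb5.so use_first_pass realm=LOCAL.TJHSST.EDU fail_pwchange
auth      required   pam_deny.so

account   sufficient pam_unix.so
account   required   pam_krb5.so

password  required   pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password  sufficient pam_unix.so nullok sha512 shadow use_authtok
password  sufficient pam_krb5.so use_authtok fail_pwchange
password  required   pam_deny.so

session   required   pam_limits.so
session   sufficient pam_krb5.so retain_after_close
"""

CONTROLS = {'required', 'requisite', 'sufficient', 'optional', 'include', 'substack'}

Entry = Tuple[str, str, List[str]]  # (control, module, args)


def parse_pam(text: str) -> Dict[str, List[Entry]]:
    """Group the lines of a pam.d file by module type, keeping their order.
    Bracketed [value=action ...] controls are not handled and raise."""
    stacks: Dict[str, List[Entry]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] not in CONTROLS:
            raise ValueError(f'unsupported PAM line: {line}')
        mtype, control, module, *args = parts
        stacks[mtype].append((control, module, args))
    return dict(stacks)


def audit_pam(stacks: Dict[str, List[Entry]]) -> List[str]:
    """Return findings about each stack's structure, in file order."""
    findings: List[str] = []
    for mtype, entries in stacks.items():
        last_control = entries[-1][0]
        has_sufficient = any(c == 'sufficient' for c, _, _ in entries)
        if has_sufficient and last_control not in ('required', 'requisite'):
            findings.append(f'{mtype}: stack ends with "{last_control}" after sufficient '
                            f'entries; no explicit required line decides the fall-through case')
        for control, module, args in entries:
            if mtype == 'auth' and 'nullok' in args:
                findings.append(f'auth: {module} has nullok (accounts with an empty '
                                f'password can authenticate through it)')
    return findings


if __name__ == '__main__':
    for finding in audit_pam(parse_pam(SAMPLE_PAM)):
        print(finding)
```

On the sample it reports the nullok on the auth line and the session stack, which ends on a sufficient line; the auth, account and password stacks pass because each one ends with a required line, as on this page.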


This defines how to look up users and groups, among other things. You should at least have:

passwd: compat ldap
group: compat ldap

since our users and groups are stored in LDAP.


This file configures nslcd, the daemon that answers the NSS LDAP lookups. You'll need something like this:

base dc=csl,dc=tjhsst,dc=edu
uri ldap://
uri ldap://
bind_timelimit 2
bind_policy soft
nss_base_passwd         ou=people,
nss_base_group          ou=group,
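As an added example (not part of the page, not CSL tooling), this script parses an nsswitch.conf and an nslcd.conf together and checks that they agree: every database that nsswitch sends to ldap has a matching nss_base_* line in nslcd.conf, at least one uri is configured, and each plain ldap:// uri is reported unless ssl start_tls is also set, since NSS lookups over ldap:// travel unencrypted. Both sample files are constructed from the settings on this page; the LDAP hostnames are placeholders, and the behaviour of nslcd itself is not modelled, only its configuration.

```python
from typing import Dict, List

# Constructed samples in the shape of the page's nsswitch.conf and nslcd.conf.
# LDAP hostnames are placeholders (example.invalid), not the CSL's servers.
SAMPLE_NSSWITCH = """\
passwd: compat ldap
group:  compat ldap
shadow: compat
hosts:  files dns
"""

SAMPLE_NSLCD = """\
base dc=csl,dc=tjhsst,dc=edu
uri ldap://ldap1.example.invalid
uri ldap://ldap2.example.invalid
bind_timelimit 2
bind_policy soft
nss_base_passwd ou=people,dc=csl,dc=tjhsst,dc=edu
nss_base_group  ou=group,dc=csl,dc=tjhsst,dc=edu
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each NSS database to its ordered list of sources."""
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        name, _, sources = line.partition(':')
        dbs[name.strip()] = sources.split()
    return dbs


def parse_nslcd(text: str) -> Dict[str, List[str]]:
    """Map each nslcd.conf option to the list of values given for it
    (uri may legitimately appear more than once)."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(' ')
        opts.setdefault(key, []).append(value.strip())
    return opts


def check_ldap_nss(nsswitch: Dict[str, List[str]], nslcd: Dict[str, List[str]],
                   required=('passwd', 'group')) -> List[str]:
    """Return problems found; empty means nsswitch and nslcd agree for the
    required databases and the LDAP transport is protected."""
    problems: List[str] = []
    for db in required:
        if 'ldap' not in nsswitch.get(db, []):
            problems.append(f'nsswitch: {db} does not consult ldap')
        elif f'nss_base_{db}' not in nslcd:
            problems.append(f'nslcd: no nss_base_{db} line for a database served from ldap')
    uris = nslcd.get('uri', [])
    if not uris:
        problems.append('nslcd: no uri configured')
    start_tls = 'start_tls' in nslcd.get('ssl', [])
    for uri in uris:
        if uri.startswith('ldap://') and not start_tls:
            problems.append(f'nslcd: {uri} is plain ldap:// without ssl start_tls; lookups are unencrypted')
    return problems


if __name__ == '__main__':
    for problem in check_ldap_nss(parse_nsswitch(SAMPLE_NSSWITCH), parse_nslcd(SAMPLE_NSLCD)):
        print(problem)
```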