Configure Active DIR/Kerberos on Ubuntu and Red Hat

Ubuntu 10.04
  • copy /etc/krb5.conf from everest to /etc/
  • sudo apt-get install libpam-krb5
  • sudo pam-auth-update
Ubuntu 8.04
  • Install necessary packages
  $ sudo apt-get-install heimdal-clients libpam-heimdal
  • Configure Kerberos with the details of the AD realm and IP addresses, /etc/krb5.conf (copy it from everest)
  • Update the PAM configuration to check for Kerberos accounts, /etc/pam.d/common-auth, choose whether you want a Kerberos login prompt or a regular prompt first.

#

  # /etc/pam.d/common-auth - authentication settings common to all services
  #
  # This file is included from other service-specific PAM config files,
  # and should contain a list of the authentication modules that define
  # the central authentication scheme for use on the system
  # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
  # traditional Unix authentication mechanisms.
  #
  auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
  auth    sufficient      pam_unix.so likeauth nullok_secure use_first_pass
  auth    required        pam_deny.so
  • To manage the Kerberos tickets update /etc/pam.d/common-session
  #
  # /etc/pam.d/common-session - session-related modules common to all services
  #
  # This file is included from other service-specific PAM config files,
  # and should contain a list of modules that define tasks to be performed
  # at the start and end of sessions of *any* kind (both interactive and
  # non-interactive).  The default is pam_unix.
  #
  session required        pam_unix.so
  session optional        pam_foreground.so
  session optional        pam_krb5.so minimum_uid=1000 

Red Hat Specific

  • rpm -qa | grep pam
  • Make sure you have: pam_krb5-2.2.14-10
  • copy over system-auth from everest (update if necessary)
  • Make sure that the clock is insync, otherwise auth will fail
  • Add users to wheel group for sudo privilege
  • use authconfig-tui to configure pan to use krb

Reference