PAM

The following instructions will configure a system with local users to optionally obtain Kerberos tickets on login. For this to work the local user must have the same login and password as the corresponding ETH user name.

Before performing the steps below, please make sure that you have completed the steps for the minimal kerberos configuration.

Fedora, CentOS and RHEL

Install the following packages:

# yum install -y krb5-workstation pam_krb5

Then make the following changes:

  • Delete the symbolic link /etc/pam.d/password-auth and create a new file with the same name as a copy of /etc/pam.d/password-auth-ac:
rm -f /etc/pam.d/password-auth
cp -a /etc/pam.d/password-auth-ac /etc/pam.d/password-auth
  • Do the same for /etc/pam.d/system-auth:
rm -f /etc/pam.d/system-auth
cp -a /etc/pam.d/system-auth-ac /etc/pam.d/system-auth
  • Edit both files and add the following line just before the line beginning with auth sufficient pam_unix.so ...:
auth        sufficient    pam_krb5.so try_first_pass minimum_uid=1000
  • Also add the following line as the last one in the block with the lines beginning with session:
session     optional      pam_krb5.so

Ubuntu

Install the following packages:

$ sudo apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config

Add the file /usr/share/pam-configs/krb5-local with the following content to add a PAM profile for local users to optionally get a ticket:

Name: Kerberos authentication for local users
Default: yes
Priority: 706
Conflicts: krb5
Auth-Type: Additional
Auth:
	[success=end default=ignore]	pam_krb5.so minimum_uid=1000 try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_krb5.so minimum_uid=1000
Session-Type: Additional
Session:
	optional			pam_krb5.so minimum_uid=1000

Run pam-auth-update and activate Kerberos authentication for local users and keep Kerberos authentication disabled.

Page URL: https://isg.inf.ethz.ch/bin/view/Main/HelpDesktopsAndLaptopsLinuxKerberosPAM
2019-11-18
© 2019 Eidgenössische Technische Hochschule Zürich