PAM
The following instructions will configure a system with local users to optionally obtain Kerberos tickets on login. For this to work the local user must have the same login and password as the corresponding ETH user name.
Fedora, CentOS and RHEL
Install the following packages:
# yum install -y krb5-workstation pam_krb5
Then make the following changes:
- Delete the symbolic link /etc/pam.d/password-auth and create a new file with the same name as a copy of /etc/pam.d/password-auth-ac:
rm -f /etc/pam.d/password-auth
cp -a /etc/pam.d/password-auth-ac /etc/pam.d/password-auth
- Do the same for /etc/pam.d/system-auth:
rm -f /etc/pam.d/system-auth
cp -a /etc/pam.d/system-auth-ac /etc/pam.d/system-auth
- Edit both files and add the following line just before the line beginning with "auth sufficient pam_unix.so ...":
auth sufficient pam_krb5.so try_first_pass minimum_uid=1000
- Also add the following line as the last one in the block with the lines beginning with "session":
session optional pam_krb5.so
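The two edits above can be scripted so that they are repeatable and cannot leave a half-edited PAM file behind. The following is an added example, not part of the original instructions; the function names pam_add_krb5 and pam_apply_krb5 and the .bak backup suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example. Helper names and the .bak suffix are assumptions.

# Print FILE with the two pam_krb5 lines added at the documented positions.
# Exit status is non-zero if FILE lacks one of the anchor lines.
pam_add_krb5() {
    awk '
    # Pass 1: note existing pam_krb5 lines and where the session block ends.
    NR == FNR {
        if ($1 == "auth" && $0 ~ /pam_krb5\.so/) have_auth = 1
        if ($1 ~ /^-?session$/) {
            last_session = FNR
            if ($0 ~ /pam_krb5\.so/) have_session = 1
        }
        next
    }
    # Pass 2: insert just before the first "auth sufficient pam_unix.so" line
    $1 == "auth" && $2 == "sufficient" && $3 == "pam_unix.so" && !have_auth {
        print "auth        sufficient    pam_krb5.so try_first_pass minimum_uid=1000"
        have_auth = 1
    }
    { print }
    # and directly after the last session line.
    FNR == last_session && !have_session {
        print "session     optional      pam_krb5.so"
    }
    END { exit (have_auth && last_session) ? 0 : 1 }
    ' "$1" "$1"
}

# Edit FILE in place. FILE is left untouched if an anchor line is missing
# or if both pam_krb5 lines are already present.
pam_apply_krb5() {
    tmp=$(mktemp) || return 1
    pam_add_krb5 "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$1" "$tmp"; then rm -f "$tmp"; return 0; fi
    # Back up, then overwrite in place so owner, mode and SELinux label are kept.
    cp -p "$1" "$1.bak" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

After replacing the symbolic links, run pam_apply_krb5 as root on /etc/pam.d/password-auth and on /etc/pam.d/system-auth. Keep a root shell open until a test login has succeeded.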
Ubuntu
Install the following packages:
$ sudo apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config
Add the file /usr/share/pam-configs/krb5-local with the following content to add a PAM profile for local users to optionally get a ticket:
Name: Kerberos authentication for local users
Default: yes
Priority: 706
Conflicts: krb5
Auth-Type: Additional
Auth:
        [success=end default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass
Auth-Initial:
        [success=end default=ignore] pam_krb5.so minimum_uid=1000
Session-Type: Additional
Session:
        optional pam_krb5.so minimum_uid=1000
Run pam-auth-update and activate "Kerberos authentication for local users" and keep "Kerberos authentication" disabled.