Authentication without the Dedicated Kerberos Server
OIT’s dedicated Kerberos server is no longer included in the list of machines on which new faculty, staff and students receive accounts when their Princeton account is first created. This presented a problem for me earlier this year, as I had been authenticating some of my Linux users against it and the realm PRINCETON.EDU.
The Windows Domain Controllers are also technically Kerberos KDCs, so I set out to authenticate against them in a similar manner. Here’s how it’s done on CentOS; the only thing that should differ on another distribution is how the PAM configuration is organized and split among the config files.
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = PU.WIN.PRINCETON.EDU
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
PU.WIN.PRINCETON.EDU = {
kdc = pdom1.pu.win.princeton.edu
}
[domain_realm]
.princeton.edu = PU.WIN.PRINCETON.EDU
princeton.edu = PU.WIN.PRINCETON.EDU
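As an added check that is not part of the original post, the following Python script parses a krb5.conf like the one above and flags the single-DES and triple-DES enctypes it lists (withdrawn from Kerberos by RFC 6649 and RFC 8429) as well as default_realm or domain_realm entries that point at a realm with no [realms] block. The embedded sample is the post's own config, reproduced as a constructed string so the check runs offline.

```python
# Enctypes withdrawn from Kerberos: single DES (RFC 6649), triple-DES and RC4 (RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-hmac-sha1",
                 "des3-cbc-sha1", "arcfour-hmac", "rc4-hmac"}
# Constructed sample: the post's krb5.conf (minus [logging]) so the audit runs offline.
SAMPLE_KRB5_CONF = """\
[libdefaults]
ticket_lifetime = 24000
default_realm = PU.WIN.PRINCETON.EDU
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
PU.WIN.PRINCETON.EDU = {
kdc = pdom1.pu.win.princeton.edu
}
[domain_realm]
.princeton.edu = PU.WIN.PRINCETON.EDU
princeton.edu = PU.WIN.PRINCETON.EDU
"""

def parse_krb5_conf(text):
    # Returns {section: {key: value}}; a "NAME = { ... }" block nests as {NAME: {key: value}}.
    conf, section, block = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue                                   # skip blanks and comments
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line == "}":
            block = None                               # end of a realm block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section[key] = {}              # start of a realm block
            else:
                (block if block is not None else section)[key] = value
    return conf

def audit_krb5_conf(text):
    # Returns human-readable findings; an empty list means nothing was flagged.
    conf = parse_krb5_conf(text)
    lib, realms, findings = conf.get("libdefaults", {}), conf.get("realms", {}), []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} lists deprecated enctypes: {' '.join(weak)}")
    if lib.get("default_realm") not in realms:
        findings.append(f"default_realm {lib.get('default_realm')} has no [realms] entry")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped not in realms:
            findings.append(f"[domain_realm] maps {domain} to unknown realm {mapped}")
    return findings
```

Run against the post's config it reports the two enctype lines; replacing them with an AES enctype the domain controllers support clears the findings.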
/etc/pam.d/system-auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so