Various notes on configuring RHEL5, Solaris 10 and OSX 10.5 clients for
AD kerberos authentication and LDAP lookup.
RHEL5:
first attempt at an /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TRANSLAB.FQDN.XXX
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
# you may need to set _enctypes depending on your application.
# depending on your kerberos client, you may need to apply the
des-cbc-crc hotfix to your AD servers
[realms]
TRANSLAB.FQDN.XXX = {
kdc = translabpdc1.translab.fqdn.xxx:88
admin_server = translabpdc1.translab.fqdn.xxx:749
# you can add more kdcs. Depending on your setup, you can try DNS
resolution of DCs
# I think I later removed the :749 from admin_server
default_domain = translab.fqdn.xxx
}
[domain_realm]
.translab.stsci.edu = TRANSLAB.FQDN.XXX
translab.stsci.edu = TRANSLAB.FQDN.XXX
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
first attempt at /etc/ldap.conf
# to use SSL/TLS with AD, I believe you need to get the PDC to spit out
#client certificates and install them on all the LDAP clients. I've not
#investigated this fully.
host AAA.BBB.CCC.4
bind_timelimit 120
bind_policy soft
# change to hard when working??
idle_timelimit 3600
# you may need to add this, and add in any other local users installed
by default:
#nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,messagebus,dbus,vcsa
base dc=translab,dc=fqdn,dc=XXX
uri ldap://translabpdc1.translab.fqdn.XXX/
binddn [email protected]
bindpw pickagoodone!
scope sub
ssl no
nss_base_passwd dc=translab,dc=fqdn,dc=XXX?sub
nss_base_shadow dc=translab,dc=fqdn,dc=XXX?sub
nss_base_group dc=translab,dc=fqdn,dc=XXX?sub?
&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
pam modifications:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_krb5.so
# added for kerberos
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_krb5.so
# added for kerberos
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
Don't forget to modify /etc/nsswitch.conf to reflect files ldap for
passwd and group.
Solaris 10 Configuration:
/etc/krb5.conf is /etc/krb5/krb5.conf, but otherwise identical.
Use ldapclient to change solaris:
ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN="cn=LDAP UNIX Binder,cn=Users,dc=translab,dc=fqdn,dc=xxx" \
-a proxyPassword=pickagoodone \
-a defaultSearchBase=dc=translab,dc=fqdn,dc=xxx \
-a domainName=translab.fqdn.xxx \
-a defaultServerList=AAA.BBB.CCC.4 \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=translab,dc=fqdn,dc=xxx?sub \
-a serviceSearchDescriptor=group:dc=translab,dc=fqdn,dc=xxx?sub
ldapclient will copy over a new nsswitch.conf file, which you may want
to edit, depending on your configuration needs. If my memory serves, it
changes everything to using LDAP first.
Solaris PAM configuration: /etc/pam.conf
#
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_krb5.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
other password sufficient pam_krb5.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
For completeness: OS X
Try this script, based around Apple's dsconfigad:
http://patgmac.blogspot.com/2007/09/bind-to-ad-using-apple-remote-desktop.html
--
-- John E. Jasen ([email protected])
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
