Pam krb5

Revision as of 16:13, 27 July 2011 by Tgurr (talk | contribs)

Description

After connecting our Linux machine to our Windows ADS via Samba, we now want ADS users to be able to log in to the Linux machine via single sign-on, using their ADS accounts and passwords. For this we need the PAM module pam_krb5.

Dependencies

Samba - connected to ADS

Packages

Code: emerge pam_krb5 -pv
[ebuild  N    ] sys-auth/pam_krb5-3.10  USE="-doc" 153 kB

Installation

# emerge pam_krb5

Configuration

File: /etc/pam.d/system-auth
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_krb5.so # allow users from windows active directory
auth       required     pam_deny.so

account    required     pam_unix.so
account    sufficient   pam_krb5.so minimum_uid=1100 # allow users from windows active directory

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_krb5.so minimum_uid=1100 # allow users from windows active directory
session    optional     pam_mkhomedir.so skel=/etc/skel umask=0022 silent # create new homedir for windows active directory users
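
As an added example (not part of the original page or of pam_krb5), the following shell function audits a PAM service file for options that appear in the file above: pam_krb5.so entries without minimum_uid, and pam_unix.so entries that carry nullok or md5. The names audit_pam_stack and sample_system_auth are assumptions, and the embedded sample is constructed from the configuration above.

```shell
#!/bin/sh
# Added example, not from the original page. audit_pam_stack and
# sample_system_auth are hypothetical helper names.

# Reads a PAM service file (argument or stdin) and reports risky options.
audit_pam_stack() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comment-only and blank lines
        {
            sub(/[ \t]*#.*$/, "")            # drop trailing inline comments
            type = $1; module = ""; opts = ""
            for (i = 2; i <= NF; i++) {
                if (module == "" && $i ~ /\.so$/) {
                    n = split($i, p, "/")    # accept full module paths too
                    module = p[n]
                } else if (module != "") {
                    opts = opts " " $i       # everything after the module is an option
                }
            }
            where = "line " NR ": " type " " module ": "
            if (module == "pam_krb5.so" && opts !~ / minimum_uid=[0-9]+/)
                print where "no minimum_uid, Kerberos is tried for every account"
            if (module == "pam_unix.so" && opts ~ / nullok( |$)/)
                print where "nullok accepts accounts with an empty password"
            if (module == "pam_unix.so" && type == "password" && opts ~ / md5( |$)/)
                print where "md5 selects MD5 hashing for new passwords"
        }
    ' "$@"
}

# Constructed sample: the pam_unix and pam_krb5 lines of the file shown above.
sample_system_auth() {
    cat <<'EOF'
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_krb5.so # allow users from windows active directory
auth       required     pam_deny.so
account    required     pam_unix.so
account    sufficient   pam_krb5.so minimum_uid=1100 # allow users from windows active directory
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
session    optional     pam_krb5.so minimum_uid=1100 # allow users from windows active directory
EOF
}

sample_system_auth | audit_pam_stack
```

To check the live file instead of the sample, call `audit_pam_stack /etc/pam.d/system-auth`.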

Add User Permissions

# usermod -a -G wheel,plugdev,audio,cdrom,video,lp,kvm,qemu <user>