Authentication Notes

Here is what Adam and Chris have done so far to get authentication working for Linux boxes in GTAD:

0. Make sure ntp is on, and set it to point to ntp1.gatech.edu and ntp2.gatech.edu.

1. Make sure DNS is set up in /etc/resolv.conf:

    search cc.gatech.edu
    nameserver 130.207.165.170
    nameserver 143.215.143.72

2. Make sure /etc/krb5.conf is set:
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        default_realm = AD.GATECH.EDU
        dns_lookup_realm = true
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        forwardable = yes
        default_tgt_enctypes = rc4-hmac

    [realms]
        AD.GATECH.EDU = {
            kdc = ad.gatech.edu
            admin_server = ad.gatech.edu
        }

    [domain_realm]
        ad.gatech.edu = AD.GATECH.EDU
        .ad.gatech.edu = AD.GATECH.EDU

    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }
3. chown /etc/krb5.keytab to the nscd user:

    chown nscd /etc/krb5.keytab
    chmod 400 /etc/krb5.keytab

4a. Add a crontab entry to ensure Kerberos constantly renews its krb5 ticket. Execute the following:

    crontab -u nscd -e

And add this line:

    1 */6 * * * /usr/kerberos/bin/kinit -k -c /tmp/krb5cc_28 <host>$ >/dev/null 2>&1

Replace "host" with the fully qualified domain name of the host you are on.

4b. Kinit to GTAD:

    kinit <coc-AD-Admin-username>@AD.GATECH.EDU

5. Make sure that KRB5CCNAME is exported for all users. Move /sbin/unix_chkpwd to /sbin/unix_chkpwd.real. Then, create and edit a new /sbin/unix_chkpwd and have it say this:

    #!/bin/sh
    # point every caller at the nscd ticket cache, then hand off to the real helper
    KRB5CCNAME=/tmp/krb5cc_28; export KRB5CCNAME
    exec /sbin/unix_chkpwd.real "$@"

Then, set its permissions to be the same as /sbin/unix_chkpwd.

6. Edit /etc/samba/smb.conf and have it say the following:
    [global]
        workgroup = AD
        realm = AD.GATECH.EDU
        use kerberos keytab = yes
        preferred master = no
        server string = Samba Server Version %v
        security = ads
        encrypt passwords = yes
        log level = 3
        log file = /var/log/samba/%m
        max log size = 50
        winbind separator = +
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/winnt/%D/%U
        template shell = /bin/bash
        password server = ad.gatech.edu
        load printers = yes
        cups options = raw

    [homes]
        comment = Home Directories
        browseable = no
        writable = yes

    [printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes
7. Make sure the machine exists on the GTAD, and then issue the following command:

    net ads join -U <coc-AD-Admin-username>

Give it a username and password, and let the machine hop on the domain.

8. Now, issue the following:

    net ads keytab create -U <user who can administer AD>
    net ads keytab add login -U <user who can administer AD>

9. Edit /etc/pam.d/system-auth and make sure it says this:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        sufficient    pam_krb5.so use_first_pass
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_krb5.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_krb5.so
    session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022

10. Make sure that libgssapi and cyrus-sasl-gssapi are installed via yum.

11. Edit /etc/openldap/ldap.conf to be this:

    base DC=AD,DC=GATECH,DC=EDU
    host ad.gatech.edu
    scope sub
    ssl no
    TLS_CACERT /etc/openldap/cacerts/gtcert.crt
    use_sasl on
    SASL_MECH GSSAPI
    sasl_secprops maxssf=0
    bind_policy soft
    nss_schema rfc2307bis
    nss_base_passwd DC=AD,DC=GATECH,DC=EDU?sub?<filter>
    nss_base_shadow DC=AD,DC=GATECH,DC=EDU?sub
    nss_base_group DC=AD,DC=GATECH,DC=EDU?sub
    referrals no
    nss_map_objectclass posixAccount User
    nss_map_objectclass shadowAccount User
    nss_map_attribute uid sAMAccountName
    nss_map_attribute uidNumber uidNumber
    nss_map_attribute gidNumber gidNumber
    nss_map_attribute cn sAMAccountName
    nss_map_attribute uniqueMember member
    nss_map_attribute givenname givenName
    nss_map_attribute ou description
    nss_map_attribute gecos displayName
    nss_map_attribute loginShell loginShell
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_objectclass posixGroup Group
    nss_map_attribute shadowLastChange pwdLastSet
    nss_initgroups

12. Replace

13. Edit /etc/openldap/cacerts/gtcert.crt and grab the PKS10 GT root cert from ca.gatech.edu, and place it in this file.

14. Edit /etc/nsswitch.conf:

    passwd: files [NOTFOUND=continue] ldap [NOTFOUND=continue]
    shadow: files [NOTFOUND=continue] ldap [NOTFOUND=continue]
    group:  files [NOTFOUND=continue] ldap [NOTFOUND=continue]

At the end of this, authentication is set. What follows are attempts to get pam_mount to work.

15. Compile and install libHX. Download the source, run configure, and fix any dependencies that may be missing. Also, when you run configure, run it as such:

    ./configure --prefix=/usr

It will install libHX to the proper place.

16. Compile and install pam_mount. Download the source from sourceforge and run configure. It will probably tell you that libxml2 is missing. Install libxml2-devel via yum:

    yum install libxml2-devel

You also need to install the pam headers:

    yum install pam-devel
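To confirm that the authentication setup from steps 0 through 14 took, here is an added post-install check script (written for these notes, not part of the original page). The script name check_gtad_auth.sh and the PASS/FAIL report format are my own; it reads the files and ticket cache paths the notes use (override them with the RESOLV, NSSWITCH, KEYTAB and CCACHE environment variables) and assumes klist is in PATH.

```shell
#!/bin/sh
# check_gtad_auth.sh: post-install checks for steps 0-14 of the notes above.
# Added example, not from the original notes; assumes klist is in PATH.
RESOLV=${RESOLV:-/etc/resolv.conf}; NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}; CCACHE=${CCACHE:-/tmp/krb5cc_28}

# Step 1: both GT nameservers must be listed.
resolv_ok() {
    grep -q '^nameserver[[:space:]]*130\.207\.165\.170' "$1" &&
    grep -q '^nameserver[[:space:]]*143\.215\.143\.72' "$1"
}

# Step 14: passwd, shadow and group must all fall through to ldap.
nsswitch_ok() {
    for db in passwd shadow group; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
    done
}

# Step 3: the keytab holds the host key, so only its owner (nscd) may read it.
keytab_owner_ok() { [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]; }
keytab_mode_ok()  { [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]; }

# Step 4a: the cron job keeps this cache fresh. klist -s is silent and
# returns non-zero when the cache is missing or its TGT has expired.
ccache_ok() { klist -s -c "$1" 2>/dev/null; }

# report NAME CHECK ARGS...: print PASS/FAIL and count failures.
report() {
    name=$1; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fails=$((fails + 1)); fi
}

main() {
    fails=0
    report "resolv.conf lists GT nameservers" resolv_ok "$RESOLV"
    report "nsswitch.conf uses ldap"          nsswitch_ok "$NSSWITCH"
    report "keytab owned by nscd"             keytab_owner_ok "$KEYTAB" nscd
    report "keytab mode 0400"                 keytab_mode_ok "$KEYTAB"
    report "host ticket cache valid"          ccache_ok "$CCACHE"
    [ "$fails" -eq 0 ]
}

# Run with: sh check_gtad_auth.sh --run   (no args: only defines the functions)
if [ "${1:-}" = "--run" ]; then main; fi
```

A FAIL on the ticket cache line usually means the crontab entry from step 4a is not running as nscd or the <host>$ principal is not in the keytab; check with klist -k /etc/krb5.keytab.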