http:///https:///index.php?title=PAM_Kerberos_Authentication&feed=atom&action=history
PAM Kerberos Authentication - Revision history
2024-03-29T04:43:49Z
Revision history for this page on the wiki
MediaWiki 1.39.5
https://wiki.samba.org/index.php?title=PAM_Kerberos_Authentication&diff=3314&oldid=prev
Gd at 14:22, 24 October 2007
2007-10-24T14:22:32Z
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 14:22, 24 October 2007</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 3:</td>
<td colspan="2" class="diff-lineno">Line 3:</td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In order to enable kerberos authentication configure Samba to use winbind in nsswitch and for PAM (FIXME: point to other docs).</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In order to enable kerberos authentication configure Samba to use winbind in nsswitch and for PAM (FIXME: point to other docs).</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> </div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> </div></td>
</tr>
<tr>
<td class="diff-marker" data-marker="−"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>== Enabling <del style="font-weight: bold; text-decoration: none;">offline</del> authentication in pam_winbind ==</div></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>== Enabling <ins style="font-weight: bold; text-decoration: none;">Kerberos</ins> authentication in pam_winbind ==</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>First of all, make sure that you can login using PAM and your windows credentials, e.g. using ssh:</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>First of all, make sure that you can login using PAM and your windows credentials, e.g. using ssh:</div></td>
</tr>
<tr>
<td colspan="2" class="diff-lineno">Line 12:</td>
<td colspan="2" class="diff-lineno">Line 12:</td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Now, pam_winbind needs to set a kerberos flag, you can do so by either</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Now, pam_winbind needs to set a kerberos flag, you can do so by either</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br /></td>
</tr>
<tr>
<td class="diff-marker" data-marker="−"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* adding "<del style="font-weight: bold; text-decoration: none;">cached_login</del> = yes" to /etc/security/pam_winbind.conf. That file should look like this:</div></td>
<td class="diff-marker" data-marker="+"></td>
<td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* adding "<ins style="font-weight: bold; text-decoration: none;">krb5_auth</ins> = yes<ins style="font-weight: bold; text-decoration: none;">" and "krb5_ccache_type = FILE</ins>" to /etc/security/pam_winbind.conf. That file should look like this:</div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> </div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> </div></td>
</tr>
<tr>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> #</div></td>
<td class="diff-marker"></td>
<td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> #</div></td>
</tr>
</table>
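Review bot: In the "Line 3" hunk, the context line directly above the renamed heading still carries "(FIXME: point to other docs)" and writes "kerberos" in lower case, while the new heading now reads "Kerberos". Since this revision already touches the section, replace the FIXME with links to the winbind nsswitch and PAM setup pages and settle on one capitalisation.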
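Review bot: In the "Line 12" hunk, the new bullet names two options, "krb5_auth = yes" and "krb5_ccache_type = FILE", but the unchanged lead-in two lines above still says pam_winbind needs "a kerberos flag", and the bullet does not say which of the two is required. State that krb5_auth switches Kerberos authentication on and that krb5_ccache_type = FILE additionally requests a ticket cache; the sample file's own comment already says the cache type can be left empty for authentication without a ticket afterwards.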
Gd
https://wiki.samba.org/index.php?title=PAM_Kerberos_Authentication&diff=3313&oldid=prev
Gd at 13:07, 24 October 2007
2007-10-24T13:07:39Z
<p><b>New page</b></p><div>== Kerberos Authentication using winbindd ==<br />
<br />
In order to enable kerberos authentication configure Samba to use winbind in nsswitch and for PAM (FIXME: point to other docs).<br />
<br />
== Enabling offline authentication in pam_winbind ==<br />
<br />
First of all, make sure that you can login using PAM and your windows credentials, e.g. using ssh:<br />
ssh YOURDOM\\youruser@localhost<br />
<br />
You cannot continue if login via PAM (pam_winbind) is not working.<br />
<br />
Now, pam_winbind needs to set a kerberos flag, you can do so by either<br />
<br />
* adding "cached_login = yes" to /etc/security/pam_winbind.conf. That file should look like this:<br />
<br />
#<br />
# pam_winbind configuration file<br />
#<br />
# /etc/security/pam_winbind.conf<br />
#<br />
[global]<br />
# authenticate using kerberos<br />
krb5_auth = yes<br />
<br />
# when using kerberos, request a "FILE" krb5 credential cache type<br />
# (leave empty to just do krb5 authentication but not have a ticket<br />
# afterwards)<br />
krb5_ccache_type = FILE<br />
<br />
This will enable kerberos authentication globally for all applications using PAM. If you want more fine-grained control over which services use pam_winbind's kerberos mode, you can do so by<br />
<br />
* adding the "krb5_auth" and "krb5_ccache_type" options to the individual PAM configuration files (usually below /etc/pam.d/$SERVICE)<br />
<br />
== Testing Kerberos authentication ==<br />
<br />
Start winbindd, authenticate successfully at least once while winbind is online<br />
<br />
/etc/init.d/winbind start<br />
<br />
wbinfo -K YOURDOM\\youruser%password<br />
<br />
You should get<br />
<br />
plaintext kerberos password authentication for [YOURDOM\youruser%password] succeeded (requesting cctype: FILE)<br />
credentials were put in: FILE:/tmp/krb5cc_0<br />
<br />
in the output.<br />
<br />
Your system is now prepared to use pam_winbind for kerberos authentication. Please try to login to your localhost, e.g. using ssh<br />
ssh YOURDOM\\youruser@localhost<br />
<br />
After successful login "klist" should show your ticket granting ticket.</div>
Gd
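A check for the configuration step above, as an added example (not part of the wiki page or of Samba): a shell function that reads the `[global]` section of a pam_winbind.conf-style file and reports whether it selects Kerberos authentication with a ticket cache, authentication only, or neither. The function name `winbind_krb5_mode`, its three result strings, and the rule that only the literal value `yes` shown on this page counts as enabled are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which Kerberos mode a pam_winbind.conf selects.
# Only the [global] section and the two options named on this page are read.
# Assumption: only the spelling "yes" used on the page enables krb5_auth.

winbind_krb5_mode() {
    # $1: path to a pam_winbind.conf-style file
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header, e.g. [global]
            sec = tolower($0)
            gsub(/[^a-z0-9_]/, "", sec)
            next
        }
        sec == "global" && index($0, "=") {     # key = value inside [global]
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            opt[tolower(key)] = val
        }
        END {
            # No krb5_auth: Kerberos is off (cached_login alone does not enable it).
            if (tolower(opt["krb5_auth"]) != "yes") { print "disabled"; exit }
            # Empty cache type: authenticate, but no ticket afterwards.
            if (opt["krb5_ccache_type"] == "")      { print "auth-only"; exit }
            print "ticket:" opt["krb5_ccache_type"]
        }
    ' "$1"
}

# Constructed sample: the file contents given on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
# authenticate using kerberos
krb5_auth = yes
krb5_ccache_type = FILE
EOF
winbind_krb5_mode "$sample"
rm -f "$sample"
```

A file that contains only `cached_login = yes`, as the first revision's bullet suggested, is reported as `disabled`.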