Configuring Kerberos PAM
Written by Sam Moffatt   
Sunday, 10 June 2007 01:12

Kerberos PAM allows a user to use their Active Directory and password to login to Linux computers. This has been tested on SuSE 9.1 installations. Primary configuration can be completed via YaST.

YaST Install
Packages Required to be Installed (completed under Software/Install and Remove Software):
heimdal-lib (Library)
heimdal-tools (Client)
pam-krb5 (Linux Authentication Module)
yast2-kerberos-client (YaST GUI Plugin)

Once installed, close and restart YaST to access the Kerberos Client plugin. This can be accessed under Network Services/Kerberos Client. In this section, enable Kerberos, and set the following items:
Default Domain: joomla
Default Realm: JOOMLA.ORG
KDC Server Adderss:
Note: The use of capitals is important to Kerberos!
Clicking finish should complete everything.

Manual Installation/Something Goes Wrong
Assuming the heimdal-lib, heimdal-tools and pam-krb5 packages are installed, here are some pointers on completing a manual installation.

Kerberos Setup
The file /etc/krb5.conf contains the Kerberos configuration information. Sample document follows:

clockskew = 300
default_realm = JOOMLA.ORG

kdc =
default_domain = its
kpasswd_server =

.joomla = JOOMLA.ORG

kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = true
minimum_uid = 0
debug = false

To test, type "kinit ". It will ask you for a password, and type in the Novell password matching that username. If you don't get any errors, it has completed succesfully. You may get a warning like the following:
"kinit: NOTICE: ticket renewable lifetime is 1 week". This is normal and can be safely ignored.

To activate PAM to use Kerberos (once it is confirmed working), navigate to /etc/security/pam_unix2.conf file, which is the normal authentication module. A sample file follows:

auth: call_modules=use_krb5 nullok
account: call_modules=use_krb5
password: call_modules=use_krb5 md5 nullok
session: none

Notice that use_krb5 is included for all items, and can safely be added. It is suggest that it isn't added to session, because it may not accurately. A more basic configuration appears to work as well:

auth: use_krb5
account: none
password: md5
session: none

It appears that using the previous configuration, that changing the password could be completed using a Linux computer. This may not function properly.

If you get a couple of errors, make sure that everything is set up correctly and that you are using NTP properly. If the clock on the computer is even five minutes out, then it will cause a clock skew and it will not authenticate. Also, make sure that if the hardware time is set to UTC, that the system knows this.

Not specifically related to this, but still relevant to this area, if you get an error stating that the maximum password length is 8 characters and the password will be truncated, add these two lines to the /etc/login.defs file:

Last Updated on Friday, 26 November 2010 06:36