March 15, 2014

Configure a System to Authenticate Using Kerberos

You can do this either graphically (system-config-authentication) or from the command line (authconfig).

When doing it from the command line it can be hard to remember all the parameters, but the '--help' output makes it easier.

The LDAP parameters

$ authconfig --help | grep ldap
  --enableldap          enable LDAP for user information by default
  --disableldap         disable LDAP for user information by default
  --enableldapauth      enable LDAP for authentication by default
  --disableldapauth     disable LDAP for authentication by default
  --ldapserver=<server>
  --ldapbasedn=<dn>     default LDAP base DN
  --enableldaptls, --enableldapstarttls
  --disableldaptls, --disableldapstarttls
  --ldaploadcacert=<URL>

The Kerberos parameters.

$ authconfig --help | grep krb
  --enablekrb5          enable kerberos authentication by default
  --disablekrb5         disable kerberos authentication by default
  --krb5kdc=<server>    default kerberos KDC
  --krb5adminserver=<server>
  --krb5realm=<realm>   default kerberos realm
  --enablekrb5kdcdns    enable use of DNS to find kerberos KDCs
  --disablekrb5kdcdns   disable use of DNS to find kerberos KDCs
  --enablekrb5realmdns  enable use of DNS to find kerberos realms
  --disablekrb5realmdns

And finally SSSD (System Security Services Daemon), which enables cached authentication, which in turn means off-line authentication is possible. That can be both good and bad: an unstable network connection does not stop you from logging in, but you also need to remember that the cached authentication data might be stale.

$ authconfig --help | grep sssd
  --enablesssd          enable SSSD for user information by default with
  --disablesssd         disable SSSD for user information by default (still
  --enablesssdauth      enable SSSD for authentication by default with
  --disablesssdauth     disable SSSD for authentication by default (still used

Let's put all this together and add --update at the end to actually update the authentication configuration.

$ authconfig --enableldap --disableldapauth \
    --ldapserver=<server> --ldapbasedn=<dn> \
    --enableldaptls --ldaploadcacert=<URL> \
    --enablekrb5 --krb5kdc=<server> --krb5adminserver=<server> --krb5realm=<realm> \
    --enablesssd --enablesssdauth \
    --update
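As an added example (not from the original post, and not part of authconfig itself), here is a small POSIX shell check you can run against the sssd.conf that the command above writes. It verifies that identity comes from LDAP over StartTLS, that authentication goes through Kerberos (so passwords are never sent to the LDAP server), that a realm is set, that certificate verification has not been weakened, and that credential caching is on for the off-line logins mentioned above. The sample config at the bottom is constructed with placeholder values for the demonstration.

```shell
#!/bin/sh
# Sanity-check an sssd.conf for the settings the authconfig command above
# should produce: LDAP identity over StartTLS, Kerberos authentication,
# a realm, strict certificate checking and credential caching.
conf_get() {  # $1 = file, $2 = key; prints the first "key = value" match
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}
lower() { tr '[:upper:]' '[:lower:]'; }
# Returns 0 when every expected setting is present, 1 otherwise (listing what is off).
check_sssd_conf() {  # $1 = path to sssd.conf
    rc=0
    for pair in id_provider=ldap auth_provider=krb5 \
                ldap_id_use_start_tls=true cache_credentials=true; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(conf_get "$1" "$key" | lower)"
        [ "$got" = "$want" ] || { echo "$key: want '$want', got '${got:-unset}'"; rc=1; }
    done
    # auth_provider = krb5 is useless without a realm to authenticate against.
    [ -n "$(conf_get "$1" krb5_realm)" ] || { echo "krb5_realm: unset"; rc=1; }
    # If ldap_tls_reqcert is written it must still verify the server certificate;
    # SSSD's own default is "hard", while "allow"/"never" accept bad certificates.
    reqcert="$(conf_get "$1" ldap_tls_reqcert | lower)"
    case "${reqcert:-hard}" in
        hard|demand) ;;
        *) echo "ldap_tls_reqcert: '$reqcert' does not verify the server certificate"; rc=1 ;;
    esac
    return $rc
}
# Constructed sample resembling what the flags above produce (placeholder values).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = default
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
cache_credentials = True
EOF
check_sssd_conf "$SAMPLE_CONF" && echo "sssd.conf looks sane"
```

Run it as `check_sssd_conf /etc/sssd/sssd.conf` on the real file after `authconfig --update` has finished.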
