3.4.2. Configuration
To configure the client in a terminal enter:
sudo dpkg-reconfigure krb5-config
You will then be prompted to enter the name of the Kerberos Realm. Also, if you don't have DNS configured with Kerberos SRV records, the menu will prompt you for the hostname of the Key Distribution Center (KDC) and Realm Administration server.
The dpkg-reconfigure adds entries to the /etc/krb5.conf file for your Realm. You should have entries similar to the following:
[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = {
kdc = 192.168.0.1
admin_server = 192.168.0.1
}
If you set the uid of each of your network-authenticated users to start at 5000, as suggested in Section 3.2.1, “Installation”, you can then tell PAM to only try Kerberos authentication for users with a uid of 5000 or higher (pam_krb5 skips any account whose uid is below minimum_uid):
# Kerberos should only be applied to ldap/kerberos users, not local ones.
for i in common-auth common-session common-account common-password; do
    sudo sed -i -r \
        -e 's/pam_krb5.so minimum_uid=1000/pam_krb5.so minimum_uid=5000/' \
        /etc/pam.d/$i
done
This avoids being prompted for the (non-existent) Kerberos password of a locally authenticated user when that user changes their password with passwd.
You can test the configuration by requesting a ticket using the kinit utility. For example, with USERNAME replaced by a principal that exists in your realm:
kinit USERNAME@EXAMPLE.COM
Password for USERNAME@EXAMPLE.COM:
When a ticket has been granted, the details can be viewed using klist:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: USERNAME@EXAMPLE.COM

Valid starting     Expires            Service principal
07/24/08 05:18:56  07/24/08 15:18:56  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/25/08 05:18:57

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
Next, use auth-client-config to configure the libpam-krb5 module to request a ticket during login:
sudo auth-client-config -a -p kerberos_example
You should now receive a ticket upon successful login authentication.
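The steps above can be checked in one pass once they are done. The script below is an added example, not part of the Ubuntu Server Guide: it reads default_realm and the kdc entries back out of a krb5.conf, confirms that every common-* PAM file carries a pam_krb5 minimum_uid at or above the 5000 threshold (so local accounts are never sent to Kerberos), and uses klist -s as a silent test for a valid ticket. The rewrite helper generalises the page's sed, which only matches the literal minimum_uid=1000 Ubuntu ships, to whatever value is currently present. File paths are parameters with the page's locations as defaults; the function names, the `check` argument and the sample files in the test are this example's own assumptions. The krb5.conf parser assumes the spaced `key = value` layout shown on the page.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): post-configuration checks
# for a Kerberos client. Paths are parameters so the functions can be run
# against copies or test fixtures; defaults are the real locations.

# Print default_realm from a krb5.conf-style file (empty if unset).
krb5_default_realm() {
    conf=${1:-/etc/krb5.conf}
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1
}

# Print every kdc declared inside the given realm's block under [realms].
# Assumes the "REALM = {" / "kdc = host" layout used on the page.
krb5_kdcs() {
    realm=$1; conf=${2:-/etc/krb5.conf}
    awk -v realm="$realm" '
        $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && $1 == "}"                  { inblock = 0 }
        inblock && $1 == "kdc" && $2 == "="   { print $3 }
    ' "$conf"
}

# Rewrite minimum_uid on every pam_krb5.so line of one PAM file to the given
# threshold, whatever value it holds now (the page's sed only matches 1000).
pam_krb5_set_min_uid() {
    file=$1; uid=$2
    sed -i -r -e "/pam_krb5\.so/ s/minimum_uid=[0-9]+/minimum_uid=$uid/" "$file"
}

# Print the smallest minimum_uid found on pam_krb5.so lines across the given
# files (empty if none carries one). Anything below the threshold means
# pam_krb5 will still be consulted for local accounts.
pam_krb5_min_uid() {
    grep -h 'pam_krb5\.so' "$@" | sed -n 's/.*minimum_uid=\([0-9]*\).*/\1/p' | sort -n | head -n 1
}

# Exit status 0 when the credential cache holds a valid, unexpired ticket.
# klist -s is the documented silent check, so no parsing of klist output.
have_valid_ticket() {
    klist -s 2>/dev/null
}

# Tie the checks together: krb5.conf, PAM threshold, and current ticket.
check_client() {
    conf=${1:-/etc/krb5.conf}; pamdir=${2:-/etc/pam.d}; threshold=${3:-5000}
    realm=$(krb5_default_realm "$conf")
    [ -n "$realm" ] || { echo "no default_realm in $conf"; return 1; }
    echo "default_realm: $realm"
    kdcs=$(krb5_kdcs "$realm" "$conf")
    if [ -n "$kdcs" ]; then
        echo "kdc: $kdcs"
    else
        echo "no kdc entry for $realm in $conf (relying on DNS SRV records)"
    fi
    minuid=$(pam_krb5_min_uid "$pamdir"/common-auth "$pamdir"/common-session \
                              "$pamdir"/common-account "$pamdir"/common-password)
    if [ -z "$minuid" ] || [ "$minuid" -lt "$threshold" ]; then
        echo "WARNING: pam_krb5 minimum_uid is '${minuid:-unset}'; accounts below $threshold may be sent to Kerberos"
        return 1
    fi
    echo "pam_krb5 minimum_uid: $minuid"
    if have_valid_ticket; then
        echo "valid ticket in credential cache"
    else
        echo "no valid ticket in credential cache (run kinit)"
    fi
}

# Usage: sh krb5-client-check.sh check [krb5.conf] [pam.d dir] [threshold]
case "${1:-}" in
    check) shift; check_client "$@" ;;
esac
```

Run it as `sh krb5-client-check.sh check` after the auth-client-config step; a non-zero exit means the realm is missing from krb5.conf or a common-* file still lets pam_krb5 see uids below the threshold.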