On Thu, Oct 20, 2011 at 3:57 PM, Steven Leikeim <[log in to unmask]> wrote:
> On Thu, Oct 20, 2011 at 01:07:45PM -0600, [log in to unmask] wrote:
>> Which configuration options can be used on SL 5.5, to get Kerberos tickets
>> immediately after login?
>>
>
> In System -> Administration -> Authentication, there is a checkbox to enable
> Kerberos support for Authentication as well as Configure your Kerberos settings.

Behind the scenes, this tool simply summons the "authconfig" command.
Reading up on this command will give you all the power of the GUI, but
in a way that is easily scripted and deployed.

I strongly urge upgrading to 5.7, for a whole slew of improved
integrations involving Kerberos and especially features like NFSv4, and
I especially urge upgrading to SL 6.1 to get single-sign-on key
handling for OpenSSH, which requires OpenSSH 5.x.

> It's been quite a while since we set this up and I can't remember if this was
> sufficient or additional manual configuration was required. The important part
> of Kerberos getting tickets automatically is in /etc/pam.d/system-auth. Here
> we have the following line in the auth section:
>
> auth sufficient pam_krb5.so use_first_pass
>
> (There are similar lines in other sections.)
>
> This works for us here, and has worked with a different (ie non-AD) LDAP
> server. The only caveat to this, is that for this to work properly, passwords
> must be synchronized between LDAP and AD.
>
> If you have any other questions on this, please feel free to ask.
>
> I hope this helps.
>
>
>
>
> Steven Leikeim
>
> --
>
> Steven Leikeim, GSEC-Gold | We, the willing
> Schulich School of Engineering | led by the unknowing
> Information Technologies | are doing the impossible
> | for the ungrateful.
> University of Calgary | We have done so much
> Calgary, Alberta | for so long with so little
> | we are now qualified
> Phone: (403) 220-5373 | to do anything with nothing.
>
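
Added example, not part of either message above: a small shell check that a PAM file's auth stack contains the pam_krb5.so line quoted in the thread and that use_first_pass has an earlier module to take the password from. The function name check_pam_krb5, its return codes, and the sample stack are constructed for illustration; treating pam_unix.so as the prompting module is an assumption based on a stock system-auth.

```shell
#!/bin/sh
# Added example: audit the auth stack of a PAM file for the pam_krb5 line.
# Return codes (hypothetical convention for this example):
#   0 = pam_krb5 present in the auth stack and ordered sanely
#   1 = no pam_krb5 auth line, so login will not obtain a ticket
#   2 = use_first_pass is set but no earlier pam_unix collected a password
check_pam_krb5() {
    awk '
        $1 != "auth" { next }                 # skips comments, blanks, other stacks
        {
            mod = ""; args = ""
            for (i = 3; i <= NF; i++) {       # module path follows the control field(s)
                if (mod != "")          args = args " " $i
                else if ($i ~ /\.so$/) { mod = $i; sub(/.*\//, "", mod) }
            }
            # Assumption: pam_unix.so is the module that prompts for the password.
            if (mod == "pam_unix.so") prompted = 1
            if (mod == "pam_krb5.so") {
                found = 1
                if (index(args " ", " use_first_pass ") && !prompted) orphan = 1
            }
        }
        END { if (!found) exit 1; if (orphan) exit 2; exit 0 }
    ' "$1"
}

# Constructed sample: an auth stack of the shape discussed in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
EOF
check_pam_krb5 "$sample" && echo "pam_krb5 auth line present, ordered after pam_unix"
rm -f "$sample"
```

On a real host the argument would be /etc/pam.d/system-auth, the file named in the quoted message.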