How do I authenticate against Kerberos?
For Red Hat based systems such as RHEL, CentOS or Scientific Linux:
Rather than modifying files manually, it is much easier and less error-prone to use the Red Hat authconfig-tui tool. It can be invoked from the command line:
The authconfig-tui tool allows you to:
- set where to get the user information from
- set where to do the authentication.
- configure your LDAP setup
- configure your Kerberos setup
So, for example, we choose LDAP for User Information and Kerberos for authentication:
The "tui" in the tool's name is an abbreviation for Text User Interface; the interface is built with ncurses.
Then you have to configure your LDAP settings:
The last step is to configure your Kerberos server setup. Mainly, Realm, KDC, and Admin Server:
Rather than modifying files by hand, it is easier and less error-prone to use the YaST tool. From the command line:
First, choose "Network Services", "Kerberos Client".
Then, specify the Kerberos server configuration. Mainly, Domain Name, Realm, KDC server.
Finally, choose "Advanced Settings..." to enable Kerberos support for OpenSSH and other PAM services.
Kerberos Authentication With The User Portal Web Service
To allow the user portal, https://<head node IP>/userportal, to authenticate against Kerberos, you need to edit /etc/pam.d/php manually and change the following lines:
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
to:
auth sufficient pam_sss.so
account sufficient pam_sss.so
After that you need to restart the webserver.
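The /etc/pam.d/php edit described above can be scripted so that only the auth and account lines are touched and a backup is kept. This is an added example, not part of the original page; the function names, the PAM_FILE variable and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply the /etc/pam.d/php change described on this page.
# PATTERN matches only active "auth"/"account" lines that use pam_ldap.so
# with the "sufficient" control flag; password, session and commented lines stay.
PATTERN='^([[:space:]]*(auth|account)[[:space:]]+sufficient[[:space:]]+)pam_ldap\.so([[:space:]]|$)'

# swap_pam_ldap_to_sss FILE  (hypothetical helper name)
# Returns 0 on success or when nothing needs changing, non-zero otherwise.
swap_pam_ldap_to_sss() {
    pam_file=$1
    [ -f "$pam_file" ] || { echo "no such file: $pam_file" >&2; return 2; }
    if ! grep -Eq "$PATTERN" "$pam_file"; then
        echo "$pam_file: no matching pam_ldap.so lines, nothing to do"
        return 0
    fi
    # Back up the original before touching it.
    backup=$(mktemp "${TMPDIR:-/tmp}/pam-backup.XXXXXX") || return 1
    cp -p "$pam_file" "$backup" || return 1
    tmp=$(mktemp) || return 1
    if ! sed -E "s/$PATTERN/\\1pam_sss.so\\3/" "$pam_file" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # Overwrite in place so owner, mode and SELinux label are preserved.
    cat "$tmp" > "$pam_file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    echo "$pam_file: updated, backup at $backup"
    diff "$backup" "$pam_file" || true   # show what changed
    return 0
}

# Constructed sample standing in for /etc/pam.d/php (not the real file).
make_sample() {
    cat > "$1" <<'EOF'
auth     sufficient pam_ldap.so
auth     required   pam_unix.so
account  sufficient pam_ldap.so
account  required   pam_unix.so
password sufficient pam_ldap.so
#auth    sufficient pam_ldap.so
EOF
}

# Set PAM_FILE=/etc/pam.d/php to edit the real file; otherwise demo on the sample.
if [ -n "${PAM_FILE:-}" ]; then
    swap_pam_ldap_to_sss "$PAM_FILE"
else
    sample=$(mktemp) && make_sample "$sample" && swap_pam_ldap_to_sss "$sample" && cat "$sample"
    rm -f "$sample"
fi
```

Running it a second time on the same file makes no change, and the webserver still has to be restarted afterwards as stated above.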