Microsoft active directory
From Linux & Open Source @ NUS
Kerberos Authentication with NUS Active Domain on Linux
Based on the HOWTO written by Keith Phua, Systems Engineer at Science ITU. The following steps have been tested successfully on Ubuntu Gutsy.
1) Install the MIT Kerberos 5 packages. Frankly, I had no idea what to install, so I tried
$ apt-cache search kerberos
and installed the set of krb5 packages I found:
# apt-get install krb5-clients krb5-user libpam-krb5
2) Now set up the Kerberos configuration file, /etc/krb5.conf, adding the lines below to the respective sections. The example entries for MIT's own realms in the shipped file may be deleted. Back the file up first:
# cp /etc/krb5.conf /etc/krb5.conf.backup
# vim /etc/krb5.conf
[libdefaults]
default_realm = STU.NUS.EDU.SG
clockskew = 300
dns_lookup_realm = false
[realms]
STU.NUS.EDU.SG = {
kdc = 137.132.4.28
default_domain = stu.nus.edu.sg
admin_server = 137.132.4.28
}
[domain_realm]
.stu.nus.edu.sg = STU.NUS.EDU.SG
3) Test the Kerberos connection with your NUSNET ID and password. Run kinit as your normal user rather than as root, so the ticket cache belongs to your own uid (which is what the klist output below shows). When you type
$ kinit u0501234
you should then see:
Password for u0501234@STU.NUS.EDU.SG:
After you enter your password, you should get the prompt back with no output. Remember, no news is good news :)
Then type
$ klist
You should get something like this:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: u0501234@STU.NUS.EDU.SG

Valid starting     Expires            Service principal
08/15/07 09:17:12  08/15/07 09:27:12  krbtgt/STF.NUS.EDU.SG@STF.NUS.EDU.SG
        renew until 08/16/07 09:17:12

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
The line to check is the krbtgt one. A TGT is always issued by the realm of the principal, so with the krb5.conf above it should read krbtgt/STU.NUS.EDU.SG@STU.NUS.EDU.SG; the sample output above shows a different realm (STF.NUS.EDU.SG) on that line. If the realm in your krbtgt line differs from default_realm, kinit is not using the configuration you think it is.
4) Configure PAM
Depending on which service you want to use, add the lines below to the corresponding PAM service file in /etc/pam.d. Put them before the existing auth lines (on Ubuntu, before the @include common-auth line): if they come after it, the required pam_unix.so from common-auth runs first and demands a local password, and Kerberos-only accounts never get as far as pam_krb5. I use gdm, so I edited that file and added the following lines:
# cp /etc/pam.d/gdm /etc/pam.d/gdm.backup
# vim /etc/pam.d/gdm
auth sufficient pam_krb5.so
auth required pam_unix.so use_first_pass
account sufficient pam_krb5.so
The first line accepts the login as soon as the KDC issues a TGT for the password entered; if Kerberos fails, the second line tries the same password against the local account, so local users can still log in. Two caveats. First, account sufficient pam_krb5.so means the local account checks (password expiry and the like) are skipped for users who authenticated via Kerberos. Second, pam_krb5 can only confirm that the TGT really came from the domain's KDC if this host has its own key in /etc/krb5.keytab; this HOWTO never joins the machine to the domain, so that check is skipped and whichever host answers at the kdc address in krb5.conf is trusted to issue the ticket. If you can obtain a host keytab from the domain administrators, see the pam_krb5 man page for the keytab options.
5) New account for your NUSNET ID
Kerberos only verifies the password; the local system still needs an account and a home directory for the user, so add an entry for your NUSNET ID to /etc/passwd:
# cp /etc/passwd /etc/passwd.backup
# vi /etc/passwd (or vipw, which locks the file while you edit it)
Add this line at the bottom (1001 is an unused uid and 100 is the users group; adjust as needed):
u0501234:x:1001:100:Your Real Name:/home/u0501234:/bin/bash
The x in the password field with no matching /etc/shadow entry means the account has no local password hash, so pam_unix cannot accept any local password for it and only the Kerberos password will log it in. Then create the home directory:
# mkdir -p /home/u0501234
# chown u0501234: /home/u0501234
6) Press Ctrl+Alt+Backspace to restart X and log in.
If there are any errors, one way to troubleshoot is to look at /var/log/syslog. Note that one will not be able to log in locally via gdm (logging in at a tty console with Ctrl+Alt+F1 is still possible) unless /etc/pam.d/gdm is changed back to the original, without the three additional lines from step 4. If you get clock skew errors, make sure the system time is accurate: Kerberos rejects tickets when the client and KDC clocks differ by more than the clockskew value (300 seconds) set in krb5.conf.
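The whole procedure as one script, an added example that is not part of Keith Phua's HOWTO. It uses the realm, KDC address and sample NUSNET ID from this page as defaults, writes the krb5.conf from step 2, checks the klist output for a TGT issued by the configured realm (which catches a wrong default_realm), inserts the PAM lines from step 4 ahead of the existing ones, and creates the account with useradd instead of editing /etc/passwd by hand. The uid, group and real name passed to useradd are the page's sample values and are assumptions; the ROOT variable is an addition for dry runs into a scratch directory. Run it as root with the argument apply to change the real system.

```sh
#!/bin/sh
# Added example, not from the original HOWTO: applies steps 1-5 in one script.
# REALM, KDC and NUSNET_ID default to the values used on this page. ROOT is a
# prefix for a dry run into a scratch directory (ROOT=/tmp/x); leave it empty
# for the real system.
set -eu

REALM=${REALM:-STU.NUS.EDU.SG}
KDC=${KDC:-137.132.4.28}
NUSNET_ID=${NUSNET_ID:-u0501234}
ROOT=${ROOT:-}

# Step 2: the krb5.conf from the HOWTO, generated for a given realm and KDC.
# The DNS domain is the realm in lower case, as in the page's [domain_realm].
krb5_conf() {
    realm=$1
    kdc=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    clockskew = 300
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
        default_domain = $domain
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
EOF
}

# Write $ROOT/etc/krb5.conf, keeping a .backup of any existing file.
install_krb5_conf() {
    conf="$ROOT/etc/krb5.conf"
    mkdir -p "$ROOT/etc"
    if [ -f "$conf" ]; then cp "$conf" "$conf.backup"; fi
    krb5_conf "$REALM" "$KDC" > "$conf"
}

# Step 3 check: read klist output on stdin and succeed only if it contains a
# TGT issued by the expected realm (krbtgt/REALM@REALM). Any other realm on
# that line means kinit used a different default_realm than intended.
tgt_for_realm() {
    grep -qF "krbtgt/$1@$1"
}

# Step 4: the three PAM lines from the HOWTO, in the order the page gives.
pam_krb5_lines() {
    cat <<'EOF'
auth    sufficient pam_krb5.so
auth    required   pam_unix.so use_first_pass
account sufficient pam_krb5.so
EOF
}

# Prepend the PAM lines to $ROOT/etc/pam.d/gdm so pam_krb5 runs before the
# required pam_unix pulled in by common-auth; keeps a .backup of the original.
install_pam_gdm() {
    pam="$ROOT/etc/pam.d/gdm"
    mkdir -p "$ROOT/etc/pam.d"
    [ -f "$pam" ] || : > "$pam"
    cp "$pam" "$pam.backup"
    { pam_krb5_lines; cat "$pam.backup"; } > "$pam"
}

if [ "${1:-}" = apply ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apt-get install krb5-clients krb5-user libpam-krb5    # step 1
    install_krb5_conf                                     # step 2
    # Step 3: obtain a TGT, verify it came from $REALM, then discard it.
    kinit "$NUSNET_ID"
    klist | tgt_for_realm "$REALM" || { echo "TGT is not from $REALM" >&2; exit 1; }
    kdestroy
    install_pam_gdm                                       # step 4
    # Step 5: useradd instead of hand-editing /etc/passwd. -m creates the home
    # directory, and the new account gets a locked local password, so only the
    # Kerberos password can log it in. uid 1001, group users and the comment are
    # the HOWTO's sample values (assumed here; adjust them).
    useradd -m -u 1001 -g users -c "Your Real Name" -s /bin/bash "$NUSNET_ID"
fi
```

Without the apply argument the script only defines the functions, so it can be sourced and its pieces run one at a time; the tgt_for_realm check is the one to keep handy, since it turns the visual inspection of klist output in step 3 into a yes/no answer.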
HOWTO originally written by Keith Phua.
Modified by Kheng Hui (CPE/3) on Aug 15.
Modified by Lu Feng on Aug 17.
