This document describes the methods used to authenticate Linux machines against a central Kerberos realm.
Please note: Many documents found on the web describe Kerberos authentication as it relates to Samba and joining a Samba server to a Windows domain. They are two different things, so don't confuse them. This document describes how to authenticate against a Kerberos realm (Active Directory in our case) via PAM (Pluggable Authentication Modules).
Why use Kerberos and not NTLM
- Kerberos is an open standard (RFC 4120); NTLM is a proprietary Microsoft protocol.
- Kerberos is more secure than NTLM: it provides mutual authentication (the client also verifies the server), it never sends the password or a password-equivalent hash to the service, and its tickets are time-limited, whereas NTLM is a one-way challenge/response that can be relayed.
- Kerberos has been the default domain authentication protocol since Windows 2000. NTLM is the older Windows NT domain authentication method, kept only for backward compatibility.
- According to Microsoft, Kerberos is more efficient than NTLM: a service can validate a ticket locally instead of contacting a domain controller for every authentication.
- Be sure to have the proper RPMs installed: up2date pam_krb5 krb5-libs krb5-devel krb5-workstation (krb5-workstation provides kinit and klist, which you will use to test the realm configuration).
- Modify /etc/krb5.conf
- Reference (these links give you in-depth information, skip to examples if you don't care)
- Modify /var/kerberos/krb5kdc/kdc.conf (only relevant if this machine also runs its own KDC; when Active Directory is the KDC, the client libraries and pam_krb5 never read this file)
- Modify relevant PAM service files:
- For the LOGIN service only (telnet, ftp, xinetd-based services), modify /etc/pam.d/login
- For the SSHD service only, modify /etc/pam.d/sshd
- Create a matching local account: useradd dannies (pam_krb5 only checks the password; the account, UID, home directory and group memberships must still exist on the machine)
Now that the user exists locally, you assign file permissions and groups exactly as you would for any other user account; only the password check is delegated to the domain. If a user is disabled in the domain, the KDC refuses to issue a ticket and they can no longer log in to the Kerberos-authenticated machine. Note that useradd leaves the local password locked, so a disabled domain user cannot fall back to a local password unless one was explicitly set with passwd.
- VMWare Help Document on Setting Up Kerberos Authentication for ESX Server: http://www.vmware.com/pdf/esx_authentication_AD.pdf