Indiana University
University Information Technology Services
  

In Red Hat Enterprise Linux, how do I authenticate to ADS.IU.EDU using Kerberos?

Note: Indiana University has a site license covering the use of Red Hat Enterprise Linux (RHEL) by students, faculty, and staff at IU. For details, see IU's software agreement with Red Hat.

You can configure your Red Hat Enterprise Linux workstation to authenticate to the Kerberos realm by using the Pluggable Authentication Modules (PAM). The module that allows you to authenticate to the Active Directory realm is pam_krb5.so.

You must have the pam_krb5 and krb5-workstation packages installed to configure your workstation to authenticate to the Kerberos realm. To determine if you have these packages installed, open a terminal window and enter:

rpm -qa | grep pam_krb5

and

rpm -qa | grep krb5-workstation

If your system returns pam_krb5-x.xx-x and krb5-workstation-x.xx-x, where x is the version of the package, they are installed. If your system does not return anything, you will need to install the packages with the commands for your version of Red Hat Enterprise Linux. Red Hat Enterprise Linux 5.x can use:

yum install pam_krb5
yum install krb5-workstation

Red Hat Enterprise Linux 3.x and 4.x can use:

up2date install pam_krb5
up2date install krb5-workstation

After you install needed packages:

  1. Open a terminal window and log in as root. Enter /usr/sbin/authconfig-tui if you're using Red Hat 5.x, or /usr/sbin/authconfig if you're using Red Hat 4.x or 3.x.

  2. Continue with the prompts using the Tab key and Spacebar until you are asked for authentication.

  3. Press Tab until you are at the "Use Kerberos" field (Kerberos 5, if prompted). Press the Spacebar to select it.

  4. Press Next until you are at the "Kerberos Settings" field. Enter the following information:

    • Realm: ADS.IU.EDU
    • KDC: ads.iu.edu:88
    • Admin Server: ads.iu.edu:749

    Note: Be aware of case-sensitivity.

The authconfig utility will modify two files: /etc/krb5.conf and /etc/pam.d/system-auth. In /etc/krb5.conf it configures the Kerberos 5 libraries to use the ADS.IU.EDU realm, and in /etc/pam.d/system-auth it inserts the pam_krb5.so module into your authentication sequence.
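
To confirm what authconfig wrote, the following added script (not part of the original Knowledge Base document) checks both files for the settings from step 4, including the upper-case realm. It assumes authconfig used the standard krb5.conf keys default_realm, kdc and admin_server and that the local password check is pam_unix.so; the function name check_krb5_setup and the sample files are constructed for illustration.

```shell
#!/bin/bash
# Added example (not IU's script): check the two files that authconfig edits.
# check_krb5_setup [KRB5_CONF] [PAM_FILE] prints findings; returns 0 if all pass.
check_krb5_setup() {
    local conf="${1:-/etc/krb5.conf}" pam="${2:-/etc/pam.d/system-auth}"
    local rc=0 unix krb s='[[:space:]]*'
    need() {  # need FILE REGEX MESSAGE; anchored and case-sensitive, '#' lines never match
        grep -Eq "^$s$2$s\$" "$1" 2>/dev/null || { echo "FAIL: $3"; rc=1; }
    }
    # Values from step 4; the realm is upper case, the host names are lower case.
    need "$conf" "default_realm$s=${s}ADS\.IU\.EDU"    "default_realm is not ADS.IU.EDU"
    need "$conf" "ADS\.IU\.EDU$s=$s\{"                  "no ADS.IU.EDU block under [realms]"
    need "$conf" "kdc$s=${s}ads\.iu\.edu:88"           "kdc is not ads.iu.edu:88"
    need "$conf" "admin_server$s=${s}ads\.iu\.edu:749" "admin_server is not ads.iu.edu:749"
    # An active auth line must load pam_krb5.so, after the local pam_unix.so check.
    unix=$(awk '$1=="auth" && /pam_unix\.so/ {print NR; exit}' "$pam" 2>/dev/null)
    krb=$(awk '$1=="auth" && /pam_krb5\.so/ {print NR; exit}' "$pam" 2>/dev/null)
    if [ -z "$krb" ]; then echo "FAIL: no active auth line loads pam_krb5.so"; rc=1
    elif [ -n "$unix" ] && [ "$krb" -lt "$unix" ]; then
        echo "FAIL: pam_krb5.so runs before pam_unix.so"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf and $pam match the settings above"
    return "$rc"
}

# Constructed sample files (not copied from a real host) to exercise the check.
demo=$(mktemp -d)
printf '%s\n' '[libdefaults]' ' default_realm = ADS.IU.EDU' '[realms]' \
    ' ADS.IU.EDU = {' '  kdc = ads.iu.edu:88' '  admin_server = ads.iu.edu:749' ' }' \
    > "$demo/krb5.conf"
printf '%s\n' 'auth sufficient pam_unix.so nullok try_first_pass' \
    'auth sufficient pam_krb5.so use_first_pass' 'auth required pam_deny.so' \
    > "$demo/system-auth"
good_out=$(check_krb5_setup "$demo/krb5.conf" "$demo/system-auth") && good_rc=0 || good_rc=$?
# Same realm typed in lower case: the case-sensitivity mistake the note warns about.
sed 's/default_realm = ADS.IU.EDU/default_realm = ads.iu.edu/' \
    "$demo/krb5.conf" > "$demo/lower.conf"
bad_out=$(check_krb5_setup "$demo/lower.conf" "$demo/system-auth") && bad_rc=0 || bad_rc=$?
printf '%s\n' "$good_out" "$bad_out"
rm -rf "$demo"
```

On a configured workstation, run check_krb5_setup with no arguments as root to test the live /etc/krb5.conf and /etc/pam.d/system-auth.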

Workstations that are on other campuses or need access to services on other campuses should replace their /etc/krb5.conf file with the file provided here:

https://www.sharepoint.iu.edu/sites/kerberos/Shared%20Documents/krb5.conf

When you attempt to authenticate, PAM will first check the local /etc/passwd file for the correct password. If this check fails, PAM will then perform a check against one of the Active Directory servers. If the Kerberos check is successful, you are allowed to log in.

To log into your workstation, a user must have an existing local account.

For additional information, contact your campus Support Center.

At Indiana University, for personal or departmental Linux or Unix systems support, see At IU, how do I get support for Linux or Unix?

This is document akoo in domain all.
Last modified on August 21, 2009.
