Authenticate to ADS.IU.EDU using Kerberos in Red Hat Enterprise Linux or Ubuntu
Overview
You can configure your Red Hat Enterprise Linux or Ubuntu workstation to authenticate to the Kerberos realm by using the Pluggable Authentication Modules (PAM). The module that allows you to authenticate to the Active Directory realm is pam_krb5.so.
Red Hat Enterprise Linux
You must have the pam_krb5 and krb5-workstation packages installed to configure your workstation to authenticate to the Kerberos realm. To determine if you have these packages installed, open a terminal window and enter:
rpm -qa | grep pam_krb5
and
rpm -qa | grep krb5-workstation
If your system returns pam_krb5-x.xx-x and krb5-workstation-x.xx-x, where x is the version of the package, they are installed. If your system does not return anything, you will need to install the packages depending upon your version of Red Hat Enterprise Linux. Red Hat Enterprise Linux 5.x and 6.x can use:
yum install pam_krb5 krb5-workstation
After you install the needed packages:
- Open a terminal window and log in as root. Enter /usr/sbin/authconfig-tui (for Red Hat 5.x or 6.x).
- Continue with the prompts using the Tab key and Spacebar until you are asked for authentication.
- Press Tab until you are at the "Use Kerberos" field (Kerberos 5, if prompted). Press the Spacebar to select it.
- Press Tab until you are at the "Kerberos Settings" field. Enter the following information, being aware of case sensitivity:
  - Realm: ADS.IU.EDU
  - KDC: ads.iu.edu:88
  - Admin Server: ads.iu.edu:749
The authconfig utility will modify two files: /etc/krb5.conf and /etc/pam.d/system-auth. The /etc/krb5.conf file configures the Kerberos (ADS.IU.EDU) realm to use the Kerberos 5 libraries and the /etc/pam.d/system-auth file inserts the pam_krb5.so module into your authentication sequence.
If your workstation is at a regional campus (including IUPUI), or if you need access to services on a campus other than your own, replace your existing /etc/krb5.conf file by saving the text below into a new file named krb5.conf:
[domain_realm]
.ads.iu.edu = ADS.IU.EDU
.indiana.edu = ADS.IU.EDU
.iu.edu = ADS.IU.EDU
.iub.edu = ADS.IU.EDU
.iue.edu = ADS.IU.EDU
.iuk.edu = ADS.IU.EDU
.iun.edu = ADS.IU.EDU
.iupui.edu = ADS.IU.EDU
.ius.edu = ADS.IU.EDU
.iusb.edu = ADS.IU.EDU
indiana.edu = ADS.IU.EDU
iu.edu = ADS.IU.EDU
iub.edu = ADS.IU.EDU
iue.edu = ADS.IU.EDU
iuk.edu = ADS.IU.EDU
iun.edu = ADS.IU.EDU
iupui.edu = ADS.IU.EDU
ius.edu = ADS.IU.EDU
iusb.edu = ADS.IU.EDU
[libdefaults]
default_realm = ADS.IU.EDU
[realms]
ADS.IU.EDU = {
    kdc = ads.iu.edu:88
}
Ubuntu
Open a terminal window and enter:
apt install libpam-krb5 krb5-user
During the installation, you will be asked for the default realm. Use ADS.IU.EDU.
After installation, edit /etc/krb5.conf to include the [domain_realm] and [realms] sections from the sample krb5.conf file above.
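One way to check an edited /etc/krb5.conf against the settings above, including the case sensitivity of the realm name; this is an added example, not part of the original Knowledge Base document or any IU tooling. The function names are hypothetical, the parser assumes the simple layout of the sample file (one setting per line, braces on their own lines), and SAMPLE is a constructed, abbreviated copy with one deliberate mistake.

```python
# Constructed sample: the page's krb5.conf, abbreviated, with a lower-case realm on .iupui.edu.
SAMPLE = """\
[domain_realm]
.ads.iu.edu = ADS.IU.EDU
.iupui.edu = ads.iu.edu
[libdefaults]
default_realm = ADS.IU.EDU
[realms]
ADS.IU.EDU = {
    kdc = ads.iu.edu:88
}
"""

def parse_krb5_conf(text):
    """Parse a simple krb5.conf into {section: {key: value | {subkey: [values]}}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":  # start of a per-realm block
                block = section.setdefault(key, {})
            elif block is not None:
                block.setdefault(key, []).append(value)
            else:
                section[key] = value
    return conf

def check(conf, realm="ADS.IU.EDU"):
    """Return a list of problems; an empty list means the settings match the page."""
    problems = []
    default = conf.get("libdefaults", {}).get("default_realm")
    if default != realm:
        problems.append(f"default_realm is {default!r}, expected {realm!r}")
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict) or not entry.get("kdc"):
        problems.append(f"[realms] has no kdc for {realm}")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped != realm:  # comparison is exact, so a lower-case realm is flagged
            problems.append(f"domain_realm {domain} maps to {mapped!r}, expected {realm!r}")
    return problems

for problem in check(parse_krb5_conf(SAMPLE)):
    print("PROBLEM:", problem)
```

To check a real workstation, pass the contents of /etc/krb5.conf to parse_krb5_conf in place of SAMPLE.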
Authenticate
When you attempt to authenticate, PAM will first check the local /etc/passwd file for the correct password. If this check fails, PAM will then perform a check against one of the Active Directory servers. If the Kerberos check is successful, you are allowed to log in.
To log into your workstation, a user must have an existing local account.
Get help
For additional information, contact your campus Support Center.
At Indiana University, for personal or departmental Linux or Unix systems support, see Get help for Linux or Unix at IU.
This is document akoo in the Knowledge Base.
Last modified on 2021-06-03 13:20:37.