To enable Kerberos, you must first have a Kerberos realm configured. See my previous blog post on exactly how to set one up.
Then configure the PC-BSD desktop machine to run NTP and then to be a Kerberos client (also explained in the previous blog post).
WARNING : be sure to test your Kerberos client setup with kinit(1) before you go any further!
Now, to be extra safe, hit « Ctrl-Alt-F1 » to get to « ttyv1 » on the command line and login as root. Keep that root shell open until you have confirmed that the graphical login still works: a mistake in the PAM configuration can lock you out of gdm, and the text console is then the only way back in to restore the backup.
Once this is done, simply edit the /usr/local/etc/pam.d/gdm file to enable the pam_krb5.so module. It's easy, the lines are already there! That's because FreeBSD (the underlying OS of PC-BSD) already has all the required Kerberos files, binaries and libraries in the base system. That means you simply need to remove the hash mark to un-comment all the lines that have the pam_krb5.so module in them (the auth, account and password rules). Leave the other rules as they are, in particular the pam_unix.so ones, so that local accounts can still log in if the KDC is unreachable.
sudo cp /usr/local/etc/pam.d/gdm ~/pam.d.gdm.backup
sudo vi /usr/local/etc/pam.d/gdm
Restart the gdm daemon so that it knows about the new pam.d/gdm file.
sudo /usr/local/etc/rc.d/gdm restart
This will place you back at the graphical login screen automagically. Simply login with your user, then start a shell. Check your Kerberos tickets and, ta-dam, you should have two tickets: your host's ticket and the ticket granting ticket from your KDC. The host/… entry is there because pam_krb5 does not just trust the TGT it got back: it requests a service ticket for the local host principal and decrypts it with the key in /etc/krb5.keytab, which is what proves the reply really came from your KDC and not from a rogue one on the network. If you only see the krbtgt entry, check that the machine has a host keytab, because without one the module skips that verification.
klist
Credentials cache: FILE:/tmp/krb5cc_5100
Principal: drobilla@COMPANY.COM
Issued Expires Principal
Jun 28 10:12:04 Jun 28 20:12:04 host/tbr.company.com@COMPANY.COM
Jun 28 10:12:04 Jun 28 20:12:04 krbtgt/COMPANY.COM@COMPANY.COM
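As an added example (not part of the original post), here is the edit from the backup/vi step above done as a small sh script, so that it can be repeated on several PC-BSD desktops and checked before gdm is restarted. It only touches lines that are real PAM rules referencing pam_krb5.so, not ordinary comments, and it keeps a backup so the ttyv1 root shell can revert it. The sample pam.d file embedded in it is constructed for the demo and modelled on the layout of FreeBSD's stock pam.d files; it is not a copy of the gdm port's file, and the function names are my own. It does not restart gdm, that is still a separate step.

```shell
#!/bin/sh
# Added example: enable the pam_krb5.so rules in a PAM service file.
# Not from the original post. The sample file written by
# write_sample_pam_gdm is constructed for this demo.
set -eu

# Uncomment every PAM rule (auth/account/session/password) that
# references pam_krb5.so. Plain comment lines such as "# auth" are
# left alone. Usage: enable_pam_krb5 FILE [BACKUP]
# Works with both BSD and GNU sed (-E is extended regex on both).
enable_pam_krb5() {
    file="$1"
    backup="${2:-$1.bak}"
    # Backup readable by root only; restore it from ttyv1 if gdm breaks.
    cp -p "$file" "$backup"
    chmod 600 "$backup"
    # Write to a temp file first so a failed sed never truncates the
    # live file; then copy back over the original to keep its mode/owner.
    sed -E 's/^#[[:space:]]*((auth|account|session|password)[[:space:]]+[^#]*pam_krb5\.so.*)$/\1/' \
        "$file" > "$file.tmp"
    cat "$file.tmp" > "$file"
    rm -f "$file.tmp"
}

# Exit 0 if FILE has an active (uncommented) rule of TYPE for pam_krb5.so.
# Usage: pam_krb5_active FILE TYPE   (TYPE is auth, account, ...)
pam_krb5_active() {
    grep -Eq "^$2[[:space:]]+[a-z]+[[:space:]]+pam_krb5\.so" "$1"
}

# Print the number of active pam_krb5.so rules in FILE (0 if none).
pam_krb5_count() {
    grep -Ec '^(auth|account|session|password)[[:space:]]+[a-z]+[[:space:]]+pam_krb5\.so' "$1" || true
}

# Constructed sample in the style of FreeBSD's stock pam.d files.
# Not the real gdm port file.
write_sample_pam_gdm() {
    cat > "$1" <<'EOF'
#
# PAM configuration for the "gdm" service (constructed sample)
#
# auth
auth        required    pam_nologin.so      no_warn
auth        sufficient  pam_self.so         no_warn
#auth       sufficient  pam_krb5.so         no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass
# account
#account    requisite   pam_krb5.so
account     required    pam_nologin.so
account     required    pam_unix.so
# session
session     required    pam_permit.so
# password
#password   sufficient  pam_krb5.so         no_warn try_first_pass
password    required    pam_unix.so         no_warn try_first_pass
EOF
}

# Demo on a throwaway copy, never on the live /usr/local/etc/pam.d/gdm.
demo() {
    tmp="$(mktemp)"
    write_sample_pam_gdm "$tmp"
    echo "active pam_krb5 rules before: $(pam_krb5_count "$tmp")"
    enable_pam_krb5 "$tmp" "$tmp.backup"
    echo "active pam_krb5 rules after:  $(pam_krb5_count "$tmp")"
    rm -f "$tmp" "$tmp.backup"
}
demo
```

On a real machine you would run `enable_pam_krb5 /usr/local/etc/pam.d/gdm ~/pam.d.gdm.backup` as root, inspect the result with `pam_krb5_active /usr/local/etc/pam.d/gdm auth`, and only then restart gdm. Copying over the original with `cat` rather than `mv` keeps the file's root:wheel ownership and 0644 mode, which matters for a PAM configuration file.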
You can now login to other servers in your Kerberos realm without having to type your password, provided those servers accept Kerberos/GSSAPI authentication (for example sshd with GSSAPIAuthentication enabled) and your ticket is still valid; klist shows the expiry time.
BTW : don't forget to logout from the ttyv1 root shell and delete the ~/pam.d.gdm.backup file.
Enjoy!
David