1. Home
  2. User Management
  3. How do I authenticate against Kerberos?

How do I authenticate against Kerberos?

This article is being updated. Please be aware the content herein, not limited to version numbers and slight syntax changes, may not match the output from the most recent versions of Bright. This notation will be removed when the content has been updated.

For Red Hat based system such as RHEL, CentOS or Scientific Linux: 
Rather than modifying files manually, it is much much easier and less error-prone to use the Red Hat authconfig-tui tool. It can be invoked from the command line:
# authconfig-tui
The authconfig-tui tool allows you to:

  • set where to get the user information from
  • set where to do the authentication.
  • configure your LDAP setup
  • configure your Kerberos setup

So, for example, we choose LDAP for User Information and Kerberos for authentication:

As you can see, tui is an abbreviation for Text User Interface, because it uses ncurses. 

Then you have to configure your LDAP settings:

The last step is to configure your Kerberos server setup. Mainly, Realm, KDC, and Admin Server:

For SLES11SP2:

Rather than modifying files by hand, it is easier and less error-prone to use the YaST tool. From the command line:

# yast

First, choose “Network Sevices”, “Kerberos Client”.

Then, specify Kerberos server configuration. Mainly, Domain Name, Realm, KDC server.

Finally, choose “Advanced Settings…” to enable Kerberos support for OpenSSH and other PAM services.

Kerberos Authentication With The User Portal Web Service

To be able to allow the user portal, https://<head node IP>/userportal, to authenticate against Kerberos, you need to edit /etc/pam.d/php manually and change the following lines:

auth sufficient pam_ldap.so 
account sufficient pam_ldap.so


auth sufficient pam_sss.so 
account sufficient pam_sss.so

After that you need to restart the webserver.

Updated on August 21, 2020

Related Articles

Leave a Comment