Kerberos and LDAP

Ronni Feldt rofe at one.com
Fri Oct 31 04:43:55 EDT 2008


> > Now, I have read a lot, and seem to have lost the complete overview
> > of how it all works together. Can someone explain to me, just in a
> > superficial way, how it fits together or point me to a link?
> 
> There's nothing special really. NSS is used to get user metadata
> (username, id, gid, homedir, shell, etc..), and PAM is used to perform
> the actual verification of user credentials (login allowed or not).
> And nscd is there just to cache NSS results so that the remote lookup
> is not performed all the time.

Okay, this means it's something like this:

1. User login

2. PAM authenticates the user using info in /etc/pam.d/common-auth,
which tells it to use info from the local workstation and Kerberos,
because of:
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_krb5.so use_first_pass
auth    required        pam_deny.so

In this step PAM is also using /etc/pam.d/common-password to find out
how to evaluate passwords. Again both local passwords and passwords in
Kerberos will do.
password  sufficient   pam_unix.so nullok obscure md5
password  required     pam_krb5.so use_first_pass

Question: Am I missing a password required pam_deny.so here?

3. If the user authentication is successful, PAM
uses /etc/pam.d/common-account to grant privileges to the user; the
resources that the user may have access to. Again local information is
okay, as well as information from LDAP and Kerberos (Why Kerberos? It
only authenticates.)
account sufficient      pam_unix.so
account required        pam_ldap.so
account required        pam_krb5.so


In the steps above, PAM is using NSS (/etc/nsswitch.conf) to get
information about username, privileges etc. NSS bridges the information
from LDAP and/or local information to PAM.
/etc/nsswitch.conf
passwd:         ldap files
group:          ldap files
shadow:         ldap files

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis


Is that correct?

- Ronni
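The control flags in the stacks above decide which modules are actually consulted and what the stack returns. As an added example (not code from the original message, nor from Linux-PAM, pam_krb5 or pam_ldap), the following Python script parses the three stacks quoted in the post and walks them with the control-flag semantics documented in pam.conf(5): `required` = success:ok / default:bad, `requisite` = success:ok / default:die, `sufficient` = success:done / default:ignore, `optional` = success:ok / default:ignore. Which modules succeed is a constructed input (the `outcomes` dict), since no real PAM module is called, and the choice to deny when no module contributed a result at all is the simulator's own conservative assumption, not a statement about Linux-PAM's fallback.

```python
"""Simulate how Linux-PAM walks the auth/password/account stacks quoted in
the message above.

Added example, not code from the original message.  The stacks are copied
from the post; which modules succeed is a constructed input (`outcomes`),
since no real PAM module is called here.
"""

# pam.conf(5) expresses each control keyword as a table of
# <return value> = <action>; these are the documented equivalents.
CONTROL_ACTIONS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

AUTH_STACK = """
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_krb5.so use_first_pass
auth    required        pam_deny.so
"""

PASSWORD_STACK = """
password  sufficient   pam_unix.so nullok obscure md5
password  required     pam_krb5.so use_first_pass
"""

ACCOUNT_STACK = """
account sufficient      pam_unix.so
account required        pam_ldap.so
account required        pam_krb5.so
"""


def parse_stack(text):
    """Parse '<type> <control> <module> [args...]' lines into (control, module, args)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        _type, control, module = fields[:3]
        if control not in CONTROL_ACTIONS:
            raise ValueError(f"unsupported control flag {control!r}")
        entries.append((control, module, fields[3:]))
    return entries


def evaluate(stack, outcomes):
    """Walk a parsed stack.  `outcomes` maps module name -> True/False
    (PAM_SUCCESS or any failure); modules not listed, such as pam_deny.so,
    fail.  Returns (final status, list of modules actually consulted)."""
    impression = None      # None: nothing counted yet, True: positive, False: negative
    status = "denied"
    consulted = []
    for control, module, _args in stack:
        consulted.append(module)
        result = "success" if outcomes.get(module, False) else "failure"
        actions = CONTROL_ACTIONS[control]
        action = actions.get(result, actions["default"])
        if action == "ignore":             # e.g. a failing 'sufficient' module
            continue
        if action in ("ok", "done"):
            # A success only counts if no earlier module has already failed.
            if impression is not False:
                impression, status = True, "success"
            if action == "done" and impression is True:
                return status, consulted   # 'sufficient' success ends the stack
        else:                              # "bad" or "die"
            impression, status = False, "denied"
            if action == "die":            # 'requisite' failure ends the stack
                return status, consulted
    if impression is None:
        # No module contributed a result (e.g. only 'sufficient' modules, all
        # failing).  Denying here is this simulator's conservative assumption;
        # a trailing 'required pam_deny.so' makes that outcome explicit.
        return "denied", consulted
    return status, consulted


if __name__ == "__main__":
    auth = parse_stack(AUTH_STACK)
    account = parse_stack(ACCOUNT_STACK)
    # Local password wrong, Kerberos password right: pam_krb5 reuses the
    # password typed for pam_unix (use_first_pass) and the login succeeds.
    print(evaluate(auth, {"pam_unix.so": False, "pam_krb5.so": True}))
    # Both fail: pam_deny.so is reached and the stack denies.
    print(evaluate(auth, {}))
    # pam_unix's account check succeeding short-circuits the stack, so the
    # 'required' pam_ldap/pam_krb5 account checks are never consulted.
    print(evaluate(account, {"pam_unix.so": True, "pam_ldap.so": False}))
```

The `consulted` list is the part worth reading: whenever a `sufficient` module succeeds, nothing after it runs, so in the account stack a user that pam_unix accepts is never checked against pam_ldap or pam_krb5 at all, while in the password stack a `required` module after the `sufficient` one already yields denial on total failure even without an explicit pam_deny.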