Thursday, June 28, 2012

PC-BSD / FreeBSD Kerberos GNOME Graphical Login

A quick post just to show how to configure a PC-BSD or a FreeBSD workstation to run kinit(1) right when you login. In this example, the desktop machine is running PC-BSD 9.0 with the GNOME desktop.



To enable Kerberos, you must first have a Kerberos realm configured. See my previous blog post on exactly how to set one up.

Then configure the PC-BSD desktop machine to run NTP and then to be a Kerberos client (also explained in the previous blog post).

WARNING : be sure to test your Kerberos client setup with kinit(1) before you go any further!

Now to be extra safe, hit « Ctrl-Alt-F1 » to get to the « ttyv1 » on the command line and login as root.

Once this is done, simply edit the /usr/local/etc/pam.d/gdm file to enable the pam_krb5.so module. It's easy, the lines are already there! That's because FreeBSD (the underlying OS of PC-BSD) already has all the required Kerberos files, binaries and libraries in the base system. That means you simple need to remove the hash mark to un-comment all the lines that have the pam_krb5.so module in them.

sudo cp /usr/local/etc/pam.d/gdm ~/pam.d.gdm.backup
sudo vi /usr/local/etc/pam.d/gdm

Restart the gdm daemon so that it knows about the new pam.d/gdm file.

sudo /usr/local/etc/rc.d/gdm restart

This will place you back to the graphical login screen automagically. Simply login with your user then start a shell. Check your Kerberos tickets and, ta-dam, you should have two tickets : your host's ticket and the tickget granting ticket from your KDC.

klist

Credentials cache: FILE:/tmp/krb5cc_5100
        Principal: drobilla@COMPANY.COM


  Issued           Expires          Principal
Jun 28 10:12:04  Jun 28 20:12:04  host/tbr.company.com@COMPANY.COM
Jun 28 10:12:04  Jun 28 20:12:04  krbtgt/COMPANY.COM@COMPANY.COM

You can now login to other servers in your Kerberos realm without having to type your password.

BTW : don't forget to logout from the ttyv1 root shell and delete the ~/pam.d.gdm.backup file.

Enjoy!

David

No comments:

Post a Comment