Skip to end of metadata
Go to start of metadata


There are multiple options here depending on how you want to set things up. The simplest solution is probably just to configure PAM to authenticate via kerberos to the CIT AD. If that sounds like a workable solution to you then all you need to do is configure krb5.conf, pam.d/system-auth and pam.d/sshd (if you want remote authentication). This is all detailed in Tim's documentation but here is the cliff notes version (note that this is Centos 7 centric and might need some tweaks for other linux flavors):


ticket_lifetime = 24000
default_realm = CIT.UCAR.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
[domain realm] = CIT.UCAR.EDU = CIT.UCAR.EDU


auth sufficient likeauth nullok try_first_pass realm=CIT.UCAR.EDU




#auth     sufficient debug ruser conf=/usr/local/etc/token_server
auth     sufficient likeauth nullok try_first_pass realm=CIT.UCAR.EDU


Note that the first line is what ACOM uses as we restrict remote authentication to OTP only.


This method requires you to create local users manually but does eliminate the need for the "restriction" options (see MMM's notes) while also satisfying the need to centrally log all authentication attempts on the Domain Controllers. For those systems that are mobile you still need to set a local password as this method of "pass through" authentication does not cache credentials in any way. If you need that  functionality then you need to look at the "realm" command (also detailed in both ACOM's and MMM's notes).


If you go this route and want to make your linux filesystems available via SAMBA then you will need to take the extra step to join those machines to the domain (no password required when connecting):

net ads join createcomputer=/Divisions/XXX/Computers/ -UYourAdminAccount%password -S


ACOM Notes on joining Centos 7 systems to AD

MMM Notes on joining Centos 7 system to AD (restricting users)



ACOM Notes on joining MACs to AD

CISL Notes on joining MACs to AD


From MMM:
Mac (10.11):
     This allows us to pick only specific directory users allowed to log onto the machine.
Joining a Mac to Active Directory: ADTF Google Doc
This document includes multiple ways to join a Mac including through Casper and using dsconfigad.  It also includes how to migrate a local user account to a CIT account as well as information about ADPassMon for AD password kerberos renewal and expiration.
  • No labels