Slackware can be modified to use kerberos authentication mechanisms. This is essential when working in certain environments, such as Microsoft Active Directory controlled domains. Single sign on (SSO) has been called the "Holy Grail" of network administration because it simplifies user management by placing it into a single repository. A key to this approach is the kerberos protocol, because it allows for securely managing and communicating over the network. Kerberos was created at MIT and is a very well respected piece of software which has evolved as it has been tested under fire. On this page, I document some of the changes required to enable kerberos support within Slackware 13.1.

Packages to be compiled to enable kerberos support
Package                   Included in Slackware 13.1   Notes
linux-pam-1.1.2           no                           see footnote 1
shadow-4.1.4.2            yes                          see footnote 2
krb5-1.8.3                no                           see footnote 3
cyrus-sasl-2.1.23         yes                          see footnote 4
openssh-5.5p1             yes                          see footnote 5
samba-3.5.5               yes                          see footnote 6
openldap-client-2.4.23    yes                          see footnote 7
nss-pam-ldapd-0.7.11      no                           see footnote 8
pam-krb5-4.3              no                           see footnote 9
xscreensaver-5.11         yes                          see footnote 10
xdm-1.1.10                yes                          part of X.org; see footnote 11

Footnotes

PAM

1. As far as I know, PAM is the key piece of the puzzle to getting all of the pieces of single sign on to work together. Some parts may work individually without it (for example, openssh gains extra functionality when kerberos (gssapi) support is added); but it is necessary for a unified and comprehensive solution which covers all forms of user authentication and logon.

shadow

2. Recompiled to enable PAM support. I also found the Beyond Linux From Scratch web page on shadow helpful with regard to the file login.defs.

kerberos

3. Kerberos is the key component in this form of single sign on. As soon as this package is installed, the command kinit will work to get a tgt, even if the machine is not "joined" to a domain. I compiled it for kerberos version 5 support only.

cyrus-sasl

4. sasl is a glue layer between certain components. I am not sure exactly when it is used, because many components have built-in support for the gssapi protocol, and I think one implementation of gssapi is built when kerberos is compiled. It may not be necessary at all for this project.

ssh

5. openssh's implementation of the secure shell protocol is one of the most useful tools for network administration. Enabling kerberos support at both the client and server ends allows for logon without typing a password. This resembles its built-in facility when using the ssh-agent with user generated certificates; the kerberos approach has the advantage of not having to manage and distribute the certificate files. A kerberized ssh is useful all by itself, too. The next version of the putty ssh client will have kerberos support built in, which will be nice for Windows clients.

samba

6. Samba enables a machine to become a server in the kerberos domain. The "net ads ..." command sequences allow joining a domain and generating other service certificates if desired or necessary. I recompiled it with support for both PAM and ads (Active Directory). Obviously, one important server is the one doing CIFS (Windows file sharing). This could be the main part of, and motivation for, the entire project: to substitute work-alike Slackware file servers where Microsoft Windows file servers would otherwise be required.

openldap

7. I am not sure that I needed to modify this package, because of the approach that I ended up using instead: nss-pam-ldapd (more below). However, working with a gssapi/kerberos enabled client did give me some practice querying the AD structure directly with the command ldapsearch.

By the way, the original Fedora Directory Server project (now the 389 project) claims to be able to replace the entire kerberos infrastructure, including the KDC. This will also be easier when Samba 4 is released. In my project I was using a real Windows 2003 R2 domain controller with the SFU 3.5 component and the updated schema for R2. That way I wasn't starting from absolute zero.

nss-pam-ldapd

8. This program sets up a daemon which holds a kerberos tgt. The daemon is then designed to query the AD structure and extend the entries in the passwd and group files. (Note: shadow is not extended, because authentication will be by kerberos tickets. No passwords will be sent in the clear over the network.)

I like this program because it does exactly what I want it to do. I think the earlier generation from PADL Software may require a paid license to use. Thanks to Arthur de Jong for developing this very useful software.
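A minimal nslcd.conf for the setup footnote 8 describes, as an added example that is not the page's own file nor one shipped by the nss-pam-ldapd project; the DC host name, base DN and ticket-cache path are assumptions, and the attribute names are those of the SFU/R2 schema the page mentions:

```text
# /etc/nslcd.conf (added example, not the page's own configuration)
# The DC host name, base DN and cache path below are placeholders.
uid nslcd
gid nslcd

# GSSAPI needs the DC's real host name (not an IP address) so the
# ldap/<host> service ticket can be matched.
uri ldap://dc1.example.lan
base dc=example,dc=lan
ldap_version 3

# Bind with the daemon's kerberos TGT instead of a bind DN and
# password, so no LDAP password is stored on disk or sent in the clear.
sasl_mech GSSAPI
# Cache holding the daemon's TGT (assumed path; option name as
# documented in nslcd.conf(5), check it for your nslcd version).
krb5_ccname /tmp/krb5cc_nslcd

# Return only real users and groups that carry the SFU/R2 POSIX
# attributes, and map the AD attribute names onto passwd/group fields.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
map    passwd gecos         displayName
filter group  (&(objectClass=group)(gidNumber=*))
map    group  uniqueMember  member

# /etc/nsswitch.conf, the relevant lines: passwd and group are extended
# from AD, shadow stays local because kerberos does the authentication.
#   passwd: files ldap
#   group:  files ldap
#   shadow: files
```

With this in place, "getent passwd" should list domain users next to the local ones while "getent shadow" still shows only local entries, which is a quick way to confirm that no password hashes are being pulled from the directory.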

pam-krb5

9. This component is a PAM module which authenticates users at logon and automatically gets an initial kerberos tgt for them to use in their logon session. Thanks to Russ Allbery for developing this very useful software.
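A PAM stack that wires pam-krb5 into console login the way footnote 9 describes, as an added example that is not the page's own file nor the pam-krb5 project's; the UID threshold of 1000 and the module set are assumptions for a stock Slackware 13.1 layout:

```text
# /etc/pam.d/login (added example, not the page's own file)
# kerberos is tried first. Local shadow accounts such as root still
# work when the KDC is unreachable, and are never sent to the KDC at
# all, because pam_krb5 ignores UIDs below the (assumed) threshold.
auth     required   pam_env.so
auth     sufficient pam_krb5.so minimum_uid=1000 try_first_pass forwardable
auth     required   pam_unix.so use_first_pass

# pam_krb5 checks the principal-to-account mapping (e.g. .k5login);
# pam_unix still applies local account expiry rules.
account  required   pam_krb5.so minimum_uid=1000
account  required   pam_unix.so

# Password changes for domain users go to the KDC, not to /etc/shadow.
password sufficient pam_krb5.so minimum_uid=1000 try_first_pass
password required   pam_unix.so shadow

# Write the TGT obtained at auth into a per-session ticket cache, and
# create a home directory for domain users who do not have one yet.
session  required   pam_unix.so
session  optional   pam_mkhomedir.so umask=0077
session  optional   pam_krb5.so minimum_uid=1000
```

After a successful login, "klist" run by the user should show a tgt for the domain realm without the user ever having run kinit; xscreensaver and any other PAM-aware service can then reuse the same stack by referencing these lines.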

xscreensaver

10. The default xscreensaver only uses "shadow" based passwords to unlock. I recompiled with PAM support, which in turn linked back to the pam-krb5 module.

xdm

11. xdm controls login at runlevel 4. I have not fixed this yet. It should be a matter of recompiling with PAM/kerberos support as with xscreensaver, but I am not sure.

Other useful links found along the way

Zordrak

Michele


Trademarks and Copyrights

Slackware is a registered trademark of Patrick Volkerding and Slackware Linux, Inc.

Linux is a registered trademark of Linus Torvalds.

Active Directory is a registered trademark of Microsoft Corp.


Page last modified: 2010-11-02