Using Kerberos Authentication on openSUSE
This guide will show you how to use openSUSE with BU’s Kerberos system. After following this guide you should be able to log in with your BU user name and password (the one you use to log in to the Links as well as public computers). You must be physically connected to the BU network for this to work. Using VPN will most likely not work, since the system must reach the BU network during the login process, before the VPN connection has been made.
Setting Up Kerberos Authentication
There are two ways to set up Kerberos authentication. The first is to set it up during a clean install of openSUSE; the second is to set it up on an already working openSUSE system. Doing it during installation is slightly easier, since you do not have to worry about existing user accounts or finding Yast. Setting it up during a clean install has only been tested on openSUSE 11.2 and 11.1; setting it up on an existing system has been tested on 11.2, 11.1, and 11.0 and should be largely the same on 10.3.
During Installation
During installation, you will reach a page called “Create New User” where it asks you to specify a username and password. Do not bother doing so, since it will be erased. Instead, click the “Change” button below the summary. In the “Authentication Method” section, select “Windows Domain” and then “Accept”. You will find all the options in the Create New User page have been disabled. Click Next, then proceed with the installation. The page for configuring the Windows domain will not appear until the end of the setup. Skip ahead to Join the AD Domain.
On An Installed System
This assumes that you have a working desktop environment, either KDE or GNOME, a working network connection, and that you have not intentionally deleted any of the Yast packages. It is also assumed that you know the root password or have configured your system to allow non-root access to root files and programs (the latter is strongly discouraged since it leaves your system totally unsecured). If you cannot find the Yast modules described below, make sure you have the yast2-users and yast2-samba-client packages installed. See Software Installation.
Join the AD Domain
If you are using an existing installation, in Yast, click the “Network Services” icon on the left (not “Network Devices”). Click “Windows Domain Membership”. If you are doing a clean installation, proceed normally until you reach the “Create New User” screen. Click the “Change” button, and then check the Set Up Kerberos Authentication box. From here on the two processes are largely the same.
The system may ask to install some packages. Agree, and wait until it finishes its various housekeeping tasks. You should ultimately end up on a page with “Membership” at the top. Under “Domain or Workgroup”, enter ad.bu.edu (this is not case-sensitive). There are four check boxes immediately below. Check them all. Do not check the boxes in the “Sharing by Users” section unless you know what you are doing. The “offline authentication” box may uncheck itself in the future; don’t worry, the setting is still in effect. Click “Expert Settings”. Change both Minimum numbers to be the same as in Local Security above, and both Maximum numbers to 99999, then click OK. Next click the “NTP Configuration…” button at the bottom and follow the instructions at NTP Configuration. If you are using openSUSE 11.1 or later you can configure Network Drives during installation (see Samba). This is fine for 11.2, but for 11.1 it does not appear to work reliably, so it is probably better to wait until the system is installed. Click Finish again.
It will ask if you want to join the domain AD. Click “Yes”. You will be given a place to enter a user name and password. If you have administrator access to an AD group you can enter your user name and password here. Otherwise you will need someone else with administrator access. Use just the username, not ad\username, and click “OK”. If it doesn’t allow you to join, try again but instead of “OK” click “Obtain”. This will obtain a list of all Active Directory groups. Unfortunately this is a really long list without any apparent order. You will have to find the correct group by hand and then click on it. Then click “OK”. You should get a message that you have joined the domain. If you get an error, verify the settings and try again. If it asks to install additional packages, agree. If you are installing the system, finish the installation and then do the following steps. Otherwise you can do them now.
Test the Settings
Close all programs, then restart your computer. If you are using openSUSE 11.1 or later there should be a drop-down box that says either “(local)” or “AD”. Make sure it is set to AD. Try logging in using your BU Kerberos user name and password. If you have previously logged into the computer with your current login you may get an error from KDE or GNOME during the login, in which case you will need to Change your User ID. Although it is an option, it is better if you do not put AD or AD\ in front of your user name. If you can’t log in, try logging in with AD\ in front of your username. If that works you will have to Enable “Use Default Domain”. If logging in with AD\ in front of your username still doesn’t work, log in as root and verify all of your settings.
When you successfully log in for the first time with a specific username, it may tell you that it is making a home directory and various subdirectories and configuration files. Just click “OK” until the messages go away. Open a terminal and enter “klist”. You should have a Kerberos 5 ticket listed. If not, verify that your settings are correct, reboot, and try again. If you get a message about the clock being off, make sure your NTP configuration lists a valid server, then reboot. You can get to the NTP configuration in Yast’s Network Services section.
Troubleshooting
Change User ID
If you have previously logged into the system as a particular user and get errors during login after joining the AD domain, you probably have permission errors. In the login screen, there should be a “Session” menu or some other similar menu that lists the different environments you can log into. Remember what it is currently set to, and change it to “Failsafe Session”. Log in using your Kerberos username and password and get your new user ID by running “echo $UID”. Next run “ls -ln”, which should give you a list of files. The third column should have mostly the same number, although it may have a few numbers equal to your new user ID. The number that is not your new user ID is your old user ID. Next, run the following command, replacing oldUID with your old user ID and newUID with your new user ID. You will be asked for the root password; go ahead and give it.
sudo chown -R --from=oldUID newUID ./
You should be able to log out, set the session back to what it was before, and then log back in.
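The UID-fixing procedure above, as an added example that is not part of the original guide: it reads an “ls -ln” listing, works out the old user ID (the owner that is not your new UID), and runs the chown command from the guide. It assumes GNU coreutils (chown --from) and awk; the listing and the UIDs 1001 and 10015 are constructed sample data.

```shell
#!/bin/sh
# Added example (not part of the original guide): find the old UID from an
# "ls -ln" style listing and re-own the home directory with chown --from.
# Assumes GNU coreutils (chown supports --from), as on openSUSE, and awk.

# Read an "ls -ln" listing on stdin and print the owner UID (column 3) that
# occurs most often among entries NOT already owned by NEW_UID ($1).
old_uid_from_listing() {
    awk -v new="$1" '
        NF >= 3 && $3 != new { count[$3]++ }
        END {
            best = ""
            for (u in count) if (best == "" || count[u] > count[best]) best = u
            print best
        }'
}

# reown_home OLD_UID NEW_UID DIR: hand everything under DIR that still belongs
# to OLD_UID over to NEW_UID. Only prints the command unless DO_CHOWN=1, so the
# UIDs can be double-checked before anything is changed (needs root/sudo).
reown_home() {
    if [ "${DO_CHOWN:-0}" = "1" ]; then
        chown -R --from="$1" "$2" "$3"
    else
        echo "would run: chown -R --from=$1 $2 $3"
    fi
}

# Constructed sample listing: most files still belong to the old local UID 1001,
# two were created at the first AD login and already belong to UID 10015.
SAMPLE_LISTING='total 20
drwxr-xr-x 2 1001  100 4096 Mar  1 10:00 Documents
-rw-r--r-- 1 1001  100  220 Mar  1 10:00 .bashrc
-rw------- 1 10015 100 1024 Mar  2 09:00 .Xauthority
drwx------ 2 10015 100 4096 Mar  2 09:00 .kde4
-rw-r--r-- 1 1001  100 3771 Mar  1 10:00 .profile'

OLD_UID=$(printf '%s\n' "$SAMPLE_LISTING" | old_uid_from_listing 10015)
echo "old UID: $OLD_UID"          # prints 1001 for the sample above
reown_home "$OLD_UID" 10015 "$HOME"
```

Run it with DO_CHOWN=1 under sudo only after the printed command shows the UIDs you expect.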
Enable “Use Default Domain”
Only do this if you cannot log in without putting AD\ in front of your username.
If Yast is open, leave it open. Otherwise open it. Open a terminal (see Command-line Installation for instructions on how).
If you are using vim, run:
sudo vim /etc/samba/smb.conf
You can replace “vim” with any command-line text editor, such as emacs. Sudo allows you to run a single command as root. openSUSE is configured by default not to allow sudo to be used with graphical programs. If you are using KDE with a graphical text editor, use kdesu in place of sudo. If you are using GNOME, use gnomesu (this is the same as gksu in some other distributions).
As long as you have both desktop environments installed you can use kdesu inside GNOME and gnomesu inside KDE. As long as they are installed, the text editors don’t care what desktop environment you use, so kwrite and kate will work in GNOME while gedit will work in KDE. But it is better to stick with the desktop environment you are currently running. You cannot use sudo in place of kdesu or gnomesu by default, however.
Whatever method you use you will be prompted for a password. Enter the root password to continue. At the end of the [global] section, add the following line:
winbind use default domain = yes
Save and close the file.
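The smb.conf edit above done from a script, as an added example that is not part of the original guide: it adds “winbind use default domain = yes” at the end of the [global] section, replaces a different existing value, skips the edit if the line is already there, and keeps a .bak copy. It assumes awk and cp are available and is run as root on /etc/samba/smb.conf; the sample smb.conf is constructed, not BU’s real file.

```shell
#!/bin/sh
# Added example (not part of the original guide): add "winbind use default domain = yes"
# to the [global] section of smb.conf without duplicating it, keeping a backup first.
# Assumes awk and cp; run against /etc/samba/smb.conf as root (sudo/kdesu/gnomesu).

# global_has_option FILE KEY VALUE: succeed if [global] already contains KEY = VALUE
global_has_option() {
    awk -v k="$2" -v v="$3" '
        /^[[:space:]]*\[/ { sect = $0 }
        sect ~ /^[[:space:]]*\[global\]/ &&
          $0 ~ "^[[:space:]]*" k "[[:space:]]*=[[:space:]]*" v "[[:space:]]*$" { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# set_global_option FILE KEY VALUE: ensure KEY = VALUE is set inside [global],
# replacing any different value of KEY there, and adding it at the end of the
# section if it is missing. FILE.bak keeps the untouched original.
set_global_option() {
    file=$1
    global_has_option "$file" "$2" "$3" && return 0
    cp -p "$file" "$file.bak"
    awk -v k="$2" -v v="$3" '
        /^[[:space:]]*\[/ {                       # a new section header
            if (inglobal && !done) { print "\t" k " = " v; done = 1 }
            inglobal = ($0 ~ /^[[:space:]]*\[global\]/)
        }
        inglobal && $0 ~ "^[[:space:]]*" k "[[:space:]]*=" { next }   # drop old value
        { print }
        END { if (inglobal && !done) print "\t" k " = " v }   # [global] was last section
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo on a constructed smb.conf (not BU's real file) in a scratch directory
demo=$(mktemp -d)
printf '[global]\n\tworkgroup = AD\n\tsecurity = ads\n\n[homes]\n\tbrowseable = no\n' > "$demo/smb.conf"
set_global_option "$demo/smb.conf" "winbind use default domain" "yes"
set_global_option "$demo/smb.conf" "winbind use default domain" "yes"   # second run is a no-op
cat "$demo/smb.conf"
rm -rf "$demo"
```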
Manual Kerberos Client Configuration
In Yast, click the “Network Services” icon on the left if it is not already selected. Click “Kerberos Client”. If it asks to install any packages, agree. When the Kerberos Client Configuration screen appears, click “Use Kerberos” and then “Finish”. Allow it to install any additional packages.
Next, download the krb5.conf file from here. Open a terminal (see Command-line Installation for instructions on how). Navigate to the folder where you downloaded the krb5.conf file, and run the following two commands:
sudo cp /etc/krb5.conf /etc/krb5back.conf
sudo cp krb5.conf /etc/krb5.conf
The first backs up your old krb5.conf file, while the second replaces it with BU’s version.